webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-27 11:13:24 +02:00
Code Issues Packages Projects Releases Wiki Activity

Kernel: Block non-UID-0 profiling completely

Browse Source 
This is recommended by KSPP, Lynis, and others. Indeed, there is no
legitimate reason why an unprivileged user on IPFire should do any
profiling. Unfortunately, this change never landed in the mainline
kernel, hence a distribution patch is necessary.

The second version of this patch rebases the kernel patch by Jeff
Vander Stoep against Linux 5.15.17 to avoid fuzzying.

Tested-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
This commit is contained in:
Peter Müller
2022-02-11 19:42:57 +00:00
parent 88a7b2d34b
commit 400c4e8edb
3 changed files with 81 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
lfs/linux
View File

@@ -137,6 +137,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
# fix Boot with enabled usercopy hardening
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.9-crypto_testmgr_allocate_buffers_with____GFP_COMP.patch
# Patch performance monitoring restrictions to allow further hardening
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.15.17-security-perf-allow-further-restriction-of-perf_event_open.patch
ifeq "$(BUILD_ARCH)" "armv6l"
# Apply Arm-multiarch kernel patches.
cd $(DIR_APP) && xzcat $(DIR_DL)/arm-multi-patches-$(ARM_PATCHES).patch.xz | patch -Np1