webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-09 18:45:54 +02:00
Code Issues Packages Projects Releases Wiki Activity
21,722 Commits 2 Branches 1 Tag
main
Commit Graph

33 Commits

Author SHA1 Message Date
Arne Fitzenreiter
8c43d1481a kernel: update to 6.6.15 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2024-02-02 07:52:09 +00:00
Arne Fitzenreiter
0722f42ed2 kernel: update to 6.6.13 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2024-01-21 19:10:22 +01:00
Peter Müller
bca096b453 linux: Forbid legacy TIOCSTI usage 
To quote from the kernel documentation:

> Historically the kernel has allowed TIOCSTI, which will push
> characters into a controlling TTY. This continues to be used
> as a malicious privilege escalation mechanism, and provides no
> meaningful real-world utility any more. Its use is considered
> a dangerous legacy operation, and can be disabled on most
> systems.
>
> Say Y here only if you have confirmed that your system's
> userspace depends on this functionality to continue operating
> normally.
>
> Processes which run with CAP_SYS_ADMIN, such as BRLTTY, can
> use TIOCSTI even when this is set to N.
>
> This functionality can be changed at runtime with the
> dev.tty.legacy_tiocsti sysctl. This configuration option sets
> the default value of the sysctl.

This patch therefore proposes to no longer allow legacy TIOCSTI usage
in IPFire, given its security implications and the apparent lack of
legitimate usage.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2024-01-16 15:46:37 +00:00
Arne Fitzenreiter
a93525c0ca kernel: update to 6.6.12 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2024-01-16 12:41:08 +01:00
Arne Fitzenreiter
19e66d7e2b kernel: update to 6.6.11 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2024-01-11 10:30:13 +01:00
Arne Fitzenreiter
d303f7c154 kernel: update to 6.6.10 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2024-01-07 16:08:31 +01:00
Arne Fitzenreiter
a7c9eca495 kernel: update to 6.6.4 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2023-12-05 17:17:40 +00:00
Arne Fitzenreiter
941190cb3a kernel: update to 6.6.3 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-12-05 17:17:35 +00:00
Arne Fitzenreiter
95f9d9350d kernel: update to 6.6.2 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2023-12-05 17:15:48 +00:00
Arne Fitzenreiter
cfe911bab5 kernel: update to 6.1.60 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-10-27 08:43:35 +00:00
Arne Fitzenreiter
cce398bca5 kernel: update to 6.1.59 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-10-25 11:01:30 +00:00
Arne Fitzenreiter
2b834ef42a kernel: update to 6.1.58 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-10-25 11:01:30 +00:00
Arne Fitzenreiter
554e339b9e kernel: update to 6.1.57 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-10-13 08:13:12 +00:00
Arne Fitzenreiter
e275a07b67 kernel: update to 6.1.56 
this also builds the dtb files on riscv64

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-10-09 08:13:02 +00:00
Arne Fitzenreiter
e5ad33d9ee kernel: update 6.1.53 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-09-28 09:29:29 +00:00
Arne Fitzenreiter
14bd32221e kernel: update to 6.1.52 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-09-28 09:29:23 +00:00
Arne Fitzenreiter
57ae9ba587 kernel: update config for riscv64 
i had disabled CONFIG_GCC_PLUGIN_LATENT_ENTROPY because this
fails to compile on riscv64.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-08-10 06:35:11 +00:00
Peter Müller
e08399ddd3 linux: Trigger a BUG() when corruption of kernel data structures is detected 
Given that this will merely log such an incident, this can be safely
enabled.

Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
 2023-07-13 14:20:48 +00:00
Arne Fitzenreiter
54364fac8c kernel: update riscv64 config and rootfiles 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-02-21 10:15:36 +00:00
Peter Müller
d33651d74f linux: Prepare CONFIG_DEBUG_FS disabling on non-x86_64 architectures 
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
 2022-09-20 14:30:28 +00:00
Peter Müller
26a91db187 Revert "Revert "linux: Do not allow slab caches to be merged"" 
This reverts commit 1695af3862.

https://lists.ipfire.org/pipermail/development/2022-August/014112.html
 2022-08-09 09:29:42 +00:00
Peter Müller
1695af3862 Revert "linux: Do not allow slab caches to be merged" 
This reverts commit 06b4164dfe.
 2022-08-08 10:10:17 +00:00
Peter Müller
06b4164dfe linux: Do not allow slab caches to be merged 
From the kernel documentation:

> For reduced kernel memory fragmentation, slab caches can be
> merged when they share the same size and other characteristics.
> This carries a risk of kernel heap overflows being able to
> overwrite objects from merged caches (and more easily control
> cache layout), which makes such heap attacks easier to exploit
> by attackers. By keeping caches unmerged, these kinds of exploits
> can usually only damage objects in the same cache. [...]

Thus, it is more sane to leave slab merging disabled. KSPP and ClipOS
recommend this as well.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
 2022-08-06 13:51:02 +00:00
Peter Müller
38a5d03f59 linux: Enable PCI passthrough for QEMU 
Fixes: #12754
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
 2022-08-03 10:57:05 +00:00
Peter Müller
0664b1720d linux: Amend upstream patch to harden mount points of /dev 
This patch, which has been merged into the mainline Linux kernel, but
not yet backported to the 5.15.x tree, precisely addresses our
situation: IPFire does not use systemd, but CONFIG_DEVTMPFS_MOUNT.

The only explanation I have for bug #12889 arising _now_ is that some
component (dracut, maybe) changed its behaviour regarding remounting of
already mounted special file systems. As current dracut won't (re)mount
any file system already found to be mounted, this means that the mount
options decided by the kernel remained untouched for /dev, hence being
weak in terms of options hardening possible.

As CONFIG_DEVTMPFS_SAFE would not show up in "make menuconfig", changes
to kernel configurations have been simulated.

Fixes: #12889
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
 2022-06-25 22:20:48 +00:00
Peter Müller
883e29630c Kernel: Disable support for RPC dprintk debugging 
This is solely needed for debugging of NFS issues. Due to the attack
surface it introduces, grsecurity recommends to disable it; as we do not
have a strict necessity for this feature, it is best to follow that
recommendation for security reasons.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
 2022-06-13 15:39:23 +00:00
Peter Müller
9b28e9d02b Kernel: Enable YAMA support 
See https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html for
the upstream rationale. Enabling YAMA gives us the benefit of additional
hardening options available, without any obvious downsides.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
 2022-06-13 15:39:08 +00:00
Peter Müller
250f6efc38 kernel: Do not enforce "integrity" mode of LSM 
LSM was found to render firmware flashing unusable, and patching out LSM
functionality for all features needed (such as /dev/io, direct memory
access and probably raw PCI access for older cards), this would
effectively render much of LSM's functionality useless as well.

For the time being, we do ship LSM, but do not enforce any protection
mode. Users hence can run it in "integrity" or even "confidentiality"
mode by custom commands; hopefully, we will be able to revert this
change at a future point.

Acked-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
 2022-04-21 19:30:42 +00:00
Peter Müller
8e1a464d12 Kernel: Enable LSM support and set security level to "integrity" 
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
 2022-04-06 20:04:04 +00:00
Peter Müller
4f4422cc1c Kernel: Do not automatically load TTY line disciplines, only if necessary 
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
 2022-04-04 19:59:39 +00:00
Peter Müller
bf2d8cb8a0 Kernel: Disable support for tracing block I/O actions 
This is not needed on IPFire systems, and grsecurity recommends to turn
this off.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
 2022-04-04 19:59:15 +00:00
Peter Müller
26ca63592d Kernel: Set CONFIG_ARCH_MMAP_RND_BITS to 32 bits 
This follows a recommendation by ClipOS, making ASLR bypassing attempts
harder.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
 2022-04-04 19:59:08 +00:00
Michael Tremer
5c1a1094ed kernel: Add a basic configuration for riscv64 
This kernel configuration is a copy of our kernel configuration for
x86_64 on which I ran "make olddefconfig" which will set any unknown
values to their defaults.

This exists so that we have some kernel (which I did not try to boot) to
complete the build process.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2022-02-22 19:41:39 +00:00