From the kernel documentation:
> Driver for the internal USB role switch for switching the USB data
> lines between the xHCI host controller and the dwc3 gadget controller
> found on various Intel SoCs. [...]
This may unblock USB-LAN-adaptor usage on certain boards, as reported
once in #12750. Overall affected devices seem to be scanty;
nevertheless, enabling this as a module only is highly unlikely to cause
any harm, so let's give it a try.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Compiling the kernel has automatically introduced
CONFIG_INIT_STACK_ALL_ZERO=y and removed GCC's structleak plugin (not to
be confused with its stackleak counterpart). However, according to
related documentation, this neither introduces a security nor
performance disadvantage.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
It does not generate cryptographically secure entropy.
Backported from IPFire 3.x as 6aea180b26906f001611dcc0c54f494818069d8c.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
This patch also compiles all sorts of device mapper stuff as modules.
Backported from IPFire 3.x as 6fe31a44d07d8705ca7713c449ccbb3dbb9684a0.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
This is disabled in IPFire 3.x, and projects such as grsecurity
recommend doing so for security reasons as well. Also, skimming through
our source code, there is no point where this ACPI configfs would have
been explicitly mounted, which leads to the assumption that we never
used it anyway.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
From the kernel's documentation:
> Landlock is a sandboxing mechanism that enables processes to restrict
> themselves (and their future children) by gradually enforcing
> tailored access control policies. A Landlock security policy is a
> set of access rights (e.g. open a file in read-only, make a
> directory, etc.) tied to a file hierarchy. Such policy can be
> configured and enforced by any processes for themselves using the
> dedicated system calls: landlock_create_ruleset(),
> landlock_add_rule(), and landlock_restrict_self().
There is no harm in enabling this security feature, so applications
supporting Landlock can benefit from it.
Rolled forward from https://patchwork.ipfire.org/project/ipfire/patch/d7ac0caf-5a7c-bcca-6293-16c773523942@ipfire.org/
to submit all kernel-related changes as a single patchset.
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
From the kernels' documentation:
> Uprobes is the user-space counterpart to kprobes: they
> enable instrumentation applications (such as 'perf probe')
> to establish unintrusive probes in user-space binaries and
> libraries, by executing handler functions when the probes
> are hit by user-space applications.
>
> ( These probes come in the form of single-byte breakpoints,
> managed by the kernel and kept transparent to the probed
> application. )
To the best of the authors' understanding, no application on IPFire
needs this functionality, and given its abuse potential, we should
probably not enable it.
As expected, strace functionality is not impaired by this.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
According to the kernel's documentation,
> debugfs is a virtual file system that kernel developers use to put
> debugging files into. Enable this option to be able to read and
> write to these files.
There is no legitimate reason why one has to do so on an IPFire machine.
Further, the vast debugging options (i.e. related to various drivers)
have never been enabled, limiting the use of this virtual file system
even further.
This patch therefore proposes to disable it entirely, since its
potential security impact outweights its benefits. Due to operational
constraints, changes to ARM kernel configurations will be made if this
patch is approved for x86_64.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
From the kernel documentation:
> For reduced kernel memory fragmentation, slab caches can be
> merged when they share the same size and other characteristics.
> This carries a risk of kernel heap overflows being able to
> overwrite objects from merged caches (and more easily control
> cache layout), which makes such heap attacks easier to exploit
> by attackers. By keeping caches unmerged, these kinds of exploits
> can usually only damage objects in the same cache. [...]
Thus, it is more sane to leave slab merging disabled. KSPP and ClipOS
recommend this as well.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
To quote from the kernel documentation:
> If you say Y here, the layouts of structures that are entirely
> function pointers (and have not been manually annotated with
> __no_randomize_layout), or structures that have been explicitly
> marked with __randomize_layout, will be randomized at compile-time.
> This can introduce the requirement of an additional information
> exposure vulnerability for exploits targeting these structure
> types.
>
> Enabling this feature will introduce some performance impact,
> slightly increase memory usage, and prevent the use of forensic
> tools like Volatility against the system (unless the kernel
> source tree isn't cleaned after kernel installation).
>
> The seed used for compilation is located at
> scripts/gcc-plgins/randomize_layout_seed.h. It remains after
> a make clean to allow for external modules to be compiled with
> the existing seed and will be removed by a make mrproper or
> make distclean.
>
> Note that the implementation requires gcc 4.7 or newer.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
If available, the kernel will enable IOMMU (a/k/a DMA remapping) by
default on boot. To tools making use of that, particularly hypervisors,
this provides better security without any downsides.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
This patch, which has been merged into the mainline Linux kernel, but
not yet backported to the 5.15.x tree, precisely addresses our
situation: IPFire does not use systemd, but CONFIG_DEVTMPFS_MOUNT.
The only explanation I have for bug #12889 arising _now_ is that some
component (dracut, maybe) changed its behaviour regarding remounting of
already mounted special file systems. As current dracut won't (re)mount
any file system already found to be mounted, this means that the mount
options decided by the kernel remained untouched for /dev, hence being
weak in terms of options hardening possible.
As CONFIG_DEVTMPFS_SAFE would not show up in "make menuconfig", changes
to kernel configurations have been simulated.
Fixes: #12889
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
