
[0/8,F] Kernel hardening config changes

Message ID 20200119131029.23160-1-tyhicks@canonical.com

Message

Tyler Hicks Jan. 19, 2020, 1:10 p.m. UTC
Adjust seven config options in order to follow best practices for kernel
hardening. Some options are useful to prevent attacks (run-time sanity
checks, reduce attack surface, etc.) while others are useful to detect
attacks using logged information.

These changes follow the recommendations of the Kernel Self Protection
Project:

 https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings

None of these changes should have a noticeable effect on performance.

Tyler

Tyler Hicks (8):
  UBUNTU: [Config] Fix typo in annotations file
  UBUNTU: [Config] Enable linked list manipulation checks
  UBUNTU: [Config] Enable cred sanity checks
  UBUNTU: [Config] Enable scatterlist validation
  UBUNTU: [Config] Enable notifier call chain validations
  UBUNTU: [Config] Enforce filtered access to iomem
  UBUNTU: [Config] Disable legacy PTY naming
  UBUNTU: [Config] Disable the uselib system call

 debian.master/config/annotations          | 24 ++++++++++++++---------
 debian.master/config/config.common.ubuntu | 15 +++++++-------
 2 files changed, 22 insertions(+), 17 deletions(-)
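
The seven option changes above, expressed as a check script: an added example, not part of this series or of the Ubuntu kernel tree. It reads a kernel .config and reports which of the options still differ from the KSPP values. The CONFIG_ symbol assumed for each patch is an inference made here (the cover letter does not name the symbols), and the sample config is constructed.

```shell
#!/bin/sh
# Added example, not from this patch series: report which of the seven
# hardening options the series adjusts still deviate in a kernel .config.
# The CONFIG_ symbol assumed for each patch is an inference made here;
# expected values follow the KSPP recommended-settings page.
EXPECTED="CONFIG_DEBUG_LIST=y CONFIG_DEBUG_CREDENTIALS=y CONFIG_DEBUG_SG=y
CONFIG_DEBUG_NOTIFIERS=y CONFIG_IO_STRICT_DEVMEM=y
CONFIG_LEGACY_PTYS=n CONFIG_USELIB=n"

# Effective value of symbol $2 in config file $1: y, m, n or "unset".
# Kconfig writes a disabled bool as "# CONFIG_FOO is not set".
config_value() {
    if grep -q "^# $2 is not set\$" "$1"; then
        echo n
    else
        val=$(sed -n "s/^$2=//p" "$1" | head -n 1)
        [ -n "$val" ] && echo "$val" || echo unset
    fi
}

# Print "SYMBOL expected=X actual=Y" for each deviating option; prints
# nothing when the config already carries all seven hardened values.
check_hardening() {
    for entry in $EXPECTED; do
        sym=${entry%=*}
        want=${entry#*=}
        have=$(config_value "$1" "$sym")
        [ "$have" = "$want" ] || echo "$sym expected=$want actual=$have"
    done
}

# Constructed sample config with every option at the value the series
# replaces, so the script has something to run against offline.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# CONFIG_DEBUG_LIST is not set
# CONFIG_DEBUG_CREDENTIALS is not set
# CONFIG_DEBUG_SG is not set
# CONFIG_DEBUG_NOTIFIERS is not set
# CONFIG_IO_STRICT_DEVMEM is not set
CONFIG_LEGACY_PTYS=y
CONFIG_USELIB=y
EOF

# Usage: sh check-hardening.sh [/boot/config-$(uname -r)]
echo "sample config:"; check_hardening "$SAMPLE"
if [ $# -gt 0 ]; then echo "$1:"; check_hardening "$1"; fi
```

Running it against the installed kernel's config shows which of the seven options that build still lacks; an empty report means all of them match.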

Comments

Seth Forshee Jan. 21, 2020, 11:17 p.m. UTC | #1
On Sun, Jan 19, 2020 at 01:10:21PM +0000, Tyler Hicks wrote:
> Adjust seven config options in order to follow best practices for kernel
> hardening. Some options are useful to prevent attacks (run-time sanity
> checks, reduce attack surface, etc.) while others are useful to detect
> attacks using logged information.
> 
> These changes follow the recommendations of the Kernel Self Protection
> Project:
> 
>  https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
> 
> None of these changes should have a noticeable effect on performance.

Applied to focal/master-next, thanks!