From patchwork Sun Jan 19 13:10:21 2020
X-Patchwork-Submitter: Tyler Hicks
X-Patchwork-Id: 1225445
From: Tyler Hicks
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 0/8][F] Kernel hardening config changes
Date: Sun, 19 Jan 2020 13:10:21 +0000
Message-Id: <20200119131029.23160-1-tyhicks@canonical.com>
X-Mailer: git-send-email 2.17.1
List-Id: Kernel team discussions
Adjust seven config options in order to follow best practices for kernel
hardening. Some options are useful to prevent attacks (run-time sanity
checks, reduce attack surface, etc.) while others are useful to detect
attacks using logged information. These changes follow the
recommendations of the Kernel Self Protection Project:

 https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings

None of these changes should have a noticeable effect on performance.

Tyler

Tyler Hicks (8):
  UBUNTU: [Config] Fix typo in annotations file
  UBUNTU: [Config] Enable linked list manipulation checks
  UBUNTU: [Config] Enable cred sanity checks
  UBUNTU: [Config] Enable scatterlist validation
  UBUNTU: [Config] Enable notifier call chain validations
  UBUNTU: [Config] Enforce filtered access to iomem
  UBUNTU: [Config] Disable legacy PTY naming
  UBUNTU: [Config] Disable the uselib system call

 debian.master/config/annotations          | 24 ++++++++++++++---------
 debian.master/config/config.common.ubuntu | 15 +++++++-------
 2 files changed, 22 insertions(+), 17 deletions(-)
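To verify that a built kernel actually carries the settings this series turns on or off, here is an added shell check (my example, not part of the series or the Ubuntu kernel tree). It assumes the cover letter's descriptions map to the KSPP symbols CONFIG_DEBUG_LIST, CONFIG_DEBUG_CREDENTIALS, CONFIG_DEBUG_SG, CONFIG_DEBUG_NOTIFIERS, CONFIG_IO_STRICT_DEVMEM, CONFIG_LEGACY_PTYS and CONFIG_USELIB, and reads a .config or /boot/config-* file.

```shell
#!/bin/sh
# Added example, not from the patch series: compare a kernel config file
# against the seven settings the cover letter describes.
# The CONFIG_ names are my assumed mapping of the cover letter's wording to
# the KSPP recommended-settings list; "n" means the option must be absent
# or appear as "# CONFIG_FOO is not set".
HARDENING_EXPECTED='CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_CREDENTIALS=y
CONFIG_DEBUG_SG=y
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_IO_STRICT_DEVMEM=y
CONFIG_LEGACY_PTYS=n
CONFIG_USELIB=n'

# config_value FILE SYMBOL -> prints the value (y, m, a number, ...) or "n"
# when the symbol is unset or missing.
config_value() {
    _line=$(grep -E "^(# )?$2[= ]" "$1" | head -n 1 || true)
    case "$_line" in
        "$2="*) echo "${_line#*=}" ;;
        *)      echo n ;;
    esac
}

# hardening_mismatches FILE -> one "MISMATCH ..." line per deviating option.
hardening_mismatches() {
    echo "$HARDENING_EXPECTED" | while IFS='=' read -r _sym _want; do
        _got=$(config_value "$1" "$_sym")
        [ "$_got" = "$_want" ] || echo "MISMATCH $_sym: want $_want, got $_got"
    done
}

# check_hardening_config FILE -> exit 0 when all seven settings match,
# 1 otherwise (so it can gate a build or a CI job).
# Usage on a running system: check_hardening_config /boot/config-$(uname -r)
check_hardening_config() {
    _out=$(hardening_mismatches "$1")
    if [ -n "$_out" ]; then
        printf '%s\n' "$_out"
        return 1
    fi
    echo "OK: all seven hardening settings match"
}
```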