Set resource limits
Currently, Tails does no resource limitation, even though it is
supported by PAM through the
/etc/security/limits.conf file. The
rlimits primarily reduce the risk of DoS through, say, fork bombs, and
it can reduce vulnerabilities. Some examples:
- RLIMIT_STACK can mitigate various ASLR-exhaustion attacks.
- RLIMIT_AS can mitigate some types of integer overflows (such as the RCE libotr had, or the large number of X11 extension vulnerabilities).
- RLIMIT_NICE can make some side-channel attacks a bit harder.
- RLIMIT_CORE can allow debugging crashes that were potentially caused by exploits.
- RLIMIT_NPROC can mitigate many of the easiest forms of DoSes, as well as make side-channel attacks harder.
- RLIMIT_CPU can make side-channel attacks and attacks like rowhammer harder, when used wisely.
Resource limits can be applied to users or groups, though the
prlimit64() syscall can be used to set it for processes which are
already running. I suggest limiting AS for all processes but the browser
(as it is the most likely to have a legitimate need to eat up lots of
memory) and similar bloated beasts, the number of processes for the
amnesia user, and the stack size and niceness for all processes (setting
it to even 8 MiB would be enough). The core limit should be lifted or
made very liberal, and coredumps configured to log to journald. I assume
coredumps logged there are not readable by unprivileged users (to
prevent, say, sending SIGSEGV to a victim process in order to read
potentially sensitive memory contents). Reducing other limits can be
done as deemed safe. Individual sensitive users can be restricted more,
such as the debian-tor user.
Please consider taking advantage of this simple but useful PAM feature.