Kernel hardening: restricts loading TTY line disciplines
Current scope
We can try this sysctl setting that can improve security:
dev.tty.ldisc_autoload = 0
This restricts loading TTY line disciplines to processes with the CAP_SYS_MODULE capability. It protects against exploits like https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html. No performance impact. No functionality impact. See https://lkml.org/lkml/2019/4/15/890
Dismissed
- page_alloc.shuffle=1: tracked on #18886 (closed)
- lockdown=confidentiality: breaks suspend (so laptops won't go to sleep)
Original description
We can improve kernel security with a few kernel boot parameters (passed by the bootloader):
page_alloc.shuffle=1
This enables randomization of the page allocator's freelist. Performance is often improved by this option, but is occasionally reduced on some hardware. In the case of Tails' workload, the performance hit is undetectable. See https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e900a918b0984ec8f2eb150b8477a47b75d17692
lockdown=confidentiality
This enables kernel lockdown (https://man7.org/linux/man-pages/man7/kernel_lockdown.7.html) which disables features that allow a userspace process to compromise the kernel. It does disable loading of unsigned modules, so if signed modules ever need to be loaded, then this feature can be enabled at runtime by writing "confidentiality" to /sys/kernel/security/lockdown after the module is loaded. Performance is unaffected.
There is also a sysctl setting that can improve security:
dev.tty.ldisc_autoload = 0
This restricts loading TTY line disciplines to processes with the CAP_SYS_MODULE capability. It protects against exploits like https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html. No performance impact. No functionality impact. See https://lkml.org/lkml/2019/4/15/890
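The following audit script is an added example, not part of this issue or of Tails' own code. It checks the three settings discussed above (the current-scope sysctl and the two dismissed boot parameters) on a running system: `dev.tty.ldisc_autoload` via its /proc/sys path, the active lockdown mode from the bracketed token in /sys/kernel/security/lockdown (format `none [integrity] confidentiality`), and `page_alloc.shuffle=1` in /proc/cmdline. The helper names (`check_value`, `lockdown_mode`, `cmdline_has`, `audit_live_system`) are my own; the kernel interfaces are the standard Linux ones.

```shell
#!/bin/sh
# Added example: audit the kernel hardening settings discussed in this issue.
# Helper names are assumptions of this example; the /proc and /sys paths are
# the standard kernel interfaces for these settings.

# check_value NAME ACTUAL EXPECTED: print a one-line verdict, return 0 on match.
check_value() {
    if [ "$2" = "$3" ]; then
        echo "OK   $1 = $2"
        return 0
    fi
    echo "FAIL $1 = '$2' (expected $3)"
    return 1
}

# lockdown_mode CONTENTS: extract the active mode from the contents of
# /sys/kernel/security/lockdown, e.g. "none [integrity] confidentiality"
# yields "integrity". Prints nothing if no bracketed token is present.
lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)].*/\1/p'
}

# cmdline_has CMDLINE PARAM: return 0 if PARAM appears as a whole
# space-separated token in the kernel command line string CMDLINE.
cmdline_has() {
    case " $1 " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# audit_live_system: read the live kernel interfaces (when present) and
# report each setting. Returns 1 if any checked setting is not hardened.
audit_live_system() {
    rc=0
    if [ -r /proc/sys/dev/tty/ldisc_autoload ]; then
        check_value dev.tty.ldisc_autoload \
            "$(cat /proc/sys/dev/tty/ldisc_autoload)" 0 || rc=1
    else
        echo "SKIP dev.tty.ldisc_autoload (interface not available)"
    fi
    if [ -r /sys/kernel/security/lockdown ]; then
        check_value lockdown \
            "$(lockdown_mode "$(cat /sys/kernel/security/lockdown)")" confidentiality || rc=1
    else
        echo "SKIP lockdown (securityfs not mounted or lockdown not built in)"
    fi
    if [ -r /proc/cmdline ]; then
        if cmdline_has "$(cat /proc/cmdline)" page_alloc.shuffle=1; then
            echo "OK   page_alloc.shuffle=1 present on kernel command line"
        else
            echo "FAIL page_alloc.shuffle=1 missing from kernel command line"
            rc=1
        fi
    fi
    return $rc
}

# Run the live audit only when explicitly asked, so the helpers can also be
# sourced and exercised against constructed input.
if [ "${1-}" = "audit" ]; then
    audit_live_system
    exit $?
fi
```

Invoke it as `sh audit.sh audit` on the target machine; the persistent counterpart of the sysctl check is a drop-in such as /etc/sysctl.d/ containing `dev.tty.ldisc_autoload = 0`, which this script verifies took effect after `sysctl --system`.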