Issue created May 06, 2021 by cypher punks@cypherpunks2

Kernel hardening: restrict loading TTY line disciplines

Current scope

We can try this sysctl setting that can improve security:

dev.tty.ldisc_autoload = 0

This restricts loading TTY line disciplines to the CAP_SYS_MODULE capability. It protects from exploits like https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html. No performance impact. No functionality impact. See https://lkml.org/lkml/2019/4/15/890

Dismissed

  • page_alloc.shuffle=1: tracked on #18886 (closed)
  • lockdown=confidentiality: breaks suspend (so laptops won't go to sleep)

Original description

We can improve kernel security with a few kernel boot parameters (passed by the bootloader):

page_alloc.shuffle=1

This enables randomization of the freelist allocator. Performance is often improved by this option, but is occasionally reduced on some hardware. In the case of Tails' workload, the perf hit is undetectable. See https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e900a918b0984ec8f2eb150b8477a47b75d17692

lockdown=confidentiality

This enables kernel lockdown (https://man7.org/linux/man-pages/man7/kernel_lockdown.7.html) which disables features that allow a userspace process to compromise the kernel. It does disable loading of unsigned modules, so if signed modules ever need to be loaded, then this feature can be enabled at runtime by writing "confidentiality" to /sys/kernel/security/lockdown after the module is loaded. Performance is unaffected.

There is also a sysctl setting that can improve security:

dev.tty.ldisc_autoload = 0

This restricts loading TTY line disciplines to the CAP_SYS_MODULE capability. It protects from exploits like https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html. No performance impact. No functionality impact. See https://lkml.org/lkml/2019/4/15/890
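A read-only audit script for the three settings discussed above, added here as an example (it is not part of this issue or of Tails). It assumes the standard Linux paths: /proc/cmdline for the boot parameters, /proc/sys/dev/tty/ldisc_autoload for the sysctl, and /sys/kernel/security/lockdown (named in the description) for the lockdown mode, whose contents list every mode with the active one in square brackets. The parsing helpers take the file contents as a string so they can be exercised on constructed input without root or a rebooted kernel.

```shell
#!/bin/sh
# Read-only check of the hardening settings discussed in this issue.
# Added example; not part of the issue or of Tails. Assumed paths:
#   /proc/cmdline, /proc/sys/dev/tty/ldisc_autoload, /sys/kernel/security/lockdown

# Return 0 when the given kernel command line contains page_alloc.shuffle=1.
# $1: command line text, e.g. the contents of /proc/cmdline
cmdline_has_shuffle() {
  for tok in $1; do            # unquoted on purpose: split on whitespace
    if [ "$tok" = "page_alloc.shuffle=1" ]; then
      return 0
    fi
  done
  return 1
}

# Return 0 when the sysctl value means only CAP_SYS_MODULE may autoload ldiscs.
# $1: the value read from dev.tty.ldisc_autoload ("0" or "1")
ldisc_autoload_restricted() {
  [ "$1" = "0" ]
}

# Print the active lockdown mode from the securityfs file contents.
# The file lists all modes with the active one in brackets, for example
# "none integrity [confidentiality]"; prints nothing if no mode is bracketed.
# $1: the file contents
lockdown_mode() {
  printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Return 0 when the lockdown file contents show confidentiality mode.
# $1: the file contents
lockdown_is_confidentiality() {
  [ "$(lockdown_mode "$1")" = "confidentiality" ]
}

# Read the live values (falling back gracefully if a file is missing)
# and print one status line per setting.
report_live() {
  cmdline=$(cat /proc/cmdline 2>/dev/null || echo "")
  ldisc=$(cat /proc/sys/dev/tty/ldisc_autoload 2>/dev/null || echo "unknown")
  lockdown=$(cat /sys/kernel/security/lockdown 2>/dev/null || echo "")

  if cmdline_has_shuffle "$cmdline"; then
    echo "page_alloc.shuffle=1     : set"
  else
    echo "page_alloc.shuffle=1     : NOT set"
  fi

  if ldisc_autoload_restricted "$ldisc"; then
    echo "dev.tty.ldisc_autoload=0 : set"
  else
    echo "dev.tty.ldisc_autoload=0 : NOT set (value: $ldisc)"
  fi

  mode=$(lockdown_mode "$lockdown")
  if [ -z "$mode" ]; then
    mode="unavailable"
  fi
  echo "lockdown mode            : $mode"
}

report_live
```

The script only reads; raising the lockdown mode at runtime (writing "confidentiality" to /sys/kernel/security/lockdown, as the description notes) and setting the sysctl are separate, privileged operations. Keeping the parsers as pure functions of the file contents makes the check easy to run in CI against captured files from a test machine.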

Edited Jun 09, 2022 by intrigeri