Re: Linux kernel hardening - link restrictions
On Fri, Mar 02, 2012 at 05:11:58AM +0000, Ben Hutchings wrote:
> The longstanding link restriction patches were recently accepted by
> Andrew Morton and are likely to end up in Linux 3.4. I've applied
> these to src:linux-2.6 in svn and they should end up in the upcoming
> version 3.2.9-1.
That's excellent news! (I am biased, obviously.)
> We know that these are going to break some programs, most notably
> 'at' (#597130, fixed in wheezy/sid). But of course it's possible
> to work around that by disabling the restriction, so I don't think
> this should result in a 'Breaks' relation.
FWIW, as some background, "at" is the only package that I'm aware of
breaking across 1.5 years of (a version of) this patch living in Ubuntu,
and in many more years living in Openwall Linux and grsecurity. So I
feel like "going to break some" is strong. :)
> I'm therefore intending to warn about this with the following NEWS
> entry in the linux-image metapackages:
> Index: debian/linux-image.NEWS
> --- debian/linux-image.NEWS (revision 18757)
> +++ debian/linux-image.NEWS (working copy)
> @@ -1,3 +1,18 @@
> +linux-latest (44) unstable; urgency=low
> + * The new kernel version includes security restrictions on links, which
> + are enabled by default. These are specified in
> + Documentation/sysctl/fs.txt in the linux-doc-3.2 and linux-source-3.2
> + packages.
> + These restrictions may cause some legitimate programs to fail.
> + In particular, if the 'at' package is installed, you should either:
> + - Upgrade it to at least version 3.1.13-1 (or a backport of that)
> + or:
> + - Set sysctl fs.protected_hardlinks=0 (see /etc/sysctl.conf)
> + -- Ben Hutchings <email@example.com> Fri, 02 Mar 2012 04:58:24 +0000
This seems like a sensible NEWS item to me. The use of "may break"
seems better than "going to break some".
> linux-latest-2.6 (26) unstable; urgency=low
> * The old IDE (PATA) drivers are no longer developed. Most PATA
> --- END ---
> (Why in the metapackages, you ask? Because apt-listchanges shows NEWS
> from upgraded packages, not new packages.)
> Does anyone have a better idea how to do this? Know about other
> packages that are affected?
It's a trivial patch to fix "at". How about just backporting that
change to stable, to avoid that known trouble too? This is what Ubuntu
did for the Lucid LTS release that was getting backported kernels (with
link restrictions) built for it.
Kees Cook @debian.org