[adding the ITP bug on CC]
On Mon, 2019-01-14 at 10:24 -0800, Matt Taggart wrote:
> I just found out about your hardening-runtime package, it's great!
> A while back I created a package with similar intent named lockdown.
Nice, I didn't know about it, thanks for the pointer.
> (although now there is a linux lockdown https://lwn.net/Articles/750761/
> so I might rename it).
> I've been meaning to get back to working on it, I have some other ideas
> about locking out some old networking protocols and other junk.
> Take a look and tell me what you think, maybe it's interesting to merge
> them? (or at the very least I will add a dependency to pull yours in).
I have to admit I'm not sure I like the whole initscript thing, and prefer the
configuration file approach. Regarding the current features:
kernel.kexec_load_disabled=1 and kernel.unprivileged_bpf_disabled=1 are in;
kernel.modules_disabled is not. Starting with Buster unsigned modules won't
load by default so part of the feature (not loading random kernel modules even
if you have CAP_SYS_ADMIN) will be enabled. For the rest (not loading signed
modules for vulnerable stuff, for example), I think it would make more sense
to load the required module in the initramfs and set the setting there.
This could be done by a special initramfs hook and adding all the whitelisted
modules in /etc/initramfs-tools/modules but it has to be done manually.
All in all:
- I don't think it really makes sense to have both lockdown and hardening-
runtime (it doesn't hurt that much but still it's duplicate work)
- hardening-runtime supports more stuff (sysctl settings and kernel command
line) than lockdown at the moment
I think it would make more sense to migrate the modules_disabled part to
hardening-runtime and I would happily welcome co-maintainership on this if
you're interested. Obviously that's my opinion and I can understand if you're
reluctant on that :)
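The reply above compares which of the three sysctl hardening settings (kernel.kexec_load_disabled, kernel.unprivileged_bpf_disabled, kernel.modules_disabled) a configuration file already carries. The following POSIX shell script is an added example, not code from either package or from the thread: it audits a sysctl(8) configuration fragment against those three expected values, reporting each as ok, mismatch or missing. The sample fragment it writes to a temporary file is constructed for the demonstration; it assumes keys in dotted form (kernel.foo, not kernel/foo) and single-token values, which covers the settings discussed here.

```shell
#!/bin/sh
# Added example (not part of the original thread): audit a sysctl.d fragment
# against the three hardening settings discussed in the reply above.

# Expected settings, taken from the thread. One key=value per line.
EXPECTED="kernel.kexec_load_disabled=1
kernel.unprivileged_bpf_disabled=1
kernel.modules_disabled=1"

# read_sysctl_value FILE KEY
# Print the value assigned to KEY in FILE, using sysctl.conf syntax:
# "key = value", comments starting with # or ;, last assignment wins.
# Prints nothing when the key is absent.
read_sysctl_value() {
    sed -e 's/[#;].*$//' \
        -e 's/^[[:space:]]*//' \
        -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' "$1" \
    | awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }'
}

# audit_sysctl_file FILE
# Report every expected setting as ok / mismatch / missing.
# Returns 0 only when all expected settings are present with the right value.
audit_sysctl_file() {
    file=$1 rc=0
    for entry in $EXPECTED; do          # word-split on the newlines above
        key=${entry%%=*}
        want=${entry#*=}
        have=$(read_sysctl_value "$file" "$key")
        if [ -z "$have" ]; then
            echo "missing   $key (want $want)"; rc=1
        elif [ "$have" != "$want" ]; then
            echo "mismatch  $key=$have (want $want)"; rc=1
        else
            echo "ok        $key=$have"
        fi
    done
    return $rc
}

# Constructed sample fragment: the first two settings are present (one with a
# trailing comment), kernel.modules_disabled is not, as in the reply above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed hardening fragment
kernel.kexec_load_disabled = 1
kernel.unprivileged_bpf_disabled=1   # no BPF for unprivileged users
EOF

audit_sysctl_file "$sample" || echo "fragment is incomplete"
rm -f "$sample"
```

Run it as `sh audit.sh`; the expected report is two `ok` lines, one `missing` line for kernel.modules_disabled and the "fragment is incomplete" message, and the exit status of audit_sysctl_file makes the script usable from a package's postinst or a CI check. Note that kernel.modules_disabled=1 cannot be undone until reboot, which is why the reply suggests setting it from the initramfs only after every required module has been loaded (the ones listed in /etc/initramfs-tools/modules); an audit like this one only tells you whether the setting is configured, not whether it was applied at a safe point in boot.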