From: Michael 'veremitz' Everitt
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Vanilla sources
Date: Fri, 3 Jan 2020 22:32:23 +0000

On 03/01/20 14:48, Toralf Förster wrote:
> On 1/3/20 3:46 PM, Rich Freeman wrote:
>> If OpenRC contains a vulnerability wouldn't it make more sense to set
>> this as part of OpenRC,
> Indeed.
>
> Furthermore there's a nifty page https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
> which yields for me this /etc/sysctl.d/local.conf:
>
> # Restrict potential illegal access via links
> #
> fs.protected_hardlinks = 1
> fs.protected_symlinks = 1
>
> #
> # https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project#CONFIGs
> #
>
> # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
> kernel.kptr_restrict = 1
>
> # Avoid kernel memory address exposures via dmesg.
> kernel.dmesg_restrict = 1
>
> # Block non-uid-0 profiling (needs distro patch, otherwise this is the same as "= 2")
> kernel.perf_event_paranoid = 3
>
> # Turn off kexec, even if it's built in.
> kernel.kexec_load_disabled = 1
>
> # Avoid non-ancestor ptrace access to running processes and their credentials.
> kernel.yama.ptrace_scope = 1
>
> # Disable User Namespaces, as it opens up a large attack surface to unprivileged users.
> user.max_user_namespaces = 0
>
> # Turn off unprivileged eBPF access.
> kernel.unprivileged_bpf_disabled = 1
>
> # Turn on BPF JIT hardening, if the JIT is enabled.
> net.core.bpf_jit_harden = 2
>

FWIW, there is a move to add further hardening options to the Gentoo-sources kernel - bug 689154, based on the kernsec recommendations. Further details of proposals, and inspiration, are in the bug.
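A sysctl.d file only states intent; whether the running kernel actually holds those values is a separate question (a later file in sysctl.d can override a key, a knob can be absent when the feature is not built in, and the kernel can run on a kernel the file was never applied to). The script below is an added example, not code from this thread, from Gentoo or from the kernsec project: it parses the quoted local.conf, reads the live values straight from /proc/sys and reports every key that differs or is unavailable. The embedded configuration is the one quoted above with its comments trimmed; the helper names are the example's own.

```python
"""Audit a sysctl.d hardening file against live kernel values.

Added example, not code from the gentoo-dev thread: it parses the
/etc/sysctl.d/local.conf quoted in the message and reports every key whose
live value under /proc/sys differs from, or lacks, the desired setting.
"""
from pathlib import Path

# The quoted local.conf, embedded (comments trimmed) so the example runs offline.
HARDENING_CONF = """\
# Restrict potential illegal access via links
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
# Keep kernel addresses out of /proc files and dmesg
kernel.kptr_restrict = 1
kernel.dmesg_restrict = 1
kernel.perf_event_paranoid = 3
kernel.kexec_load_disabled = 1
kernel.yama.ptrace_scope = 1
user.max_user_namespaces = 0
kernel.unprivileged_bpf_disabled = 1
net.core.bpf_jit_harden = 2
"""


def parse_sysctl_conf(text):
    """Return {key: value} from sysctl.conf(5) syntax.

    Blank lines and lines beginning with '#' or ';' are ignored; a leading
    '-' (sysctl's "ignore errors" marker) is stripped from the key.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a "key = value" line; sysctl itself would warn here
        settings[key.strip().lstrip("-")] = value.strip()
    return settings


def proc_sys_path(key, root=Path("/proc/sys")):
    """Map a sysctl key to its /proc/sys file.

    sysctl(8) treats '/' as the separator when a key contains one (so a
    component may itself contain a dot) and '.' otherwise.
    """
    parts = key.split("/") if "/" in key else key.split(".")
    return root.joinpath(*parts)


def read_live_values(keys, root=Path("/proc/sys")):
    """Read the current value of each key; None when the kernel has no such knob."""
    live = {}
    for key in keys:
        try:
            live[key] = proc_sys_path(key, root).read_text()
        except OSError:
            live[key] = None
    return live


def _normalise(value):
    # /proc/sys values end in '\n' and multi-value knobs use tabs; compare tokens.
    return " ".join(value.split())


def audit(desired, live):
    """Return {key: (desired, live)} for every setting that is absent or differs.

    A live value of None means the file does not exist under /proc/sys: the
    running kernel lacks that feature (e.g. Yama not built in), which is a
    finding in its own right rather than a misconfiguration.
    """
    findings = {}
    for key, want in desired.items():
        have = live.get(key)
        if have is None or _normalise(have) != _normalise(want):
            findings[key] = (want, None if have is None else _normalise(have))
    return findings


if __name__ == "__main__":
    desired = parse_sysctl_conf(HARDENING_CONF)
    findings = audit(desired, read_live_values(desired))
    for key, (want, have) in sorted(findings.items()):
        state = "unavailable" if have is None else f"is {have}"
        print(f"{key}: want {want}, {state}")
    print(f"{len(desired) - len(findings)}/{len(desired)} settings match")
```

Run it as root or as an ordinary user; /proc/sys is world-readable for these keys, so the audit needs no privilege. Reading /proc/sys directly rather than shelling out to sysctl keeps the check independent of the sysctl binary and makes an absent knob (no file) distinguishable from a wrong value, which matters for keys such as kernel.yama.ptrace_scope that only exist when the corresponding feature is compiled in.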