From 09ce61e27db83180993e8b1a7f511af62374383c Mon Sep 17 00:00:00 2001 From: Jingzi Meng Date: Fri, 5 Jan 2024 14:20:07 +0800 Subject: cap_syslog: remove CAP_SYS_ADMIN when dmesg_restrict MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CAP_SYSLOG was separated from CAP_SYS_ADMIN and introduced in Linux 2.6.37 (2010-11). For a long time, certain syslog actions required CAP_SYS_ADMIN or CAP_SYSLOG. Maybe it’s time to officially remove CAP_SYS_ADMIN for more fine-grained control. CAP_SYS_ADMIN was once removed but added back for backwards compatibility reasons. In commit 38ef4c2e437d ("syslog: check cap_syslog when dmesg_restrict") (2010-12), CAP_SYS_ADMIN was no longer needed. And in commit ee24aebffb75 ("cap_syslog: accept CAP_SYS_ADMIN for now") (2011-02), it was accepted again. Since then, CAP_SYS_ADMIN has been preserved. Now that almost 13 years have passed, the legacy application may have had enough time to be updated. Signed-off-by: Jingzi Meng Reviewed-by: Kees Cook Link: https://lore.kernel.org/r/20240105062007.26965-1-mengjingzi@iie.ac.cn Signed-off-by: Kees Cook --- kernel/printk/printk.c | 11 ----------- 1 file changed, 11 deletions(-) (limited to 'kernel') diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c index f2444b581e16..1c6e7dfc4ba7 100644 --- a/kernel/printk/printk.c +++ b/kernel/printk/printk.c @@ -598,17 +598,6 @@ static int check_syslog_permissions(int type, int source) if (syslog_action_restricted(type)) { if (capable(CAP_SYSLOG)) goto ok; - /* - * For historical reasons, accept CAP_SYS_ADMIN too, with - * a warning. - */ - if (capable(CAP_SYS_ADMIN)) { - pr_warn_once("%s (%d): Attempt to access syslog with " - "CAP_SYS_ADMIN but no CAP_SYSLOG " - "(deprecated).\n", - current->comm, task_pid_nr(current)); - goto ok; - } return -EPERM; } ok: -- cgit v1.2.3 From 006eac3fe20f03ea70765cb02a823dbb8737ec00 Mon Sep 17 00:00:00 2001 From: Lukas Bulwahn Date: Thu, 8 Feb 2024 10:10:44 +0100 Subject: hardening: drop obsolete UBSAN_SANITIZE_ALL from config fragment Commit 7a628f818499 ("ubsan: Remove CONFIG_UBSAN_SANITIZE_ALL") removes the config UBSAN_SANITIZE_ALL, but one reference to that config is left in the hardening.config fragment. Drop this reference in hardening.config fragment. Note that CONFIG_UBSAN is still enabled in the hardening.config fragment, so the functionality when using this fragment remains the same. Signed-off-by: Lukas Bulwahn Link: https://lore.kernel.org/r/20240208091045.9219-2-lukas.bulwahn@gmail.com Signed-off-by: Kees Cook --- kernel/configs/hardening.config | 1 - 1 file changed, 1 deletion(-) (limited to 'kernel') diff --git a/kernel/configs/hardening.config b/kernel/configs/hardening.config index 95a400f042b1..4dc0cd342ced 100644 --- a/kernel/configs/hardening.config +++ b/kernel/configs/hardening.config @@ -44,7 +44,6 @@ CONFIG_UBSAN_BOUNDS=y # CONFIG_UBSAN_BOOL # CONFIG_UBSAN_ENUM # CONFIG_UBSAN_ALIGNMENT -CONFIG_UBSAN_SANITIZE_ALL=y # Linked list integrity checking. CONFIG_LIST_HARDENED=y -- cgit v1.2.3 From 7b3133aa4b9eba9cdf3905e3f7c8b6687ff4615b Mon Sep 17 00:00:00 2001 From: Lukas Bulwahn Date: Thu, 8 Feb 2024 10:10:45 +0100 Subject: hardening: drop obsolete DRM_LEGACY from config fragment Commit 94f8f319cbcb ("drm: Remove Kconfig option for legacy support (CONFIG_DRM_LEGACY)") removes the config DRM_LEGACY, but one reference to that config is left in the hardening.config fragment. As there is no drm legacy driver left, we do not need to recommend this attack surface reduction anymore. Drop this reference in hardening.config fragment. Signed-off-by: Lukas Bulwahn Link: https://lore.kernel.org/r/20240208091045.9219-3-lukas.bulwahn@gmail.com Signed-off-by: Kees Cook --- kernel/configs/hardening.config | 3 --- 1 file changed, 3 deletions(-) (limited to 'kernel') diff --git a/kernel/configs/hardening.config b/kernel/configs/hardening.config index 4dc0cd342ced..ed126d7b5e83 100644 --- a/kernel/configs/hardening.config +++ b/kernel/configs/hardening.config @@ -92,6 +92,3 @@ CONFIG_SYN_COOKIES=y # Attack surface reduction: Use the modern PTY interface (devpts) only. # CONFIG_LEGACY_PTYS is not set - -# Attack surface reduction: Use only modesetting video drivers. -# CONFIG_DRM_LEGACY is not set -- cgit v1.2.3 From de2683e7fdac0c33c4c2c115e69dbbbe904a2224 Mon Sep 17 00:00:00 2001 From: Marco Elver Date: Mon, 12 Feb 2024 14:01:09 +0100 Subject: hardening: Enable KFENCE in the hardening config KFENCE is not a security mitigation mechanism (due to sampling), but has the performance characteristics of unintrusive hardening techniques. When used at scale, however, it improves overall security by allowing kernel developers to detect heap memory-safety bugs cheaply. Link: https://lkml.kernel.org/r/79B9A832-B3DE-4229-9D87-748B2CFB7D12@kernel.org Cc: Matthieu Baerts Cc: Jakub Kicinski Signed-off-by: Marco Elver Link: https://lore.kernel.org/r/20240212130116.997627-1-elver@google.com Signed-off-by: Kees Cook --- kernel/configs/hardening.config | 3 +++ 1 file changed, 3 insertions(+) (limited to 'kernel') diff --git a/kernel/configs/hardening.config b/kernel/configs/hardening.config index ed126d7b5e83..7a5bbfc024b7 100644 --- a/kernel/configs/hardening.config +++ b/kernel/configs/hardening.config @@ -45,6 +45,9 @@ CONFIG_UBSAN_BOUNDS=y # CONFIG_UBSAN_ENUM # CONFIG_UBSAN_ALIGNMENT +# Sampling-based heap out-of-bounds and use-after-free detection. +CONFIG_KFENCE=y + # Linked list integrity checking. CONFIG_LIST_HARDENED=y -- cgit v1.2.3