security practices: update for 2.0

Update with hardening for 2.0, including sysctls and YP/OE configuration. Some formatting updates in other places. Signed-off-by: Marta Rybczynska <marta.rybczynska@linaro.org>

security practices: update for 2.0
Update with hardening for 2.0, including sysctls and YP/OE configuration. Some formatting updates in other places. Signed-off-by: Marta Rybczynska <marta.rybczynska@linaro.org>
c04e19b0 · Marta Rybczynska · f41ba31a · c04e19b0
Commit c04e19b0 authored 2 years ago by Marta Rybczynska
--- a/security/guide.rst
+++ b/security/guide.rst
@@ -25,7 +25,7 @@ thus increasing software quality in general.
 Hardening and security options `may` have performance costs (e.g. due to
 additional checks in the code path). Oniro attempts to assure that security
-hardening features do not increase overhead more than %5, in general.
+hardening features do not increase overhead more than 5 percent, in general.
 On the other hand, additional tests come with an additional computing costs
 and may reduce performance. The hardening options suggested are checked against
@@ -51,6 +51,7 @@ leaking data freed from memory, and accessing wrong memory zones.
 Source files: ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_allocator.cfg``
 and ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_allocator_perf.cfg``.
+```
 +---------------------------------+-------------+
 | Config option                   | Oniro state |
 +=================================+=============+
@@ -62,6 +63,7 @@ and ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_allocator_perf.
 | CONFIG_PAGE_POISONING_ZERO      | On          |
 | CONFIG_INIT_ON_ALLOC_DEFAULT_ON | On          |
 +---------------------------------+-------------+
+```
 **CONFIG_SLAB_FREELIST_RANDOM=y**
@@ -148,6 +150,7 @@ Reducing Attack Surface
 The following options remove some obsolete or un-needed features, which could
 make attacks easier:
+```
 +---------------------------------+-------------+
 | Config option                   | Oniro state |
 +=================================+=============+
@@ -155,6 +158,7 @@ make attacks easier:
 | CONFIG_PROC_KCORE               | Off         |
 | CONFIG_BINFMT_MISC              | Off         |
 +---------------------------------+-------------+
+```
 **Option: CONFIG_COMPAT_BRK is not set**
@@ -194,13 +198,15 @@ automatically feed it to the correct interpreter.
 Dmesg Options
 ^^^^^^^^^^^^^
-Those options are related to the kernel log in dmesg:
+Those options are related to the kernel log in ``dmesg``:
+```
 +---------------------------------+-------------+
 | Config option                   | Oniro state |
 +=================================+=============+
 | CONFIG_SECURITY_DMESG_RESTRICT  | On          |
 +---------------------------------+-------------+
+```
 Source files: ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_dmesg.cfg``
@@ -219,11 +225,13 @@ Compiler-level Hardening
 Those options enable checks done by the compiler:
+```
 +---------------------------------+-------------+
 | Config option                   | Oniro state |
 +=================================+=============+
 | CONFIG_FORTIFY_SOURCE           | On          |
 +---------------------------------+-------------+
+```
 Source file: ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_fortify_source.cfg``.
@@ -241,12 +249,14 @@ Memory Accesses
 With those options we disable the complete physical memory access and detect
 unsafe memory permissions:
+```
 +-------------------------------+-------------+
 | Config option                 | Oniro state |
 +===============================+=============+
 | CONFIG_DEBUG_WX               | On          |
 | CONFIG_DEVMEM                 | Off         |
 +-------------------------------+-------------+
+```
 Source file: ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_memory.cfg``.
@@ -286,12 +296,14 @@ Copying from Userspace
 Those options add verification when copying potentially malicious data from
 the user space:
+```
 +-----------------------------------+-------------+
 | Config option                     | Oniro state |
 +===================================+=============+
 | CONFIG_HARDENED_USERCOPY          | On          |
 | CONFIG_HARDENED_USERCOPY_FALLBACK | Off         |
 +-----------------------------------+-------------+
+```
 File: ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_usercopy.cfg``.
@@ -333,6 +345,7 @@ Data Validation
 With those options we add verification of the internal kernel data structures:
+```
 +---------------------------------+-------------+
 | Config option                   | Oniro state |
 +=================================+=============+
@@ -342,6 +355,7 @@ With those options we add verification of the internal kernel data structures:
 | CONFIG_BUG_ON_DATA_CORRUPTION   | On          |
 | CONFIG_SCHED_STACK_END_CHECK    | On          |
 +---------------------------------+-------------+
+```
 File: ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_validation_checks.cfg``.
@@ -426,6 +440,7 @@ IOMMU is not enabled yet.
 *File:* Source file: ``hardening_fortify_source.cfg``
 KSPP [2]_ recomends setting up the following:
 ```
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
@@ -442,11 +457,58 @@ file to the kernel configuration if it is safe in your product.
 Module Signing
 ^^^^^^^^^^^^^^
-Module signing is not enabled yet, we need the key infrastructure set up.
+Module signing is not enabled yet, we do include the needed tools.
+Sysctls
+*******
+`sysctl` is used to modify kernel parameters at runtime. |main_project_name|
+to set up a number of hardening options.
+*Recommendation source:* KSPP [2]_
+General options
+^^^^^^^^^^^^^^^
+|main_project_name| limits the visibility in kernel addresses in ``/proc``
+files, disabled profiling for non-root users and disabled ``kexec``.
+User namespaces are enabled only in case of ``podman`` configured in ``rootless``
+mode.
+BPF
+^^^
+|main_project_name| DISABLES unprivileged BPF and enabled JIT hardening,
+if put in place.
+Options affected: ``kernel.unprivileged_bpf_disabled`` and ``net.core.bpf_jit_harden``.
+Networking
+^^^^^^^^^^
+|main_project_name| disabled ICMP redirects, rejects packets with the
+source route option (SRR) and logs impossible addresses.
+Options affected: ``net.ipv4.conf.all.rp_filter``,
+``net.ipv4.conf.default.accept_redirects``,
+``net.ipv4.conf.all.send_redirects``,
+``net.ipv4.conf.default.accept_source_route``,
+``net.ipv4.conf.default.log_martians``,
+``net.ipv6.conf.all.accept_redirects``, and
+``net.ipv6.conf.default.accept_redirects``.
+Yocto Project/OpenEmbedded Configuration
+****************************************
+The current version of |main_project_name| disables `debug-tweaks` by default
+in production images. It means, among other things, that the `root` login
+is disabled. Instead, a log in with `oniro` user is available. See the
+`Debug mode` documentation for more details.
 Known Issues
-^^^^^^^^^^^^
+************
 None.