security practices: update for 2.0

Update with hardening for 2.0, including sysctls and YP/OE configuration. Some formatting updates in other places. Signed-off-by: Marta Rybczynska <marta.rybczynska@linaro.org>

security practices: update for 2.0
Update with hardening for 2.0, including sysctls and YP/OE configuration. Some formatting updates in other places. Signed-off-by: Marta Rybczynska <marta.rybczynska@linaro.org>
cbeae9f9 · Marta Rybczynska · Andrei Gherzan · f0dba6b0 · cbeae9f9
Commit cbeae9f9 authored 2 years ago by Marta Rybczynska Committed by Andrei Gherzan 2 years ago
--- a/security/guide.rst
+++ b/security/guide.rst
@@ -25,7 +25,7 @@ thus increasing software quality in general.

 Hardening and security options `may` have performance costs (e.g. due to
 additional checks in the code path). Oniro attempts to assure that security
-hardening features do not increase overhead more than %5, in general.
+hardening features do not increase overhead more than 5 percent, in general.

 On the other hand, additional tests come with an additional computing costs
 and may reduce performance. The hardening options suggested are checked against
@@ -51,6 +51,7 @@ leaking data freed from memory, and accessing wrong memory zones.
 Source files: ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_allocator.cfg``
 and ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_allocator_perf.cfg``.

+```
 +---------------------------------+-------------+
 | Config option                   | Oniro state |
 +=================================+=============+
@@ -62,6 +63,7 @@ and ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_allocator_perf.
 | CONFIG_PAGE_POISONING_ZERO      | On          |
 | CONFIG_INIT_ON_ALLOC_DEFAULT_ON | On          |
 +---------------------------------+-------------+
+```

 **CONFIG_SLAB_FREELIST_RANDOM=y**

@@ -148,6 +150,7 @@ Reducing Attack Surface
 The following options remove some obsolete or un-needed features, which could
 make attacks easier:

+```
 +---------------------------------+-------------+
 | Config option                   | Oniro state |
 +=================================+=============+
@@ -155,6 +158,7 @@ make attacks easier:
 | CONFIG_PROC_KCORE               | Off         |
 | CONFIG_BINFMT_MISC              | Off         |
 +---------------------------------+-------------+
+```

 **Option: CONFIG_COMPAT_BRK is not set**

@@ -194,13 +198,15 @@ automatically feed it to the correct interpreter.
 Dmesg Options
 ^^^^^^^^^^^^^

-Those options are related to the kernel log in dmesg:
+Those options are related to the kernel log in ``dmesg``:

+```
 +---------------------------------+-------------+
 | Config option                   | Oniro state |
 +=================================+=============+
 | CONFIG_SECURITY_DMESG_RESTRICT  | On          |
 +---------------------------------+-------------+
+```

 Source files: ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_dmesg.cfg``

@@ -219,11 +225,13 @@ Compiler-level Hardening

 Those options enable checks done by the compiler:

+```
 +---------------------------------+-------------+
 | Config option                   | Oniro state |
 +=================================+=============+
 | CONFIG_FORTIFY_SOURCE           | On          |
 +---------------------------------+-------------+
+```

 Source file: ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_fortify_source.cfg``.

@@ -241,12 +249,14 @@ Memory Accesses
 With those options we disable the complete physical memory access and detect
 unsafe memory permissions:

+```
 +-------------------------------+-------------+
 | Config option                 | Oniro state |
 +===============================+=============+
 | CONFIG_DEBUG_WX               | On          |
 | CONFIG_DEVMEM                 | Off         |
 +-------------------------------+-------------+
+```

 Source file: ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_memory.cfg``.

@@ -286,12 +296,14 @@ Copying from Userspace
 Those options add verification when copying potentially malicious data from
 the user space:

+```
 +-----------------------------------+-------------+
 | Config option                     | Oniro state |
 +===================================+=============+
 | CONFIG_HARDENED_USERCOPY          | On          |
 | CONFIG_HARDENED_USERCOPY_FALLBACK | Off         |
 +-----------------------------------+-------------+
+```

 File: ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_usercopy.cfg``.

@@ -333,6 +345,7 @@ Data Validation

 With those options we add verification of the internal kernel data structures:

+```
 +---------------------------------+-------------+
 | Config option                   | Oniro state |
 +=================================+=============+
@@ -342,6 +355,7 @@ With those options we add verification of the internal kernel data structures:
 | CONFIG_BUG_ON_DATA_CORRUPTION   | On          |
 | CONFIG_SCHED_STACK_END_CHECK    | On          |
 +---------------------------------+-------------+
+```

 File: ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_validation_checks.cfg``.

@@ -426,6 +440,7 @@ IOMMU is not enabled yet.
 *File:* Source file: ``hardening_fortify_source.cfg``

 KSPP [2]_ recomends setting up the following:
+
 ```
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
@@ -442,11 +457,62 @@ file to the kernel configuration if it is safe in your product.
 Module Signing
 ^^^^^^^^^^^^^^

-Module signing is not enabled yet, we need the key infrastructure set up.
+Module signing is not enabled yet, we do include the needed tools.
+
+Sysctls
+*******
+
+`sysctl` is used to modify kernel parameters at runtime. |main_project_name|
+to set up a number of hardening options.
+
+*Recommendation source:* KSPP [2]_
+
+General options
+^^^^^^^^^^^^^^^
+
+|main_project_name| limits the visibility in kernel addresses in ``/proc``
+files, disabled profiling for non-root users and disabled ``kexec``.
+
+User namespaces are enabled only in case of ``podman`` configured in ``rootless``
+mode.
+
+Options affected: ``kernel.kptr_restrict``, ``kernel.perf_event_paranoid``,
+``kernel.kexec_load_disabled``, ``kernel.yama.ptrace_scope``, and
+``user.max_user_namespaces``.
+
+BPF
+^^^
+
+|main_project_name| DISABLES unprivileged BPF and enabled JIT hardening,
+if put in place.
+
+Options affected: ``kernel.unprivileged_bpf_disabled`` and ``net.core.bpf_jit_harden``.
+
+Networking
+^^^^^^^^^^
+
+|main_project_name| disabled ICMP redirects, rejects packets with the
+source route option (SRR) and logs impossible addresses.
+
+Options affected: ``net.ipv4.conf.all.rp_filter``,
+``net.ipv4.conf.default.accept_redirects``,
+``net.ipv4.conf.all.send_redirects``,
+``net.ipv4.conf.default.accept_source_route``,
+``net.ipv4.conf.default.log_martians``,
+``net.ipv6.conf.all.accept_redirects``, and
+``net.ipv6.conf.default.accept_redirects``.
+
+Yocto Project/OpenEmbedded Configuration
+****************************************
+
+The current version of |main_project_name| disables `debug-tweaks` by default
+in production images. It means, among other things, that the `root` login
+is disabled. Instead, a log in with `oniro` user is available. See the
+:ref:`Debug mode documentation <DebugMode>` for more details.


 Known Issues
-^^^^^^^^^^^^
+************

 None.