From 04c7571c78e133c2e05efe9a2490188580f3c75a Mon Sep 17 00:00:00 2001
From: Pavel Zhukov <pavel@zhukoff.net>
Date: Mon, 18 Oct 2021 13:19:12 +0200
Subject: [PATCH] oniro-sysctl: Add project specific sysctl parameters

Closes: OSTC/planning/core-os#129
Signed-off-by: Pavel Zhukov <pavel@zhukoff.net>
---
 .../recipes-core/oniro-sysctl/oniro-sysctl.bb | 31 +++++++++++++++++++
 .../oniro-sysctl/oniro-sysctl/oniro-bpf.conf  | 10 ++++++
 .../oniro-sysctl/oniro-general.conf           | 21 +++++++++++++
 .../oniro-sysctl/oniro-net-ipv4.conf          | 16 ++++++++++
 .../oniro-sysctl/oniro-net-ipv6.conf          |  8 +++++
 .../packagegroups/packagegroup-oniro-core.bb  |  1 +
 6 files changed, 87 insertions(+)
 create mode 100644 meta-oniro-core/recipes-core/oniro-sysctl/oniro-sysctl.bb
 create mode 100644 meta-oniro-core/recipes-core/oniro-sysctl/oniro-sysctl/oniro-bpf.conf
 create mode 100644 meta-oniro-core/recipes-core/oniro-sysctl/oniro-sysctl/oniro-general.conf
 create mode 100644 meta-oniro-core/recipes-core/oniro-sysctl/oniro-sysctl/oniro-net-ipv4.conf
 create mode 100644 meta-oniro-core/recipes-core/oniro-sysctl/oniro-sysctl/oniro-net-ipv6.conf

diff --git a/meta-oniro-core/recipes-core/oniro-sysctl/oniro-sysctl.bb b/meta-oniro-core/recipes-core/oniro-sysctl/oniro-sysctl.bb
new file mode 100644
index 00000000..fab1522c
--- /dev/null
+++ b/meta-oniro-core/recipes-core/oniro-sysctl/oniro-sysctl.bb
@@ -0,0 +1,31 @@
+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+SUMMARY = "Oniro project specific sysctl settings"
+SECTION = "base"
+DESCTIPTION = "This recipes provides a set of Oniro Project specific settings for the kernel hardening."
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/Apache-2.0;md5=89aea4e17d99a7cacdbeed46a0096b10"
+
+SRC_URI = 	" 				\
+		file://oniro-bpf.conf 		\
+		file://oniro-general.conf 	\
+		file://oniro-net-ipv4.conf 	\
+		file://oniro-net-ipv6.conf 	\
+		"
+inherit allarch
+
+
+do_configure[noexec] = "1"
+do_compile[noexec] = "1"
+
+do_install() {
+	install -d "${D}/${sysconfdir}/sysctl.d"
+	install -m 0644 "${WORKDIR}/oniro-general.conf" "${D}${sysconfdir}/sysctl.d/"
+	install -m 0644 "${WORKDIR}/oniro-net-ipv4.conf" "${D}${sysconfdir}/sysctl.d/"
+	install -m 0644 "${WORKDIR}/oniro-net-ipv6.conf" "${D}${sysconfdir}/sysctl.d/"
+	install -m 0644 "${WORKDIR}/oniro-bpf.conf" "${D}${sysconfdir}/sysctl.d/"
+}
+
+FILES_${PN} += "${sysconfdir}/sysctl.d/oniro-*"
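Review bot: `DESCTIPTION` on the seventh added line is a typo, so the description is assigned to an unused variable and never reaches the package metadata; the line should read `DESCRIPTION = "This recipe provides a set of Oniro Project specific sysctl settings for kernel hardening."`. The directory line `install -d "${D}/${sysconfdir}/sysctl.d"` also carries a stray `/` between `${D}` and `${sysconfdir}` that the four install lines below it do not have; it is harmless but worth aligning. Since the four conf files are listed once in SRC_URI and again one per install line, a loop over the SRC_URI entries in do_install would keep the two lists from drifting apart when a file is added later.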
diff --git a/meta-oniro-core/recipes-core/oniro-sysctl/oniro-sysctl/oniro-bpf.conf b/meta-oniro-core/recipes-core/oniro-sysctl/oniro-sysctl/oniro-bpf.conf
new file mode 100644
index 00000000..ab92b315
--- /dev/null
+++ b/meta-oniro-core/recipes-core/oniro-sysctl/oniro-sysctl/oniro-bpf.conf
@@ -0,0 +1,10 @@
+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+# Turn off unprivileged eBPF access.
+kernel.unprivileged_bpf_disabled = 1
+
+# Turn on BPF JIT hardening, if the JIT is enabled.
+net.core.bpf_jit_harden = 2
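Review bot: The comment above `kernel.unprivileged_bpf_disabled = 1` does not mention that value 1 is one-way: once written it cannot be cleared again until reboot, whereas value 2 (on kernels that support it) disables unprivileged BPF but leaves it re-enableable by an administrator. If the lock-in is intended, record it so nobody later expects to toggle it at runtime, e.g. `# 1 = disabled and cannot be re-enabled until reboot (2 would allow re-enabling)`. Likewise `net.core.bpf_jit_harden = 2` applies JIT hardening to privileged BPF programs as well, at a performance cost, which the comment should state so a later reader does not lower it to 1 without knowing the trade-off.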
diff --git a/meta-oniro-core/recipes-core/oniro-sysctl/oniro-sysctl/oniro-general.conf b/meta-oniro-core/recipes-core/oniro-sysctl/oniro-sysctl/oniro-general.conf
new file mode 100644
index 00000000..45f71df5
--- /dev/null
+++ b/meta-oniro-core/recipes-core/oniro-sysctl/oniro-sysctl/oniro-general.conf
@@ -0,0 +1,21 @@
+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+# Try to keep kernel address exposures out of various /proc files 
+# (kallsyms, modules, etc). (There is no CONFIG for the changing the initial value.)
+kernel.kptr_restrict = 2
+
+# Block non-uid-0 profiling (needs distro patch, otherwise this is the same as "= 2")
+# https://lwn.net/Articles/696264/
+kernel.perf_event_paranoid = 3
+
+# Turn off kexec, even if it's built in.
+kernel.kexec_load_disabled = 1
+
+# Avoid non-ancestor ptrace access to running processes and their credentials.
+kernel.yama.ptrace_scope = 1
+
+# Disable User Namespaces, as it opens up a large attack surface to unprivileged users.
+user.max_user_namespaces = 0
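Review bot: `user.max_user_namespaces = 0` is a global limit rather than an unprivileged-only switch, so as far as I can tell it also prevents root, systemd units using `PrivateUsers=`, and any container runtime on the image from creating user namespaces; the comment should record that this was checked against the image's services, e.g. `# Note: also blocks privileged user-namespace creation (systemd PrivateUsers=, containers).`. `kernel.yama.ptrace_scope = 1` only exists when the Yama LSM (CONFIG_SECURITY_YAMA) is built in and active; if it is not, the key is missing and systemd-sysctl reports an error for this file and moves on, so a comment naming that dependency would help whoever configures the kernel. The line `# Try to keep kernel address exposures out of various /proc files ` ends with trailing whitespace.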
diff --git a/meta-oniro-core/recipes-core/oniro-sysctl/oniro-sysctl/oniro-net-ipv4.conf b/meta-oniro-core/recipes-core/oniro-sysctl/oniro-sysctl/oniro-net-ipv4.conf
new file mode 100644
index 00000000..800dba2c
--- /dev/null
+++ b/meta-oniro-core/recipes-core/oniro-sysctl/oniro-sysctl/oniro-net-ipv4.conf
@@ -0,0 +1,16 @@
+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+# Reverse Path Filtering
+net.ipv4.conf.all.rp_filter = 1
+
+# Do not accept ICMP redirect messages
+net.ipv4.conf.default.accept_redirects = 0
+
+# Do not accept packets with SRR option.
+net.ipv4.conf.default.accept_source_route = 0
+
+# Log packets with impossible addresses to kernel log
+net.ipv4.config.default.log_martians = 1
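Review bot: `net.ipv4.config.default.log_martians = 1` on the last line names a key that does not exist (`config` instead of `conf`), so the write is rejected at apply time and martian logging is never enabled; it should be `net.ipv4.conf.default.log_martians = 1`. Separately, the `conf.default.*` keys only seed interfaces created after sysctl runs, while interfaces that already exist at boot keep their current values; the ipv6 file in this same patch sets both `all` and `default`, and this file should do the same for accept_redirects, accept_source_route and log_martians (rp_filter already uses `all`). The rewritten lines are below, with the existing `default` lines kept for placement.
```ini
# … unchanged: SPDX header, rp_filter …
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# … unchanged: accept_source_route comment …
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# … unchanged: log_martians comment …
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
```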
diff --git a/meta-oniro-core/recipes-core/oniro-sysctl/oniro-sysctl/oniro-net-ipv6.conf b/meta-oniro-core/recipes-core/oniro-sysctl/oniro-sysctl/oniro-net-ipv6.conf
new file mode 100644
index 00000000..43def55d
--- /dev/null
+++ b/meta-oniro-core/recipes-core/oniro-sysctl/oniro-sysctl/oniro-net-ipv6.conf
@@ -0,0 +1,8 @@
+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+# Do not accept redirects
+net.ipv6.conf.all.accept_redirects  = 0
+net.ipv6.conf.default.accept_redirects = 0
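Review bot: `net.ipv6.conf.all.accept_redirects  = 0` has two spaces before `=` while the line under it has one; sysctl trims the padding, so this is only style, but the line should read `net.ipv6.conf.all.accept_redirects = 0`. Since this file is meant to be read alongside the ipv4 file, identical spacing makes the two easy to compare line by line.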
diff --git a/meta-oniro-core/recipes-core/packagegroups/packagegroup-oniro-core.bb b/meta-oniro-core/recipes-core/packagegroups/packagegroup-oniro-core.bb
index 12961f35..808f5e2f 100644
--- a/meta-oniro-core/recipes-core/packagegroups/packagegroup-oniro-core.bb
+++ b/meta-oniro-core/recipes-core/packagegroups/packagegroup-oniro-core.bb
@@ -10,4 +10,5 @@ PACKAGES = "packagegroup-oniro-core"
 
 RDEPENDS_packagegroup-oniro-core = "\
 	oniro-mounts \
+	oniro-sysctl \
 	"
-- 
GitLab