Originally posted by tchiwam
View Post
Announcement
Collapse
No announcement yet.
Linux 5.4 Pulls In LOCKDOWN Support For Opt-In Hardware/Kernel Security Restrictions
Collapse
X
-
Originally posted by starshipeleven View PostYeah sure. Just preventing 99% of the tampering is as simple as disabling the kernel module support and unsafe shit like /dev/mem (both are a kernel compile option) and compiling in the kernel all hardware support modules you need.
Originally posted by starshipeleven View PostThen you sign your kernel image and enforce signature checking with the bootloader. Boom. Device is locked down.
Originally posted by starshipeleven View PostNot really.
Originally posted by tildearrow View PostUnrelated question: Is it true that GrSecurity's userbase crumbled into dust after they announced it wasn't going to be free anymore?
Comment
-
Originally posted by tildearrow View Post
Unrelated question: Is it true that GrSecurity's userbase crumbled into dust after they announced it wasn't going to be free anymore?
I kept on using it on outside facing servers but I don't work there anymore.
Comment
-
Originally posted by Marc.2377 View PostThe way I see it, anyone complaining "it hurts my freedom" regarding this patchset doesn't have the slightest clue what the patches are actually about.
The lockdown are hardening against exploitation, rootkits and legit 'malicious actors' (as I've seen them called) - they are not about locking down on end users.
At this point... well, at least we have to be picky about devices.
Comment
-
Originally posted by chithanh View PostDisabling kernel modules is one part of hardening the system, but I dare you find a public root exploit for any existing consumer device that actually uses that path (or /dev/mem).
Under normal circumstances in production system usermode should not do something like that, regardless if it root or not (its fundamentally wrong approach in multitask OS). I only did that for peripheral unsupported by kernel, to try to poke it with stick and see how it works, being dead sure kernel would not interfere with it due to lack of drivers. If someone got legit rights to do all that, they probably shouldn't mind booting "special" kernel as extra safeguard that much. After all e.g. openwrt does protects e.g. boot loader partitions by default. Just to prevent a really nasty "Game Over" scenarios. Those who really want to do exactly that end up building and booting custom kernel. Serves as very good comfirmation they know what they are doing.Last edited by SystemCrasher; 02 October 2019, 03:59 AM.
Comment
Comment