Update various docs #344
Update various docs #344
Conversation
The ordering was changed due to different merge times.
ArrayBolt3
left a comment
ArrayBolt3
left a comment
There was a problem hiding this comment.
Looks good for the most part, just a few things need fixed up IMO.
| etc/sudoers.d/security-misc-desktop#security-misc-desktop => /etc/sudoers.d/security-misc-desktop | ||
| etc/bluetooth/30_security-misc.conf#security-misc-desktop => /etc/bluetooth/30_security-misc.conf | ||
| etc/sudoers.d/security-misc-desktop#security-misc-desktop => /etc/sudoers.d/security-misc-desktop |
There was a problem hiding this comment.
Can we revert the changes to this and the other install file? These don't really have to be sorted, and once ArrayBolt3/genmkfile@31d3171 gets merged these files will automatically get sorted when needed.
| ## Restrict processes from modifying their own memory mappings. | ||
| ## Prevents using /proc/PID/mem to write to protected pages unless via ptrace() for debugging. | ||
| ## Increases the difficulty in tricking applications into overwriting their own memory. | ||
| ## Limit self-modification which can be used trigger race condition vulnerabilities. |
There was a problem hiding this comment.
Are these actually race conditions? I looked at a couple of the example bugs here (one Chromium mess that I couldn't make heads or tails of, one involving passing /proc/PID/mem as an stdout fd to su), and I don't think these are race conditions.
| ## KSPP=yes | ||
| ## KSPP sets CONFIG_PANIC_TIMEOUT=-1. | ||
| ## | ||
| ## Note that this must be used with panic=-1 for it to function as intended. |
There was a problem hiding this comment.
This line seems wrong; this config section is setting (or really, illustrating the setting of) panic=-1.
| ## | ||
| ## Note that this must be used with panic=-1 for it to function as intended. | ||
| ## | ||
| ## See /usr/libexec/security-misc/panic-on-oops for implementation. |
There was a problem hiding this comment.
This is no longer accurate due to a change I made previously; kernel.panic=-1 is now set by sysctl itself so that if the user disables panic-on-warn, they don't also end up with the system freezing and exposing internal system details if a panic occurs.
| ## See /usr/libexec/security-misc/panic-on-oops for implementation. | |
| ## See /usr/lib/sysctl.d/990-security-misc.conf for implementation. |
| ## | ||
| ## KSPP=yes | ||
| ## KSPP sets CONFIG_UNMAP_KERNEL_AT_EL0=y. | ||
| ## KSPP sets the second kernel parameter, CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y, and CONFIG_UNMAP_KERNEL_AT_EL0=y. |
There was a problem hiding this comment.
Can we name the kernel parameter explicitly? This is slightly confusing otherwise since we have two items in each string that we're assigning.
| ## KSPP sets the second kernel parameter, CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y, and CONFIG_UNMAP_KERNEL_AT_EL0=y. | |
| ## KSPP sets "pti=on", CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y, and CONFIG_UNMAP_KERNEL_AT_EL0=y. |
| - Enable kernel page table isolation on x86_64 and ARM64 CPUs to increase | ||
| KASLR effectiveness and also mitigate the Meltdown CPU vulnerability. | ||
|
|
There was a problem hiding this comment.
There isn't anywhere else in the README that appears to mention kernel page table isolation, so this shouldn't be removed.
| ## https://docs.kernel.org/admin-guide/sysctl/fs.html | ||
| ## https://docs.kernel.org/admin-guide/sysctl/net.html | ||
| ## https://docs.kernel.org/admin-guide/sysctl/vm.html | ||
| ## https://docs.kernel.org//networking/ip-sysctl.html |
There was a problem hiding this comment.
This issue already existed before the PR, but can we fix the double slash between org and networking here?
2 participants
This pull request improves documentation around several pre-existing areas.
Changes
There are no changes to the functionality of the codebase.
Mandatory Checklist
Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint
Optional Checklist
The following items are optional but might be requested in certain cases.