
Activating Lockdown
Open, Normal, Public


Consider activating "Lockdown", a mainlined patch that applies some hardening measures, including some that grsec formerly provided. The package is currently available only in Sid.

What it does:

  • disables loading/removing kernel modules after boot
  • disables live kernel patching (kexec)
  • disables Berkeley packet filter (BPF)

    (*) No unsigned modules and no modules for which the kernel can't validate the signature.
    (*) No use of ioperm(), iopl() and no writing to /dev/port.
    (*) No writing to /dev/mem or /dev/kmem.
    (*) No hibernation.
    (*) Restrict PCI BAR access.
    (*) Restrict MSR access.
    (*) No kexec_load().
    (*) Certain ACPI restrictions.
    (*) Restrict debugfs interface to ASUS WMI.

While disabling modules might interfere with devices whose drivers are not built in, those modules can be whitelisted on demand, or an extended timeout can be specified so the needed components are loaded during boot.



Event Timeline

HulaHoop created this task.May 3 2017, 7:09 PM
HulaHoop updated the task description. May 3 2017, 7:11 PM
Patrick added a subscriber: marmarek.

Likely part of 5.2. We won't see it until the version after Buster unless we use backports.

This looks focused on kernel protection from an attacker who already has full user (or even root) access. Something very desirable on server/multi-user systems, but not so meaningful in a single-user AppVM.
Also, disabling module loading at all may break attaching devices (block, USB, etc.).
Other than module loading, it shouldn't harm, though.

Patrick updated the task description. May 3 2019, 6:41 AM

Could you please test this by installing it in a VM and/or on the host? @madaidan

I can test it but I doubt lockdown will help at all.

Copy/paste from what I said on the forums:

I've looked at the lockdown code and all it does is change 3 sysctl settings, two of which we already use (in security-misc); the third one just prevents modules from being loaded after boot, which isn't that much of a security gain.

Either I'm missing something massive, or lockdown is mostly useless for us.
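To check how much of this a given system already has, the audit script below compares a `sysctl -a`-style listing against the three settings the task description and madaidan's comment refer to. It is an added example written for this task, not the lockdown package's own code, and it assumes the three sysctls are kernel.modules_disabled, kernel.kexec_load_disabled and kernel.unprivileged_bpf_disabled (the /proc/sys paths are the real ones; the sample listing is constructed).

```shell
#!/bin/sh
# Audit the three sysctls assumed to correspond to the lockdown package's
# "no modules after boot / no kexec / no BPF" behaviour (assumption, see lead-in).
LOCKDOWN_SYSCTLS="kernel.modules_disabled=1
kernel.kexec_load_disabled=1
kernel.unprivileged_bpf_disabled=1"

# lockdown_gaps LISTING: print every expected sysctl that is absent from, or
# not at the hardened value in, LISTING ("key = value" lines as sysctl -a
# prints them). Returns 0 when all three are set, 1 otherwise.
lockdown_gaps() {
    listing=$1
    rc=0
    for pair in $LOCKDOWN_SYSCTLS; do
        key=${pair%%=*}
        want=${pair#*=}
        # Escape the dots so the key is matched literally, not as regex wildcards.
        key_re=$(printf '%s' "$key" | sed 's/\./\\./g')
        have=$(printf '%s\n' "$listing" | sed -n "s/^$key_re *= *//p" | head -n 1)
        if [ "$have" != "$want" ]; then
            printf '%s: have "%s", want %s\n' "$key" "${have:-<unset>}" "$want"
            rc=1
        fi
    done
    return $rc
}

# live_listing: read the current values from /proc/sys on a running Linux host.
live_listing() {
    for pair in $LOCKDOWN_SYSCTLS; do
        key=${pair%%=*}
        path=/proc/sys/$(printf '%s' "$key" | tr . /)
        [ -r "$path" ] && printf '%s = %s\n' "$key" "$(cat "$path")"
    done
}

# Constructed sample: the two settings security-misc already ships are active,
# but module loading after boot is still allowed.
SAMPLE="kernel.kexec_load_disabled = 1
kernel.unprivileged_bpf_disabled = 1
kernel.modules_disabled = 0"

if [ "${1:-}" = "--live" ]; then
    lockdown_gaps "$(live_listing)" || echo "hardening gaps found"
else
    lockdown_gaps "$SAMPLE" || echo "hardening gaps found"
fi
```

Run it with `--live` on a host or VM to audit the real values instead of the constructed sample.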