hardened-config: enable the SafeSetID LSM
The purpose of this LSM is to allow processes to drop to a less privileged user id without having to grant them full CAP_SETUID (or use file caps). The LSM allows configuring a whitelist policy of permitted from:to uid transitions. The policy is enforced upon calls to setuid(2) and related syscalls. Policies are configured through securityfs by writing to - safesetid/add_whitelist_policy ; and - safesetid/flush_whitelist_policies A process attempting a transition not permitted by current policy is killed (to avoid accidentally running with higher privileges than intended). A uid that has a configured policy is prevented from obtaining auxiliary setuid privileges (e.g., setting up user namespaces). See also: https://www.kernel.org/doc/html/latest/admin-guide/LSM/SafeSetID.html
This commit is contained in:
parent
7085da0cef
commit
87bc514620
@ -91,6 +91,9 @@ optionalAttrs (stdenv.hostPlatform.platform.kernelArch == "x86_64") {
|
||||
PAGE_POISONING_NO_SANITY = yes;
|
||||
PAGE_POISONING_ZERO = yes;
|
||||
|
||||
# Enable the SafeSetId LSM
|
||||
SECURITY_SAFESETID = whenAtLeast "5.1" yes;
|
||||
|
||||
# Reboot devices immediately if kernel experiences an Oops.
|
||||
PANIC_ON_OOPS = yes;
|
||||
PANIC_TIMEOUT = freeform "-1";
|
||||
|
Loading…
x
Reference in New Issue
Block a user