From: Yinhao Hu <huyinhaodd@gmail.com>
To: gentoo-dev@lists.gentoo.org
Cc: dzm91@hust.edu.cn, dddddd@hust.edu.cn
Date: Fri, 13 Dec 2024 14:28:34 +0800
Subject: [gentoo-dev] Request For Insights On Kernel Security Hardening Practices In Gentoo
Message-ID: <80a9704a-78eb-4db4-bf53-736170b13e46@gmail.com>

Dear All,

We are academic researchers from Huazhong University of Science and Technology, China. To foster a healthier Linux kernel community and enhance the overall security of Linux distributions, we are conducting a study on kernel security hardening deployments across various Linux distributions.
In our research, we analyzed kernel config files and the /proc filesystem by installing and running multiple distribution ISO images. This allowed us to enumerate the default deployment of kernel defense mechanisms at runtime. So far, we have cataloged over 50 kernel security hardening features and documented inconsistencies in their deployment across different distributions. The results of our analysis are accessible via the following link:

https://docs.google.com/spreadsheets/d/17QRr04pqK1K4-VoHXW2-9KgPd4uV8Q4I-NNkV9CN8nM/edit?usp=sharing

Given Gentoo's reputation for exceptional performance and rich features, we conducted a detailed investigation into its kernel security hardening strategies. To further deepen our understanding, we would greatly appreciate your input on the following questions:

1. Effectiveness of Kernel Security Hardening
   1.1 Do you consider deploying kernel security hardening features to be an effective strategy for ensuring operating system security?

2. Configuration Strategy for Default Kernel Security Hardening Options
   2.1 What are the primary criteria for selecting kernel security hardening options in your distribution?
   2.2 How are configurable security hardening features (e.g., unprivileged_bpf_disabled) typically set (e.g., 0, 1, or 2), and what are the main considerations involved?
   2.3 How do you balance the trade-off between side-effects (e.g., performance overhead) and the enhanced security introduced by kernel security hardening?
   2.4 Does the tolerance for performance overhead vary across different application scenarios?
   2.5 Are there other negative factors, such as compatibility issues, that are considered when enabling security hardening features?

3. Customized Configurations
   3.1 Do you provide different kernel security hardening configurations tailored to specific user groups?

4. Best Practices and Recommendations
   4.1 Are there any best practices or recommendations you can share regarding kernel security hardening?
   4.2 Are there relevant documents or materials available for reference?

The purpose of these questions is to gain a deeper understanding of your security protection strategies. Your insights would be immensely valuable to our study. Thank you for taking the time to review our questions. We look forward to your response.

Best regards,
Yinhao Hu, PhD candidate
huyinhaodd@gmail.com
Huazhong University of Science and Technology