ampel/blog
2
0
Fork 0
Code Issues Pull requests Activity

docs/posts/03-security-improvements.md: update

Browse source 
Added Void Linux compatibility.
This commit is contained in:
Luc Bijl 2025-08-28 21:48:03 +02:00
parent b5e73a228d
commit dfd09dbcb6
1 changed files with 94 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

108
docs/posts/03-security-improvements.md
View file

@ -9,6 +9,7 @@ authors:
tags: tags:
- Alpine Linux - Alpine Linux
- Gentoo Linux - Gentoo Linux
- Void Linux
categories: categories:
- Security - Security
--- ---
@ -23,9 +24,24 @@ Linux Security Modules (LSM) is a framework that allows the implementation of va
These security modules may be enabled by adding them to the kernel `cmdline`: These security modules may be enabled by adding them to the kernel `cmdline`:
``` shell title="/etc/kernel/cmdline" === "Alpine Linux"
... lsm=landlock,lockdown,yama,integrity ...
``` ``` shell title="/etc/kernel-hooks.d/secureboot.conf"
cmdline="... lsm=landlock,lockdown,yama,integrity ..."
```
=== "Gentoo Linux"
``` shell title="/etc/kernel/cmdline"
... lsm=landlock,lockdown,yama,integrity ...
```
=== "Void Linux"
``` shell title="/etc/dracut.conf.d/cmdline.conf"
kernel_cmdline="... lsm=landlock,lockdown,yama,integrity ..."
```
### Landlock ### Landlock
@ -69,23 +85,55 @@ AppArmor is a security module that provides a simpler alternative to SELinux. It
sh# apk add apparmor apparmor-utils apparmor-profiles sh# apk add apparmor apparmor-utils apparmor-profiles
``` ```
and add it to the boot runlevel:
``` shell-session
sh# rc-update add apparmor boot
```
=== "Gentoo Linux" === "Gentoo Linux"
``` shell-session ``` shell-session
sh# emerge -a apparmor apparmor-utils apparmor-profiles sh# emerge -a apparmor apparmor-utils apparmor-profiles
``` ```
and add it to the boot runlevel:
and add it to the boot runlevel: ``` shell-session
sh# rc-update add apparmor boot
```
``` shell-session === "Void Linux"
sh# rc-update add apparmor boot
``` ``` shell-session
sh# xbps-install apparmor apparmor-utils apparmor-profiles
```
and add the service:
``` shell-session
sh# ln -s /etc/sv/apparmor /var/service
```
Add `apparmor` to the kernel `cmdline` to make it operational: Add `apparmor` to the kernel `cmdline` to make it operational:
``` shell title="/etc/kernel/cmdline" === "Alpine Linux"
... lsm=...,apparmor apparmor=1 ...
``` ``` shell title="/etc/kernel-hooks.d/secureboot.conf"
cmdline="... lsm=...,apparmor apparmor=1 ..."
```
=== "Gentoo Linux"
``` shell title="/etc/kernel/cmdline"
... lsm=...,apparmor apparmor=1 ...
```
=== "Void Linux"
``` shell title="/etc/dracut.conf.d/cmdline.conf"
kernel_cmdline="... lsm=...,apparmor apparmor=1 ..."
```
Then reconfigure the `kernel`: Then reconfigure the `kernel`:
@ -101,6 +149,12 @@ Then reconfigure the `kernel`:
sh# emerge --config gentoo-kernel sh# emerge --config gentoo-kernel
``` ```
=== "Void Linux"
``` shell-session
sh# xbps-reconfigure -f linux<version>
```
You can check the status of `apparmor` with `apparmor-utils`: You can check the status of `apparmor` with `apparmor-utils`:
``` shell-session ``` shell-session
@ -111,9 +165,23 @@ sh# aa-status
Boot parameters configure the bootloader to parse the relevant settings to the kernel at boot. Hardening the boot process will improve the overall security of the system. The listed boot parameters in this chapter can be parsed into the kernel `cmdline`: Boot parameters configure the bootloader to parse the relevant settings to the kernel at boot. Hardening the boot process will improve the overall security of the system. The listed boot parameters in this chapter can be parsed into the kernel `cmdline`:
``` shell title="/etc/kernel/cmdline" === "Alpine Linux"
... slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on ...
``` ``` shell title="/etc/kernel-hooks.d/secureboot.conf"
cmdline="... slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on ..."
```
=== "Gentoo Linux"
``` shell title="/etc/kernel/cmdline"
... slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on ...
```
=== "Void Linux"
``` shell title="/etc/dracut.conf.d/cmdline.conf"
kernel_cmdline="... slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on ..."
```
### Mitigations of system vulnerabilities ### Mitigations of system vulnerabilities
@ -275,6 +343,12 @@ The default memory allocator of `musl` is already reasonably secure but not as s
sh# emerge -a hardened-malloc sh# emerge -a hardened-malloc
``` ```
=== "Void Linux"
``` shell-session
sh# xbps-install hardened-malloc
```
and set it to system-wide edit: and set it to system-wide edit:
``` shell title="/etc/ld-musl-x86_64.path" ``` shell title="/etc/ld-musl-x86_64.path"
@ -308,8 +382,14 @@ Improve the security of the system by increasing the entropy with the `jitterent
sh# emerge -a jitterentropy sh# emerge -a jitterentropy
``` ```
=== "Void Linux"
``` shell-session
sh# xbps-install jitterentropy
```
and make sure that the module gets loaded: and make sure that the module gets loaded:
``` shell title="/etc/modules-load.d/entropy.conf" ``` shell title="/etc/modules-load.d/entropy.conf"
jitterentropy_rng jitterentropy_rng
``` ```