ampel/blog
2
0
Fork 0
Code Issues Pull requests Activity

docs/posts/03-security-improvements.md: update

Browse source 
Added Void Linux compatibility.
This commit is contained in:
Luc Bijl 2025-08-28 21:48:03 +02:00
parent b5e73a228d
commit dfd09dbcb6
1 changed files with 94 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

80
docs/posts/03-security-improvements.md
View file

@ -9,6 +9,7 @@ authors:
tags:
- Alpine Linux
- Gentoo Linux
- Void Linux
categories:
- Security
---
@ -23,10 +24,25 @@ Linux Security Modules (LSM) is a framework that allows the implementation of va
These security modules may be enabled by adding them to the kernel `cmdline`:
=== "Alpine Linux"
``` shell title="/etc/kernel-hooks.d/secureboot.conf"
cmdline="... lsm=landlock,lockdown,yama,integrity ..."
```
=== "Gentoo Linux"
``` shell title="/etc/kernel/cmdline"
... lsm=landlock,lockdown,yama,integrity ...
```
=== "Void Linux"
``` shell title="/etc/dracut.conf.d/cmdline.conf"
kernel_cmdline="... lsm=landlock,lockdown,yama,integrity ..."
```
### Landlock
Landlock (`landlock`) is an access-control system that enables any processes to securely restrict themselves and their future children, i.e. sandboxing.
@ -69,6 +85,12 @@ AppArmor is a security module that provides a simpler alternative to SELinux. It
sh# apk add apparmor apparmor-utils apparmor-profiles
```
and add it to the boot runlevel:
``` shell-session
sh# rc-update add apparmor boot
```
=== "Gentoo Linux"
``` shell-session
@ -81,12 +103,38 @@ and add it to the boot runlevel:
sh# rc-update add apparmor boot
```
=== "Void Linux"
``` shell-session
sh# xbps-install apparmor apparmor-utils apparmor-profiles
```
and add the service:
``` shell-session
sh# ln -s /etc/sv/apparmor /var/service
```
Add `apparmor` to the kernel `cmdline` to make it operational:
=== "Alpine Linux"
``` shell title="/etc/kernel-hooks.d/secureboot.conf"
cmdline="... lsm=...,apparmor apparmor=1 ..."
```
=== "Gentoo Linux"
``` shell title="/etc/kernel/cmdline"
... lsm=...,apparmor apparmor=1 ...
```
=== "Void Linux"
``` shell title="/etc/dracut.conf.d/cmdline.conf"
kernel_cmdline="... lsm=...,apparmor apparmor=1 ..."
```
Then reconfigure the `kernel`:
=== "Alpine Linux"
@ -101,6 +149,12 @@ Then reconfigure the `kernel`:
sh# emerge --config gentoo-kernel
```
=== "Void Linux"
``` shell-session
sh# xbps-reconfigure -f linux<version>
```
You can check the status of `apparmor` with `apparmor-utils`:
``` shell-session
@ -111,10 +165,24 @@ sh# aa-status
Boot parameters configure the bootloader to parse the relevant settings to the kernel at boot. Hardening the boot process will improve the overall security of the system. The listed boot parameters in this chapter can be parsed into the kernel `cmdline`:
=== "Alpine Linux"
``` shell title="/etc/kernel-hooks.d/secureboot.conf"
cmdline="... slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on ..."
```
=== "Gentoo Linux"
``` shell title="/etc/kernel/cmdline"
... slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on ...
```
=== "Void Linux"
``` shell title="/etc/dracut.conf.d/cmdline.conf"
kernel_cmdline="... slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on ..."
```
### Mitigations of system vulnerabilities
* The setting `slab_nomerge` disables [slab merging](https://en.wikipedia.org/wiki/Slab_allocation) which helps to protect against heap exploitation.
@ -275,6 +343,12 @@ The default memory allocator of `musl` is already reasonably secure but not as s
sh# emerge -a hardened-malloc
```
=== "Void Linux"
``` shell-session
sh# xbps-install hardened-malloc
```
and set it to system-wide edit:
``` shell title="/etc/ld-musl-x86_64.path"
@ -308,6 +382,12 @@ Improve the security of the system by increasing the entropy with the `jitterent
sh# emerge -a jitterentropy
```
=== "Void Linux"
``` shell-session
sh# xbps-install jitterentropy
```
and make sure that the module gets loaded:
``` shell title="/etc/modules-load.d/entropy.conf"