Bug 12361 (KERNSEC)

Summary: Umbrella bug for hardening kernel and sysctls in detail
Product: IPFire
Reporter: Peter Müller <peter.mueller>
Component: ---
Assignee: Peter Müller <peter.mueller>
Status: ASSIGNED
QA Contact: Arne.F <arne.fitzenreiter>
Severity: Security
Priority: Will affect all users
CC: arne.fitzenreiter, michael.tremer
Version: 2
Keywords: Security, Umbrella
Hardware: all
OS: All
Bug Depends on: 12375, 12362, 12363, 12364, 12365, 12366, 12367, 12368, 12369, 12370, 12371, 12372, 12373, 12374, 12376, 12377, 12378, 12379, 12380, 12381, 12382, 12383, 12384, 12430, 12431, 12432, 12433, 12434
Bug Blocks:

Description Peter Müller 2020-04-14 15:10:28 UTC
This is an umbrella bug for discussing/changing each kernel setting and some sysctls with security impact. Since those most likely need to be discussed one by one, opening up an umbrella issue for this makes sense to me.
Comment 1 Michael Tremer 2020-06-10 08:32:48 UTC
I would like to propose postponing the merge of all these patches:

1) They are all mostly untested, especially on the more fragile architectures, and we have no idea what the problems will be. We are *days* before a new kernel scheduled to be released and I do not feel comfortable with merging some of them without *months* of testing.

2) I do not want to delay Core Update 146. We already have a massive amount of patches on the list that need to be reviewed, tested and released. Core Update 146 cannot have them because we wanted a kernel-only release that was small and therefore easy to test and quick to release.

3) We have as of today received another bunch of hardware vulnerabilities on Intel processors. The mitigations for those should be released ASAP.

Anyone in favour? Objections?
Comment 2 Peter Müller 2020-06-10 09:10:10 UTC
Ultimately, I agree. Indeed, especially the patches and patchsets handed in
yesterday evening are untested, as I wanted to send them to the list before
being unavailable for some time, so we could ship at least some of them in
Core Update 146.

As of yesterday evening, it is very unlikely that this will be possible without
delaying Core Update 146 too much. I have totally underestimated the complexity
and effort required for this topic. Nevertheless, it seems to be most important
to me.

If I may suggest something: Let's pack as many patches into Core Update 146
as possible, if this can be done within the next days and is unlikely to break
anything. We will have to ship kernels later either way, and can include the
rest of those hardening patches then - if needed, one at a time.

As they say: "Good security is expensive. Bad security is unaffordable." :-)