* Self introduction
@ 2021-09-19 20:44 Tad
  0 siblings, 0 replies; 2+ messages in thread
From: Tad @ 2021-09-19 20:44 UTC (permalink / raw)
  To: kernel-hardening; +Cc: linux-hardening

Hello!
My name is Tad.

I have had a few personal projects over the past five or so years for making
kernel hardening features available to more users.

My main project is DivestOS, which provides more secure images for older/legacy
Android devices.
I harden all device kernels via the following:
 * My automatic CVE checker/patcher program [1]. It is able to apply many dozen
   to many hundred CVE patches to trees. It is backed by an extensive versioned
   list [2] of CVE patches that I originally maintained by hand. In the past
   year or so I pull them in using a scraper I made for the CIP scripts [3].
 * My hardenDefconfig function [4], inspired by the KSPP recommendations and
   later Popov's kconfig-hardened-check. It simply enables and disables various
   options.
 * My hardenBootArgs function [5], currently just enables slub_debug=FZP for
   devices.
 * Some misc tweaks [6], currently for disabling slub/slab merging.
 * And lastly some sysctl tweaks [7].

I also maintain another project for providing some extra security to modern
distros, without recompilation.
It is called Brace [8] and is compatible with Arch/Fedora/Debian/OpenSUSE.
In the kernel relations, it is mostly just sysctl [9] changes and kernel
commandline [10] changes.

Lastly some background:
Micay inspired me to work on this area back in mid-2015, after he helped me port
his Android PaX patchset to the OnePlus One phone [11].

Sharing for any comments.
Also most of you are likely working on mainline, not ancient kernels, so maybe
you'll find this interesting.

Best regards,
Tad.

[1] https://gitlab.com/divested-mobile/cve_checker
[2] https://gitlab.com/divested-mobile/kernel_patches/-/blob/master/Kernel_CVE_Patch_List.txt
[3] https://gitlab.com/cip-project/cip-kernel/cip-kernel-sec
[4] https://gitlab.com/divested-mobile/divestos-build/-/blob/e7dd0af4/Scripts/Common/Functions.sh#L657
[5] https://gitlab.com/divested-mobile/divestos-build/-/blob/e7dd0af4/Scripts/Common/Functions.sh#L493
[6] https://gitlab.com/divested-mobile/divestos-build/-/blob/e7dd0af4/Scripts/Common/Post.sh#L28
[7] https://gitlab.com/divested-mobile/divestos-build/-/blob/e7dd0af4/Patches/LineageOS-18.1/android_system_core/0001-Harden.patch
[8] https://gitlab.com/divested/brace
[9] https://gitlab.com/divested/brace/-/blob/1e4975c9/brace/usr/lib/sysctl.d/60-restrict.conf
[10] https://gitlab.com/divested/brace/-/blob/1e4975c9/brace/usr/bin/brace-supplemental-changes#L33
[11] https://divestos.org/images/screenshots/CopperheadOS-bacon.png
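
An added example, not part of the original message and not DivestOS or Brace code: a POSIX shell check that a kernel command line carries the slub_debug=FZP setting mentioned above and disables slab merging. It assumes merging is disabled with the slab_nomerge (or legacy slub_nomerge) boot parameter; the function name and the sample command lines are constructed here.

```shell
#!/bin/sh
# Added example: not DivestOS or Brace code. Audits a kernel command line
# for slub_debug flags F (sanity checks), Z (red zoning), P (poisoning)
# and for slab merging being disabled. Returns 0 only if all are present.
audit_slab_cmdline() {
    _flags="" _scoped=0 _nomerge=0 _rc=0
    set -f                          # no globbing while word-splitting $1
    for _arg in $1; do
        case $_arg in
            slub_debug)             # bare option enables the default debug set
                _flags=FZPU; _scoped=0 ;;
            slub_debug=*)
                _val=${_arg#slub_debug=}
                _flags=${_val%%,*}  # text after a comma names specific caches
                case $_val in *,*) _scoped=1 ;; *) _scoped=0 ;; esac ;;
            slab_nomerge|slub_nomerge)  # assumption: merging is disabled via cmdline
                _nomerge=1 ;;
        esac
    done
    set +f
    # The kernel parses the flag letters case-insensitively.
    _flags=$(printf '%s' "$_flags" | tr 'a-z' 'A-Z')
    for _want in F Z P; do
        case $_flags in
            *"$_want"*) ;;
            *) echo "MISSING slub_debug flag $_want"; _rc=1 ;;
        esac
    done
    [ "$_scoped" -eq 0 ] || { echo "WARN slub_debug limited to named caches"; _rc=1; }
    [ "$_nomerge" -eq 1 ] || { echo "MISSING slab_nomerge"; _rc=1; }
    return "$_rc"
}

# Constructed sample command lines (not taken from any device).
SAMPLE_HARDENED="console=ttyMSM0 slub_debug=FZP slab_nomerge"
SAMPLE_WEAK="console=ttyMSM0 slub_debug=FZ,kmalloc-64"

audit_slab_cmdline "$SAMPLE_HARDENED" && echo "hardened sample: OK"
audit_slab_cmdline "$SAMPLE_WEAK" || echo "weak sample: findings above"
```

On a running system the same function can be fed the live value with `audit_slab_cmdline "$(cat /proc/cmdline)"`.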


* Self Introduction
@ 2014-01-07 19:57 Ganessh Kumar R P
  0 siblings, 0 replies; 2+ messages in thread
From: Ganessh Kumar R P @ 2014-01-07 19:57 UTC (permalink / raw)
  To: kernelnewbies

Hello guys,

I have a fair knowledge of the kernel after a course on Operating Systems as
part of my undergrad and hands-on work building the kernel from source code. I
want to start contributing to small projects. If anyone needs some
assistance or has small work lying around, please point it to me.

Any guidance or pointers will be helpful. I will also be active in the IRC
channel.

Thanks,
Ganessh