From 56d280da8a03edb3e641d0c7ad835aa04b9ed0e2 Mon Sep 17 00:00:00 2001
From: Dara Adib
Date: Thu, 23 Jul 2020 23:14:15 -0400
Subject: [PATCH 1/3] Lock down kernel on buster

Disable some kernel features: module loading after boot, kexec, Berkeley Packet Filter (BPF). Also install cloud kernel image on VMs which removes some hardware support. Benefits: slightly faster boot and reduced attack surface.
---
 modules/ocf/manifests/packages.pp | 1 +
 modules/ocf/manifests/packages/kernel.pp | 22 ++++++++++++++++++++++
 2 files changed, 23 insertions(+)
 create mode 100644 modules/ocf/manifests/packages/kernel.pp
diff --git a/modules/ocf/manifests/packages.pp b/modules/ocf/manifests/packages.pp
index fa4f3cabb..6dd0604b5 100644
--- a/modules/ocf/manifests/packages.pp
+++ b/modules/ocf/manifests/packages.pp
@@ -11,6 +11,7 @@
 include ocf::packages::git
 include ocf::packages::grub
 include ocf::packages::helm
+ include ocf::packages::kernel
 include ocf::packages::ldapvi
 include ocf::packages::ntp
 include ocf::packages::postfix
diff --git a/modules/ocf/manifests/packages/kernel.pp b/modules/ocf/manifests/packages/kernel.pp
new file mode 100644
index 000000000..322edc411
--- /dev/null
+++ b/modules/ocf/manifests/packages/kernel.pp
@@ -0,0 +1,22 @@
+class ocf::packages::kernel {
+ if $::lsbdistcodename != 'stretch' {
+ # Disable some kernel features: module loading after boot, kexec,
+ # Berkeley Packet Filter (BPF). Not to be confused with the lockdown
+ # security module introduced with Linux 5.4, which imposes similar
+ # restrictions.
+ package { 'lockdown': }
+
+ if $::is_virtual {
+ # Install cloud kernel image which removes some hardware support.
+ # Benefits: slightly faster boot and reduced attack surface.
+ package{ "linux-image-cloud-${::architecture}": }
+
+ # Remove existing kernel meta-package. The actual kernel is its
+ # dependency which should be autoremoved.
+ package{ "linux-image-${::architecture}":
+ ensure => purged,
+ require => Package["linux-image-cloud-${::architecture}"],
+ }
+ }
+ }
+}
From 83c9ee0f684d29345791251ea59f76248ea138ab Mon Sep 17 00:00:00 2001
From: Dara Adib
Date: Tue, 28 Jul 2020 15:53:50 -0400
Subject: [PATCH 2/3] Replace lockdown with hardening-runtime

---
 modules/ocf/manifests/browser_sandbox.pp | 4 ++--
 modules/ocf/manifests/packages/kernel.pp | 26 +++++++++++++++++++-----
 2 files changed, 23 insertions(+), 7 deletions(-)
diff --git a/modules/ocf/manifests/browser_sandbox.pp b/modules/ocf/manifests/browser_sandbox.pp
index 4481d1a9e..c9cc00326 100644
--- a/modules/ocf/manifests/browser_sandbox.pp
+++ b/modules/ocf/manifests/browser_sandbox.pp
@@ -13,9 +13,9 @@
 # defense in depth, but not critical. See
 # .
 'kernel.unprivileged_userns_clone':
- value => '1';
+ ensure => absent;
 # Enable ptrace protection. Only allow ptrace from a parent process to its
- # children or via CAP_SYS_PTRACE.
+ # children or via CAP_SYS_PTRACE. This is also set by hardening-runtime.
 'kernel.yama.ptrace_scope':
 value => '1';
 }
diff --git a/modules/ocf/manifests/packages/kernel.pp b/modules/ocf/manifests/packages/kernel.pp
index 322edc411..e9d167667 100644
--- a/modules/ocf/manifests/packages/kernel.pp
+++ b/modules/ocf/manifests/packages/kernel.pp
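Review bot: Purging the `linux-image-${::architecture}` meta-package only removes the meta-package; the comment says the real kernel "should be autoremoved", but nothing in this class runs an autoremove, so the non-cloud kernel image stays installed (and presumably still bootable) until someone cleans it up by hand, and the attack-surface reduction from the cloud image is not realised until the host reboots into it. Consider stating that in the comment, e.g. `# An apt autoremove and a reboot are still needed before the cloud kernel is the running one.`, or adding the autoremove step explicitly next to the purge. The `require` only orders the install before the purge; it says nothing about which kernel is actually running. Patch 2 of this series rewrites the comment block above but leaves these lines untouched.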
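Review bot: Changing `kernel.unprivileged_userns_clone` to `ensure => absent` only stops Puppet from managing the key, and the unchanged comment above it (outside the hunk) still explains why the value was enabled as defense in depth, so it now reads as stale given that the kernel.pp change in this same series says hardening-runtime disables user namespaces. If the browser sandbox depends on unprivileged user namespaces it will stop working once that sysctl is applied — worth confirming on a host before rollout and recording in the comment, e.g. `# Left unmanaged: hardening-runtime disables unprivileged user namespaces; the sandbox must work without them.` Dropping the entry also does not reset the running value, so presumably hosts keep the old setting until hardening-runtime's sysctl configuration is loaded or they reboot. The enclosing `sysctl` resource starts outside the hunk.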
@@ -1,10 +1,26 @@
 class ocf::packages::kernel {
 if $::lsbdistcodename != 'stretch' {
- # Disable some kernel features: module loading after boot, kexec,
- # Berkeley Packet Filter (BPF). Not to be confused with the lockdown
- # security module introduced with Linux 5.4, which imposes similar
- # restrictions.
- package { 'lockdown': }
+ # Harden kernel using kernel command line options and sysctl settings
+ # recommended by the Kernel Self Protection Project:
+ # https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
+ # Tails makes similar changes:
+ # https://tails.boum.org/contribute/design/kernel_hardening/
+ # kernel command line changes - potential performance impact:
+ # * always enable kernel address space layout randomization (KASLR)
+ # * always enable kernel page-table isolation (PTI, formerly KAISER)
+ # * wipe slab and page allocations and enable sanity checks
+ # * disable simultaneous multithreading (SMT) aka hyperthreading (HT)
+ # sysctl changes:
+ # * disable kexec
+ # * restrict ptrace access to parent processes
+ # * disable user namespaces
+ # currently breaks systemd services specifying PrivateUsers=yes,
+ # such as upower on bullseye, see
+ # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959884
+ # * disable unprivileged Berkeley Packet Filter (BPF) access
+ # For bullseye, also consider enabling the lockdown security module
+ # introduced with Linux 5.4.
+ package { 'hardening-runtime': }
 
 if $::is_virtual {
 # Install cloud kernel image which removes some hardware support.
From 0eb320653ad0e21266f3c63614e2902d7fd23775 Mon Sep 17 00:00:00 2001
From: "Ja (Thanakul) Wattanawong"
Date: Wed, 29 Jul 2020 00:47:04 -0700
Subject: [PATCH 3/3] Update Jenkinsfile
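Review bot: The new comment block says the hardening is delivered through kernel command line options, but nothing in the class handles the reboot those require, so a host that receives `hardening-runtime` keeps running on its previous command line until it is next rebooted, while the sysctl part presumably applies as soon as the package's sysctl configuration is loaded; that split is not documented. Suggest adding `# Command line changes only take effect after the next reboot; sysctl changes apply once the package's sysctl config is loaded.` to the comment, and if the fleet has a reboot-required mechanism, consider wiring this package into it. The "disable SMT" bullet deserves a note on the expected capacity impact, since it typically halves the logical CPU count on hyperthreaded hosts, which is the kind of change people want to see before the package lands. The `if $::is_virtual` block continues outside the hunk.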