subgraph-os-issues
Few config options missing.
Hi,
I saw in the recent kernel config that there are a few Grsecurity/PaX options not set. Those might be handy to enable, since not everyone has SMAP on their CPU yet. I run older hardware, and even some newer ones don't have SMAP. These percentages are from the grsecurity wikibook: https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options
| CONFIG | Performance hit |
|---|---|
| CONFIG_PAX_MEMORY_STRUCTLEAK | Even less than STACKLEAK. |
| CONFIG_PAX_MEMORY_STACKLEAK | 1% on single CPU system. |
| CONFIG_PAX_MEMORY_SANITIZE | 3% performance hit on single CPU system. |
| CONFIG_PAX_MEMORY_UDEREF | Some virtualisation solutions can take a huge hit with security set. |
| CONFIG_GRKERNSEC_IO | No performance hit. |
| CONFIG_GRKERNSEC_NO_RBAC | If RBAC isn't going to be used it's better to turn this on to prevent any abuse, no performance hit. |
| CONFIG_GRKERNSEC_SYSFS_RESTRICT | Might not work with Wayland and/or systemd? |
| CONFIG_GRKERNSEC_TPE | Cool feature that can prevent things from executing everywhere, no performance hit. |
| CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE | Not sure what the performance hit is, but increased security if turned off. |
There is of course a trade-off for performance, but this could be solved with 2 kernels for people to choose from, for example in the installer or with a general apt install kernel-grsec-performance or kernel-grsec-security.
Offering more than one kernel is a great idea that we're already considering for other reasons (e.g. providing an 'airgap' kernel, etc). Thanks for the suggestion here, we'll take it seriously.