Implement secureblue hardening features

The Linux OS secureblue has some significant security hardening features that I believe would be worth considering for OpenWrt:

hardened_malloc comes from GrapheneOS, and is implemented in secureblue as well as @anon80358587's Brace toolkit. It is described by GrapheneOS as

"a security-focused general purpose memory allocator leveraging modern hardware capabilities to provide substantial defenses against the most common classes of vulnerabilities (heap memory corruption) along with reducing the lifetime of sensitive data in memory."

More of secureblue's features:

OpenWrt doesn't use systemd, so sudo-rs would be a better replacement

  • Remove the unmaintained and suid-root fuse2 by default.
  • Disable unprivileged user namespaces by default for the unconfined SELinux domain and the container SELinux domain
  • Prohibit ptrace attachment by default.
  • Disable all ports and services for firewalld

In this case, it would be awall

  • Use HTTPS for all rpm mirrors.

In this case, maybe use HTTPS for all apk mirrors

  • Set all default container policies to reject, signedBy, or sigstoreSigned.
  • Disable coredumps.
  • Blacklist numerous unused kernel modules to reduce attack surface.

Maybe re-read your list of features and reconsider which of those would actually apply to OpenWrt, particularly in a default install.


Thanks for the feedback. I've re-evaluated the features once more and have excluded all those that I know don't apply to OpenWrt.

Feel free to let me know if there are any more features I should exclude.

Mmmh, on OpenWrt you are by default root, so I am unsure how this is going to help...


Yeah, I don't think this would be as helpful as some of the other changes, but I heard

The principle of least privilege applies to everything, not just sandboxed applications.

an attack vector isn't justified by the existence of others

But OpenWrt does not use SELinux...

I know, I just meant to say that reducing attack surface can help regardless of running as root by default. I'll edit my previous reply a bit.

Let's start with the fact that the SELinux equivalent is ujail (a namespace filter like Docker), enabled for critical daemons.

Sysctls should be evaluated as to whether they have any effect on the only function OpenWrt performs, packet forwarding, and whether the defaults are not already safe.

malloc hardening comes at a huge memory access performance penalty, particularly on embedded systems where memory speed is the bottleneck.

In addition, the "repo index" is signature-checked, unlike a default rpm installation.

There might be something to be gained by tuning sysctls further. I haven't looked into that. Disabling coredumps might also be worth considering. OpenWrt packages Chrony and, assuming it supports NTS, you could simply use that instead of the default ntp applet if NTS matters to you. run0 implies systemd and you probably don't want to go that route. OpenWrt does have SELinux, but it is opt-in because it's potentially labor intensive.

OpenWrt is pretty good. By default it has a very specific purpose and profiles for specific targets which means that less code is needed which means smaller attack surface. I would not compare OpenWrt to a general purpose desktop or server.

Please do the research before writing the next paragraph.

Done. There is a chrony-nts package.


There is a problem with the bulldozing approach: there are many platforms not supporting kernel audit to collect SELinux backscatter, or having 8MB flash where chrony plainly does not fit.

But if you filter and match what does not consume extra resources, you'll be getting somewhere…


One example (found digging up ruleset features lost in fw3→fw4 transition, not random internet articles) https://github.com/openwrt/openwrt/pull/18895

Could you review ip-sysctl.html from mainline? I think some bits hide in there…
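The sysctl evaluation suggested above, and the ip-sysctl review asked for at the end, can be started with a small audit script that compares a sysctl tree against a list of expected values and reports knobs a given platform does not expose at all. This is an added example, not code from the thread or from OpenWrt; the expected values and the fixture contents are assumptions constructed for illustration, so adjust the list to what your platform and testing actually support.

```shell
# Added example (not from the thread): audit a few net.ipv4 sysctls that matter on a
# packet-forwarding router. Takes a sysctl tree root, so it runs against /proc/sys or a fixture.

# Expected values as "path=value" under /proc/sys. These are settings commonly
# recommended for a forwarding device; assumptions for this example, not OpenWrt defaults.
SYSCTL_EXPECTED="
net/ipv4/ip_forward=1
net/ipv4/conf/all/accept_source_route=0
net/ipv4/conf/all/accept_redirects=0
net/ipv4/conf/all/rp_filter=1
net/ipv4/icmp_echo_ignore_broadcasts=1
net/ipv4/tcp_syncookies=1
"

# audit_sysctls ROOT: print DEVIATION/MISSING lines; MISSING covers kernels or
# platforms that simply do not expose a given knob.
audit_sysctls() {
    root=$1
    for pair in $SYSCTL_EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        if [ ! -r "$root/$key" ]; then
            echo "MISSING $key"
            continue
        fi
        have=$(cat "$root/$key")
        [ "$have" = "$want" ] || echo "DEVIATION $key current=$have expected=$want"
    done
    return 0
}
# count_deviations ROOT: number of DEVIATION lines (0 when everything matches).
count_deviations() {
    audit_sysctls "$1" | grep -c '^DEVIATION' || true
}
# make_fixture DIR: constructed sample tree with two weak settings and one missing knob.
make_fixture() {
    for pair in $SYSCTL_EXPECTED; do
        key=${pair%%=*}
        mkdir -p "$1/$(dirname "$key")"
        echo "${pair#*=}" > "$1/$key"
    done
    echo 1 > "$1/net/ipv4/conf/all/accept_redirects"   # redirects accepted
    echo 0 > "$1/net/ipv4/conf/all/rp_filter"          # no reverse-path check
    rm -f "$1/net/ipv4/icmp_echo_ignore_broadcasts"    # knob absent on this 'platform'
}
# Stand-alone run: audit the constructed fixture, then the live tree if present.
demo=$(mktemp -d) && make_fixture "$demo" && audit_sysctls "$demo" && rm -rf "$demo"
[ -d /proc/sys ] && audit_sysctls /proc/sys
```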