Unverified Commit ab612463 authored by nl6720

gitlab_runner: try to protect the VM runner kernel from the root user

Enable kernel lockdown in confidentiality mode to restrict how the root user can interact with the kernel.
See https://wiki.archlinux.org/title/Security#Kernel_lockdown_mode and https://man.archlinux.org/man/kernel_lockdown.7

This could prevent a scenario where a malicious kernel module, or access to some interface that kernel lockdown prevents, would allow or assist in escaping the KVM.
It is not very likely as there needs to be an exploitable vulnerability in the hypervisor.
To make it more secure, the host too would need to enable kernel lockdown.

In the end this may only give some sense of security, but, as we all know, that's all that matters anyway.
parent 4d8dfb6a
1 merge request: !617 gitlab_runner: try to protect the VM runner kernel from the root user
......@@ -37,6 +37,8 @@ arch-chroot mnt pacman -Sy --noconfirm --needed archlinux-keyring
arch-chroot mnt pacman -Syu --noconfirm --needed git git-lfs gitlab-runner
sed -E 's/^#(IgnorePkg *=)/\1 linux/' -i mnt/etc/pacman.conf
arch-chroot mnt userdel -r arch
sed 's/^\(GRUB_CMDLINE_LINUX=".*\)"$/\1 lockdown=confidentiality"/' -i mnt/etc/default/grub
arch-chroot mnt /usr/bin/grub-mkconfig -o /boot/grub/grub.cfg
install -d -m0700 mnt/root/.ssh
install -m0600 /etc/libvirt-executor/id_ed25519.pub mnt/root/.ssh/authorized_keys
rm -f mnt/etc/machine-id
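Review bot: the added `sed` on `mnt/etc/default/grub` fails silently if `GRUB_CMDLINE_LINUX="..."` is not present exactly in that form (commented out, absent, or with different quoting), so the image would be built without `lockdown=confidentiality` and nothing in the script would notice. Since the whole point of the change is that this flag ends up on the kernel command line, a check after the `sed` (or after `grub-mkconfig`) would make the build fail loudly instead, e.g. `grep -q 'lockdown=confidentiality' mnt/etc/default/grub` or `grep -q 'lockdown=confidentiality' mnt/boot/grub/grub.cfg`. Two smaller points: with the Arch default `GRUB_CMDLINE_LINUX=""` the substitution yields `GRUB_CMDLINE_LINUX=" lockdown=confidentiality"` (harmless leading space, but worth knowing when reading the result), and since the kernel is pinned via `IgnorePkg` two lines above, it is worth confirming once that the pinned kernel build actually enables the lockdown LSM, otherwise the parameter is accepted but has no effect.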