From ab612463a7ea119d4f0a34e9f2730b6c79cd7691 Mon Sep 17 00:00:00 2001
From: nl6720 <nl6720@gmail.com>
Date: Tue, 16 Aug 2022 14:12:59 +0300
Subject: [PATCH] gitlab_runner: try to protect the VM runner kernel from the
 root user

Enable kernel lockdown in confidentiality mode to restrict how the root user can interact with the kernel.
See https://wiki.archlinux.org/title/Security#Kernel_lockdown_mode and https://man.archlinux.org/man/kernel_lockdown.7

This could prevent a scenario where a malicious kernel module, or access to some interface that kernel lockdown blocks, would allow or assist in escaping the KVM.
It is not very likely as there needs to be an exploitable vulnerability in the hypervisor.
To make it more secure, the host too would need to enable kernel lockdown.

In the end this may only give some sense of security, but, as we all know, that's all that matters anyway.
---
 roles/gitlab_runner/files/libvirt-executor-update-base-image | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/roles/gitlab_runner/files/libvirt-executor-update-base-image b/roles/gitlab_runner/files/libvirt-executor-update-base-image
index ffd7d0afd..928cb04dc 100755
--- a/roles/gitlab_runner/files/libvirt-executor-update-base-image
+++ b/roles/gitlab_runner/files/libvirt-executor-update-base-image
@@ -37,6 +37,8 @@ arch-chroot mnt pacman -Sy --noconfirm --needed archlinux-keyring
 arch-chroot mnt pacman -Syu --noconfirm --needed git git-lfs gitlab-runner
 sed -E 's/^#(IgnorePkg *=)/\1 linux/' -i mnt/etc/pacman.conf
 arch-chroot mnt userdel -r arch
+sed 's/^\(GRUB_CMDLINE_LINUX=".*\)"$/\1 lockdown=confidentiality"/' -i mnt/etc/default/grub
+arch-chroot mnt /usr/bin/grub-mkconfig -o /boot/grub/grub.cfg
 install -d -m0700 mnt/root/.ssh
 install -m0600 /etc/libvirt-executor/id_ed25519.pub mnt/root/.ssh/authorized_keys
 rm -f mnt/etc/machine-id
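Review bot: The sed on the first added line fails silently when mnt/etc/default/grub has no `GRUB_CMDLINE_LINUX="…"` line ending in a double quote, so the image would be built without the hardening and the grub-mkconfig on the next line would still succeed; add `grep -q 'lockdown=confidentiality' mnt/etc/default/grub || exit 1` before regenerating grub.cfg. Whether the script runs under `set -e` is outside the hunk, but that would not help here because sed exits 0 on a non-matching substitution. The parameter only takes effect if the image's kernel ships the lockdown LSM, which the patch assumes rather than checks; a comment above the sed such as `# lockdown=confidentiality: restricts root's access to kernel internals, see kernel_lockdown(7)` would also make the intent visible to the next maintainer.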
-- 
GitLab