Commits on Source (3)
-
nl6720 authored
Enable kernel lockdown in confidentiality mode to restrict how the root user can interact with the kernel. See https://wiki.archlinux.org/title/Security#Kernel_lockdown_mode and https://man.archlinux.org/man/kernel_lockdown.7 This could prevent a scenario where a malicious kernel module or access to some interface that kernel lockdown prevents, would allow or assist in escaping the KVM. It is not very likely as there needs to be an exploitable vulnerability in the hypervisor. To make it more secure, the host too would need to enable kernel lockdown. In the end this may only give some sense of security, but, as we all know, that's all that matters anyway.
-
Kristian Klausen authored
gitlab_runner: try to protect the VM runner kernel from the root user See merge request !617
-
Kristian Klausen authored
The default (40KB) isn't enough for all patches. Fixes: 4d8dfb6a ("mailman: Third batch of mailman3 migrated lists")