gitlab_runner: try to protect the VM runner kernel from the root user (!617) · Merge requests · Arch Linux / infrastructure · GitLab

Due to an influx of spam, we have had to temporarily disable account registrations. Please write an email to accountsupport@archlinux.org, with your desired username, if you want to get access. Sorry for the inconvenience.

nl6720 requested to merge nl6720/infrastructure:vm_runner-lockdown into master Aug 16, 2022

Enable kernel lockdown in confidentiality mode to restrict how the root user can interact with the kernel.

See https://wiki.archlinux.org/title/Security#Kernel_lockdown_mode and https://man.archlinux.org/man/kernel_lockdown.7.

This may or may not improve ~security.