opensourcemirror
/
ipfire-3.x
mirror of git://git.ipfire.org/ipfire-3.x.git
1
0
Fork 0
Code Issues Releases Wiki Activity

prevent kernel address space leak via dmesg or /proc files 

Enable runtime sysctl hardening in order to avoid kernel
addresses being disclosed via dmesg (in case it was built
in without restrictions) or various /proc files.

See https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
for further information.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This commit is contained in:
Peter Müller 2019-01-03 18:05:40 +01:00 committed by Michael Tremer
parent 26707c0aeb
commit 5c62e47391
2 changed files with 9 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
setup/setup.nm
View File

@ -5,7 +5,7 @@
name = setup
version = 3.0
release = 10
release = 11
arch = noarch
groups = Base Build System/Base
@ -53,6 +53,8 @@ build
%{BUILDROOT}%{sysconfdir}/sysctl.d/printk.conf
install -m 644 %{DIR_APP}/sysctl/swappiness.conf \
%{BUILDROOT}%{sysconfdir}/sysctl.d/swappiness.conf
install -m 644 %{DIR_APP}/sysctl/kernel-hardening.conf \
%{BUILDROOT}%{sysconfdir}/sysctl.d/kernel-hardening.conf
end
end

6
setup/sysctl/kernel-hardening.conf Normal file
View File

@ -0,0 +1,6 @@
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
kernel.kptr_restrict = 1
# Avoid kernel memory address exposures via dmesg.
kernel.dmesg_restrict = 1