prevent kernel address space leak via dmesg or /proc files
Enable runtime sysctl hardening in order to avoid kernel addresses being disclosed via dmesg (in case the running kernel was built without that restriction) or via various /proc files. See https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings for further information. Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
parent
26707c0aeb
commit
5c62e47391
@ -5,7 +5,7 @@
|
|||
|
||||
name = setup
|
||||
version = 3.0
|
||||
release = 10
|
||||
release = 11
|
||||
arch = noarch
|
||||
|
||||
groups = Base Build System/Base
|
||||
|
@ -53,6 +53,8 @@ build
|
|||
%{BUILDROOT}%{sysconfdir}/sysctl.d/printk.conf
|
||||
install -m 644 %{DIR_APP}/sysctl/swappiness.conf \
|
||||
%{BUILDROOT}%{sysconfdir}/sysctl.d/swappiness.conf
|
||||
install -m 644 %{DIR_APP}/sysctl/kernel-hardening.conf \
|
||||
%{BUILDROOT}%{sysconfdir}/sysctl.d/kernel-hardening.conf
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
@ -0,0 +1,6 @@
|
|||
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
|
||||
kernel.kptr_restrict = 1
|
||||
|
||||
# Avoid kernel memory address exposures via dmesg.
|
||||
kernel.dmesg_restrict = 1
|
||||
|
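Review bot: The comment above `kernel.kptr_restrict = 1` does not say what the value actually hides, and `1` still shows real kernel addresses to any process holding CAP_SYSLOG (root shells reading /proc/kallsyms, for example), so the choice should be spelled out: `# 1 = addresses hidden from unprivileged users (CAP_SYSLOG still sees them); 2 = hidden from everyone, including root`. That is the value the KSPP page cited in the commit message recommends, but stating it explicitly stops a later editor from raising it to 2 (which breaks tooling that needs real addresses, such as perf or crash debugging) or lowering it without noticing the consequence. Likewise `kernel.dmesg_restrict = 1` only gates reading the ring buffer; anything logged before sysctl.d is applied at boot stays in the buffer, which is acceptable because unprivileged readers are now blocked, but a one-line note there would save the next reader the same question. As I recall, the linked KSPP list also carries further runtime sysctls (e.g. `kernel.yama.ptrace_scope`, `kernel.unprivileged_bpf_disabled`) that this file could host as a follow-up; whether they suit IPFire's workloads I cannot judge from this page.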