]> git.ipfire.org Git - ipfire-2.x.git/blobdiff - config/etc/sysctl.conf
projects / ipfire-2.x.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
sysctl.conf: prevent autoloading of TTY line disciplines
[ipfire-2.x.git] / config / etc / sysctl.conf
diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
index be7c07c857daafe58bbf67b11b4d026a54346a1a..832ad3d1c23ffa8f05a233cf09b7c5485cf9e386 100644 (file)
--- a/config/etc/sysctl.conf
+++ b/config/etc/sysctl.conf
@@ -39,6 +39,10 @@ net.bridge.bridge-nf-call-ip6tables = 0
 net.bridge.bridge-nf-call-iptables = 0
 net.bridge.bridge-nf-call-arptables = 0
 
+# Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent unprivileged attackers
+# from loading vulnerable line disciplines with the TIOCSETD ioctl.
+dev.tty.ldisc_autoload = 0
+
 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
 kernel.kptr_restrict = 2
 
@@ -103,3 +107,6 @@ net.ipv4.tcp_fastopen = 3
 # This protects against various TCP attacks, such as DoS against or injection
 # of arbitrary segments into prematurely closed connections.
 net.ipv4.tcp_rfc1337 = 1
+
+# Include PID in file names of generated core dumps
+kernel.core_uses_pid = 1
IPFire 2.x development tree