sysctl.conf: prevent autoloading of TTY line disciplines

author Michael Tremer <michael.tremer@ipfire.org>

Tue, 6 Apr 2021 10:13:38 +0000 (10:13 +0000)

committer Michael Tremer <michael.tremer@ipfire.org>

Tue, 6 Apr 2021 10:13:38 +0000 (10:13 +0000)
author Michael Tremer <michael.tremer@ipfire.org>
Tue, 6 Apr 2021 10:13:38 +0000 (10:13 +0000)
committer Michael Tremer <michael.tremer@ipfire.org>
Tue, 6 Apr 2021 10:13:38 +0000 (10:13 +0000)
diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf

index c9b4c092af55df80e5555a386c54308912b56ecf..832ad3d1c23ffa8f05a233cf09b7c5485cf9e386 100644 (file)
--- a/config/etc/sysctl.conf
+++ b/config/etc/sysctl.conf
@@ -39,6 +39,10 @@ net.bridge.bridge-nf-call-ip6tables = 0
  net.bridge.bridge-nf-call-iptables = 0
  net.bridge.bridge-nf-call-arptables = 0
  
+# Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent unprivileged attackers
+# from loading vulnerable line disciplines with the TIOCSETD ioctl.
+dev.tty.ldisc_autoload = 0
+
  # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
  kernel.kptr_restrict = 2
author	Michael Tremer <michael.tremer@ipfire.org>
	Tue, 6 Apr 2021 10:13:38 +0000 (10:13 +0000)
committer	Michael Tremer <michael.tremer@ipfire.org>
	Tue, 6 Apr 2021 10:13:38 +0000 (10:13 +0000)