From: Peter Müller Date: Sat, 30 Jun 2018 09:44:06 +0000 (+0200) Subject: hide kernel addresses in /proc X-Git-Tag: v2.21-core123~76^2~7 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=373590b7c3fb00e60d928b1b660105d4473536e1;p=people%2Fstevee%2Fipfire-2.x.git hide kernel addresses in /proc Make sure kernel address space is hidden from files somewhere in /proc . This reduces attack surface and partially addresses #11659. Signed-off-by: Peter Müller Signed-off-by: Michael Tremer --- diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf index f3897c3c79..011c4287ea 100644 --- a/config/etc/sysctl.conf +++ b/config/etc/sysctl.conf @@ -42,3 +42,9 @@ net.netfilter.nf_conntrack_acct=1 net.bridge.bridge-nf-call-ip6tables = 0 net.bridge.bridge-nf-call-iptables = 0 net.bridge.bridge-nf-call-arptables = 0 + +# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). +kernel.kptr_restrict = 1 + +# Avoid kernel memory address exposures via dmesg. +kernel.dmesg_restrict = 1
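Review bot: the comment above `kernel.kptr_restrict = 1` overstates what the setting does, since with a value of 1 the kernel only zeroes `%pK` addresses for users lacking CAP_SYSLOG, so a root shell still reads the real addresses from /proc/kallsyms and /proc/modules; a value of 2 hides them unconditionally. Either raise the value to 2 or reword the comment to say "hide kernel pointers from unprivileged users", so the file documents the actual protection the commit claims to "partially address" in #11659. The `kernel.dmesg_restrict = 1` line is fine as described: it gates the kernel log behind CAP_SYSLOG and is the right companion, because kptr_restrict alone does not stop raw addresses already printed with `%p` or `%px` from reaching dmesg.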