From: Peter Müller <peter.mueller@link38.eu>
Date: Thu, 16 Aug 2018 15:29:58 +0000 (+0200)
Subject: do not expose kernel address spaces even to privileged users
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d5fe33228311d47490536bee370297a7c735f9d6;p=people%2Fms%2Fipfire-2.x.git

do not expose kernel address spaces even to privileged users

Change this setting from 1 to 2 so kernel addresses are not
displayed even if a user has CAPS_SYSLOG privileges.

See also:
- https://lwn.net/Articles/420403/
- https://tails.boum.org/contribute/design/kernel_hardening/

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---

diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
index 011c4287ea..345f8f52a4 100644
--- a/config/etc/sysctl.conf
+++ b/config/etc/sysctl.conf
@@ -44,7 +44,7 @@ net.bridge.bridge-nf-call-iptables = 0
 net.bridge.bridge-nf-call-arptables = 0
 
 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
-kernel.kptr_restrict = 1
+kernel.kptr_restrict = 2
 
 # Avoid kernel memory address exposures via dmesg.
 kernel.dmesg_restrict = 1