From 373590b7c3fb00e60d928b1b660105d4473536e1 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Peter=20M=C3=BCller?=
Date: Sat, 30 Jun 2018 11:44:06 +0200
Subject: [PATCH] hide kernel addresses in /proc
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Make sure kernel address space is hidden from files somewhere in /proc . This reduces attack surface and partially addresses #11659.

Signed-off-by: Peter Müller
Signed-off-by: Michael Tremer
---
 config/etc/sysctl.conf | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
index f3897c3c79..011c4287ea 100644
--- a/config/etc/sysctl.conf
+++ b/config/etc/sysctl.conf
@@ -42,3 +42,9 @@ net.netfilter.nf_conntrack_acct=1
 net.bridge.bridge-nf-call-ip6tables = 0
 net.bridge.bridge-nf-call-iptables = 0
 net.bridge.bridge-nf-call-arptables = 0
+
+# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
+kernel.kptr_restrict = 1
+
+# Avoid kernel memory address exposures via dmesg.
+kernel.dmesg_restrict = 1
-- 
2.39.5
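Review bot: `kernel.kptr_restrict = 1` hides kernel pointers only from processes without CAP_SYSLOG and only in %pK-formatted output, so privileged readers of /proc/kallsyms and similar files still see real addresses; the comment above it reads as if the addresses are hidden from everyone. If that is the intent, `kernel.kptr_restrict = 2` is the stronger value, at the cost of breaking tooling that needs symbol addresses (perf, some tracing setups), so the choice should be stated in the comment, e.g. `# 1 = hidden from unprivileged users only; 2 = hidden from all users (breaks perf/tracing)`. The same applies to `kernel.dmesg_restrict = 1`, which gates dmesg on CAP_SYSLOG rather than scrubbing the ring buffer. Both settings take effect only when sysctl.conf is loaded, so already-running installations need a `sysctl -p` or reboot, which the commit message could mention.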