From d5fe33228311d47490536bee370297a7c735f9d6 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Peter=20M=C3=BCller?= Date: Thu, 16 Aug 2018 17:29:58 +0200 Subject: [PATCH] do not expose kernel address spaces even to privileged users MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Change this setting from 1 to 2 so kernel addresses are not displayed even if a user has CAPS_SYSLOG privileges. See also: - https://lwn.net/Articles/420403/ - https://tails.boum.org/contribute/design/kernel_hardening/ Signed-off-by: Peter Müller Signed-off-by: Michael Tremer --- config/etc/sysctl.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf index 011c4287ea..345f8f52a4 100644 --- a/config/etc/sysctl.conf +++ b/config/etc/sysctl.conf @@ -44,7 +44,7 @@ net.bridge.bridge-nf-call-iptables = 0 net.bridge.bridge-nf-call-arptables = 0 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). -kernel.kptr_restrict = 1 +kernel.kptr_restrict = 2 # Avoid kernel memory address exposures via dmesg. kernel.dmesg_restrict = 1 -- 2.39.5