prevent kernel address space leak via dmesg or /proc files
authorPeter Müller <peter.mueller@link38.eu>
Thu, 3 Jan 2019 17:05:40 +0000 (18:05 +0100)
committerMichael Tremer <michael.tremer@ipfire.org>
Thu, 3 Jan 2019 16:31:52 +0000 (16:31 +0000)
Enable runtime sysctl hardening in order to avoid kernel
addresses being disclosed via dmesg (in case the kernel was
built without restrictions) or various /proc files.

See https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
for further information.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
setup/setup.nm
setup/sysctl/kernel-hardening.conf [new file with mode: 0644]

index 78d1a5df342daf817f3d42249a158fd5b993805f..e79fff10d87a1578d70754f3a1143dfcb9b6dde6 100644 (file)
@@ -5,7 +5,7 @@
 
 name       = setup
 version    = 3.0
-release    = 10
+release    = 11
 arch       = noarch
 
 groups     = Base Build System/Base
@@ -53,6 +53,8 @@ build
                        %{BUILDROOT}%{sysconfdir}/sysctl.d/printk.conf
                install -m 644 %{DIR_APP}/sysctl/swappiness.conf \
                        %{BUILDROOT}%{sysconfdir}/sysctl.d/swappiness.conf
+               install -m 644 %{DIR_APP}/sysctl/kernel-hardening.conf \
+                       %{BUILDROOT}%{sysconfdir}/sysctl.d/kernel-hardening.conf
        end
 end
 
diff --git a/setup/sysctl/kernel-hardening.conf b/setup/sysctl/kernel-hardening.conf
new file mode 100644 (file)
index 0000000..6751bbe
--- /dev/null
@@ -0,0 +1,6 @@
+# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
+kernel.kptr_restrict = 1
+
+# Avoid kernel memory address exposures via dmesg.
+kernel.dmesg_restrict = 1
+
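Review bot: The comment on the kptr_restrict line overstates what the value 1 does: with `kernel.kptr_restrict = 1` pointers printed through %pK (e.g. in /proc/kallsyms and /proc/modules) are hidden only from readers without CAP_SYSLOG, so root-owned tooling still sees them, whereas 2 hides them from everyone. I would make the comment state that trade-off explicitly, e.g. `# Hide %pK kernel pointers (/proc/kallsyms, /proc/modules, ...) from readers without CAP_SYSLOG; 2 would hide them from everyone, including root.` Likewise the dmesg_restrict comment should say that 1 makes reading the kernel log (the dmesg command, /dev/kmsg) require CAP_SYSLOG, since that is the operational effect an admin will notice. The KSPP page cited in the description lists further sysctls beyond these two; whether any of them are intended for a later change is not visible here.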