]> git.ipfire.org Git - people/pmueller/ipfire-2.x.git/commitdiff
projects / people / pmueller / ipfire-2.x.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: a65d07e)
hide kernel addresses in /proc
authorPeter Müller <peter.mueller@link38.eu>
Sat, 30 Jun 2018 09:44:06 +0000 (11:44 +0200)
committerMichael Tremer <michael.tremer@ipfire.org>
Tue, 3 Jul 2018 09:32:56 +0000 (10:32 +0100)
Make sure kernel address space is hidden from files somewhere
in /proc . This reduces attack surface and partially addresses #11659.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
config/etc/sysctl.conf patch | blob | blame | history

diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
index f3897c3c79d12b536e5418967ca0b4fdadd539f5..011c4287ea04f7194548ac9a27e88b9e2701bf53 100644 (file)
--- a/config/etc/sysctl.conf
+++ b/config/etc/sysctl.conf
@@ -42,3 +42,9 @@ net.netfilter.nf_conntrack_acct=1
 net.bridge.bridge-nf-call-ip6tables = 0
 net.bridge.bridge-nf-call-iptables = 0
 net.bridge.bridge-nf-call-arptables = 0
+
+# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
+kernel.kptr_restrict = 1
+
+# Avoid kernel memory address exposures via dmesg.
+kernel.dmesg_restrict = 1
Peter's tree of IPFire 2.x