prevent kernel address space leak via dmesg or /proc files kernel-hardening
authorPeter Müller <peter.mueller@ipfire.org>
Sun, 2 Dec 2018 16:26:17 +0000 (17:26 +0100)
committerPeter Müller <peter.mueller@ipfire.org>
Sun, 2 Dec 2018 16:26:17 +0000 (17:26 +0100)
Enable runtime sysctl hardening in order to avoid kernel
addresses being disclosed via dmesg (in case the kernel was
built without such restrictions) or via various /proc files.

See https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
for further information.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
setup/setup.nm
setup/sysctl/hardening.conf [new file with mode: 0644]

index dad72ae0b1296ade59e3a6224cabb53706dd3880..a5a65aebe32adf6da23058363a2de3962c206064 100644 (file)
@@ -53,6 +53,8 @@ build
                        %{BUILDROOT}%{sysconfdir}/sysctl.d/printk.conf
                install -m 644 %{DIR_APP}/sysctl/swappiness.conf \
                        %{BUILDROOT}%{sysconfdir}/sysctl.d/swappiness.conf
+               install -m 644 %{DIR_APP}/sysctl/hardening.conf \
+                       %{BUILDROOT}%{sysconfdir}/sysctl.d/hardening.conf
        end
 end
 
diff --git a/setup/sysctl/hardening.conf b/setup/sysctl/hardening.conf
new file mode 100644 (file)
index 0000000..1661a6c
--- /dev/null
@@ -0,0 +1,5 @@
+# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
+kernel.kptr_restrict = 1
+
+# Avoid kernel memory address exposures via dmesg.
+kernel.dmesg_restrict = 1
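Review bot: `kernel.kptr_restrict = 1` on the second added line only masks addresses for readers without CAP_SYSLOG, so the comment above it ("keep kernel address exposures out of various /proc files") overstates what the setting does for privileged processes; a value of 2 would hide them regardless of privilege. If 1 is the intended trade-off (it matches the KSPP recommendation the description links, as far as I recall, and 2 breaks tools that need real symbol addresses), the comment should record that choice, e.g. `# 1 hides addresses from unprivileged readers only; 2 would also hide them from CAP_SYSLOG holders but breaks symbol-resolving tools.` It is also worth noting in the dmesg comment that this runtime setting complements the build-time restriction the description mentions rather than replacing it, since it is only applied once the sysctl.d files are processed at boot.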