From: Peter Müller <peter.mueller@ipfire.org>
Date: Sun, 2 Dec 2018 16:26:17 +0000 (+0100)
Subject: prevent kernel address space leak via dmesg or /proc files
X-Git-Url: http://git.ipfire.org/?p=people%2Fpmueller%2Fipfire-3.x.git;a=commitdiff_plain;h=refs%2Fheads%2Fkernel-hardening

prevent kernel address space leak via dmesg or /proc files

Enable runtime sysctl hardening in order to avoid kernel
addresses being disclosed via dmesg (in case it was built
in without restrictions) or various /proc files.

See https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
for further information.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---

diff --git a/setup/setup.nm b/setup/setup.nm
index dad72ae0b..a5a65aebe 100644
--- a/setup/setup.nm
+++ b/setup/setup.nm
@@ -53,6 +53,8 @@ build
 			%{BUILDROOT}%{sysconfdir}/sysctl.d/printk.conf
 		install -m 644 %{DIR_APP}/sysctl/swappiness.conf \
 			%{BUILDROOT}%{sysconfdir}/sysctl.d/swappiness.conf
+		install -m 644 %{DIR_APP}/sysctl/hardening.conf \
+			%{BUILDROOT}%{sysconfdir}/sysctl.d/hardening.conf
 	end
 end
 
diff --git a/setup/sysctl/hardening.conf b/setup/sysctl/hardening.conf
new file mode 100644
index 000000000..1661a6cc8
--- /dev/null
+++ b/setup/sysctl/hardening.conf
@@ -0,0 +1,5 @@
+# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
+kernel.kptr_restrict = 1
+
+# Avoid kernel memory address exposures via dmesg.
+kernel.dmesg_restrict = 1