From: Peter Müller
Date: Thu, 3 Jan 2019 17:05:40 +0000 (+0100)
Subject: prevent kernel address space leak via dmesg or /proc files
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5c62e4739107a7bb167c31c0f353f1ff8a150f2d;p=ipfire-3.x.git

prevent kernel address space leak via dmesg or /proc files

Enable runtime sysctl hardening in order to avoid kernel addresses being disclosed via dmesg (in case it was built in without restrictions) or various /proc files.

See https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings for further information.

Signed-off-by: Peter Müller
Signed-off-by: Michael Tremer
---

diff --git a/setup/setup.nm b/setup/setup.nm
index 78d1a5df3..e79fff10d 100644
--- a/setup/setup.nm
+++ b/setup/setup.nm
@@ -5,7 +5,7 @@
 name = setup
 version = 3.0
-release = 10
+release = 11
 arch = noarch
 groups = Base Build System/Base
@@ -53,6 +53,8 @@ build
 			%{BUILDROOT}%{sysconfdir}/sysctl.d/printk.conf
 		install -m 644 %{DIR_APP}/sysctl/swappiness.conf \
 			%{BUILDROOT}%{sysconfdir}/sysctl.d/swappiness.conf
+		install -m 644 %{DIR_APP}/sysctl/kernel-hardening.conf \
+			%{BUILDROOT}%{sysconfdir}/sysctl.d/kernel-hardening.conf
 	end
 end
diff --git a/setup/sysctl/kernel-hardening.conf b/setup/sysctl/kernel-hardening.conf
new file mode 100644
index 000000000..6751bbef6
--- /dev/null
+++ b/setup/sysctl/kernel-hardening.conf
@@ -0,0 +1,6 @@
+# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
+kernel.kptr_restrict = 1
+
+# Avoid kernel memory address exposures via dmesg.
+kernel.dmesg_restrict = 1
+
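Review bot: The comment above `kernel.kptr_restrict = 1` in the new kernel-hardening.conf overstates what the value does: with 1, %pK-formatted pointers are still shown to processes holding CAP_SYSLOG, so root can still read real addresses from /proc/kallsyms and /proc/modules, and only 2 hides them unconditionally. The commit title says "prevent" the leak, so the file should record that the chosen value is a deliberate unprivileged-only restriction, e.g. `# 1 hides kernel pointers from users without CAP_SYSLOG; 2 would hide them from everyone, including root.` A similar note on `kernel.dmesg_restrict = 1` would help, since it likewise gates dmesg on CAP_SYSLOG rather than blocking it outright, and has no effect on kernels already built with that restriction. The added trailing empty line at the end of the hunk is harmless but could be dropped.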