From db7045a1a627cc7144236d18cf7afd163643398c Mon Sep 17 00:00:00 2001
From: =?utf8?q?Peter=20M=C3=BCller?=
Date: Sun, 2 Dec 2018 17:26:17 +0100
Subject: [PATCH] prevent kernel address space leak via dmesg or /proc files
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Enable runtime sysctl hardening in order to avoid kernel addresses being disclosed via dmesg (in case it was built in without restrictions) or various /proc files. See https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings for further information.
Signed-off-by: Peter Müller
---
 setup/setup.nm | 2 ++
 setup/sysctl/hardening.conf | 5 +++++
 2 files changed, 7 insertions(+)
 create mode 100644 setup/sysctl/hardening.conf

diff --git a/setup/setup.nm b/setup/setup.nm
index dad72ae0b..a5a65aebe 100644
--- a/setup/setup.nm
+++ b/setup/setup.nm
@@ -53,6 +53,8 @@ build
 %{BUILDROOT}%{sysconfdir}/sysctl.d/printk.conf
 install -m 644 %{DIR_APP}/sysctl/swappiness.conf \
 %{BUILDROOT}%{sysconfdir}/sysctl.d/swappiness.conf
+ install -m 644 %{DIR_APP}/sysctl/hardening.conf \
+ %{BUILDROOT}%{sysconfdir}/sysctl.d/hardening.conf
 end
 end
diff --git a/setup/sysctl/hardening.conf b/setup/sysctl/hardening.conf
new file mode 100644
index 000000000..1661a6cc8
--- /dev/null
+++ b/setup/sysctl/hardening.conf
@@ -0,0 +1,5 @@
+# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
+kernel.kptr_restrict = 1
+
+# Avoid kernel memory address exposures via dmesg.
+kernel.dmesg_restrict = 1
-- 
2.47.2
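Review bot: The comment above `kernel.kptr_restrict = 1` in the new hardening.conf should spell out what value 1 buys, because 1 only blanks `%pK` addresses for readers without CAP_SYSLOG and the check is made against the credentials of the process doing the read, so a privileged helper that reads /proc/kallsyms or /proc/modules on behalf of an unprivileged caller still relays real addresses, whereas 2 hides them unconditionally. I would extend the comment to `# 1: hide %pK addresses from readers lacking CAP_SYSLOG (checked per reader); 2 hides them for everyone.` so the trade-off is visible to whoever tunes this file later. The same per-reader caveat applies to `kernel.dmesg_restrict = 1`, which gates dmesg(1) and /dev/kmsg reads on CAP_SYSLOG rather than scrubbing addresses already in the ring buffer, and `%pK` is formatted at print time, so messages logged before this sysctl file is applied still carry real addresses and rely on dmesg_restrict alone. Since sysctl.d files are read in lexical order, hardening.conf is applied before the existing printk.conf and swappiness.conf; presumably no key overlaps, but that is worth a one-line note in the file header.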