From: Peter Müller
To: development@lists.ipfire.org
Subject: [PATCH] hide kernel addresses in /proc against privileged users
Date: Sun, 20 Jan 2019 18:03:36 +0100
Message-ID: <015ae288-bd5a-15c1-151a-3189d769a984@link38.eu>

In order to make local privilege escalation harder, hide kernel addresses in various /proc files against users with root (or similar) permissions, too. Common system hardening tools such as lynis recommend this.

Signed-off-by: Peter Müller

--- setup/sysctl/kernel-hardening.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/sysctl/kernel-hardening.conf b/setup/sysctl/kernel-hardeni= ng.conf index 6751bbef6..9bb6e9f45 100644 --- a/setup/sysctl/kernel-hardening.conf +++ b/setup/sysctl/kernel-hardening.conf @@ -1,5 +1,5 @@ # Try to keep kernel address exposures out of various /proc files (kallsyms,= modules, etc). -kernel.kptr_restrict =3D 1 +kernel.kptr_restrict =3D 2 =20 # Avoid kernel memory address exposures via dmesg. kernel.dmesg_restrict =3D 1 --=20 2.16.4
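
Review bot: Missing documentation on the unchanged comment line above kernel.kptr_restrict: it still reads "Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc)." and does not say why the value is now 2 rather than 1, so the reason for the change lives only in the commit message. Suggest extending that comment to state that 2 hides the addresses from root and similarly privileged users as well, which is the stated intent of the patch. It would also help to mention, in the comment or the commit message, that with this value tools run as root that read symbol addresses from /proc/kallsyms or /proc/modules (profilers, kernel debugging helpers) will see zeroed addresses, so anyone troubleshooting on the box knows to lower the setting temporarily with sysctl.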