From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peter =?utf-8?q?M=C3=BCller?= To: development@lists.ipfire.org Subject: [PATCH] prevent kernel address space leak via dmesg or /proc files Date: Thu, 03 Jan 2019 18:05:40 +0100 Message-ID: <12f4a156-3f21-1cf6-05bb-069fd986932d@link38.eu> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============0309597459758036372==" List-Id: --===============0309597459758036372== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Enable runtime sysctl hardening in order to avoid kernel addresses being disclosed via dmesg (in case it was built in without restrictions) or various /proc files. See https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recomme= nded_Settings for further information. Signed-off-by: Peter M=C3=BCller --- setup/setup.nm | 2 ++ setup/sysctl/kernel-hardening.conf | 6 ++++++ 2 files changed, 8 insertions(+) create mode 100644 setup/sysctl/kernel-hardening.conf diff --git a/setup/setup.nm b/setup/setup.nm index 78d1a5df3..f1dd3c177 100644 --- a/setup/setup.nm +++ b/setup/setup.nm @@ -53,6 +53,8 @@ build %{BUILDROOT}%{sysconfdir}/sysctl.d/printk.conf install -m 644 %{DIR_APP}/sysctl/swappiness.conf \ %{BUILDROOT}%{sysconfdir}/sysctl.d/swappiness.conf + install -m 644 %{DIR_APP}/sysctl/kernel-hardening.conf \ + %{BUILDROOT}%{sysconfdir}/sysctl.d/kernel-hardening.conf end end =20 diff --git a/setup/sysctl/kernel-hardening.conf b/setup/sysctl/kernel-hardeni= ng.conf new file mode 100644 index 000000000..6751bbef6 --- /dev/null +++ b/setup/sysctl/kernel-hardening.conf @@ -0,0 +1,6 @@ +# Try to keep kernel address exposures out of various /proc files (kallsyms,= modules, etc). +kernel.kptr_restrict =3D 1 + +# Avoid kernel memory address exposures via dmesg. +kernel.dmesg_restrict =3D 1 + --=20 2.16.4 --===============0309597459758036372==--
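Review bot: In the setup.nm hunk, the new install line drops `kernel-hardening.conf` into `sysctl.d/` next to `printk.conf` and `swappiness.conf`, but note that sysctl.d fragments are applied in lexical filename order and a later file silently overrides an earlier one for the same key; since `kernel-hardening.conf` sorts before both existing files, any other fragment that happens to set `kernel.kptr_restrict` or `kernel.dmesg_restrict` would win. If the intent is for these hardening values to take precedence, consider a name that sorts last (a numeric prefix is the usual convention), or state in the commit message that no other shipped fragment touches these keys. Otherwise the hunk follows the existing `install -m 644 ... \` pattern exactly, which is good.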
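Review bot: In the new `kernel-hardening.conf`, `kernel.kptr_restrict = 1` only zeroes `%pK` addresses for readers without CAP_SYSLOG, so root (and any process holding that capability) still sees real addresses in /proc/kallsyms, /proc/modules and similar; `2` hides them unconditionally, which matches the subject line's stated goal of preventing the leak rather than limiting it to unprivileged users. Either document why `1` was chosen (e.g. to keep symbol addresses available to privileged debugging tools on the firewall) or raise it to `2`. Two smaller points: `kernel.dmesg_restrict = 1` also gates the syslog(2) read path, so any unprivileged log collector on the box will lose access to the kernel ring buffer, which is worth a sentence in the commit message; and the hunk ends with an empty `+` line, leaving a trailing blank line in the file that should be dropped.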