* [PATCH] do not expose kernel address spaces even to privileged users
@ 2018-08-16 15:29 Peter Müller
0 siblings, 0 replies; only message in thread
From: Peter Müller @ 2018-08-16 15:29 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 878 bytes --]
Change this setting from 1 to 2 so kernel addresses are not
displayed even if a user has CAPS_SYSLOG privileges.
See also:
- https://lwn.net/Articles/420403/
- https://tails.boum.org/contribute/design/kernel_hardening/
Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
---
config/etc/sysctl.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
index 011c4287e..345f8f52a 100644
--- a/config/etc/sysctl.conf
+++ b/config/etc/sysctl.conf
@@ -44,7 +44,7 @@ net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
-kernel.kptr_restrict = 1
+kernel.kptr_restrict = 2
# Avoid kernel memory address exposures via dmesg.
kernel.dmesg_restrict = 1
--
2.16.4
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2018-08-16 15:29 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-08-16 15:29 [PATCH] do not expose kernel address spaces even to privileged users Peter Müller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox