From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peter =?utf-8?q?M=C3=BCller?= To: development@lists.ipfire.org Subject: [PATCH] do not expose kernel address spaces even to privileged users Date: Thu, 16 Aug 2018 17:29:58 +0200 Message-ID: <378c6d50-9d3e-3783-7fa3-80c762463695@link38.eu> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============3124490700775527791==" List-Id: --===============3124490700775527791== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Change this setting from 1 to 2 so kernel addresses are not displayed even if a user has CAPS_SYSLOG privileges. See also: - https://lwn.net/Articles/420403/ - https://tails.boum.org/contribute/design/kernel_hardening/ Signed-off-by: Peter M=C3=BCller --- config/etc/sysctl.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf index 011c4287e..345f8f52a 100644 --- a/config/etc/sysctl.conf +++ b/config/etc/sysctl.conf @@ -44,7 +44,7 @@ net.bridge.bridge-nf-call-iptables =3D 0 net.bridge.bridge-nf-call-arptables =3D 0 =20 # Try to keep kernel address exposures out of various /proc files (kallsyms,= modules, etc). -kernel.kptr_restrict =3D 1 +kernel.kptr_restrict =3D 2 =20 # Avoid kernel memory address exposures via dmesg. kernel.dmesg_restrict =3D 1 --=20 2.16.4 --===============3124490700775527791==--
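Review bot: the in-file comment above the changed line ("Try to keep kernel address exposures out of various /proc files ...") still describes the old intent and does not say that `kernel.kptr_restrict = 2` hides addresses from every reader, CAP_SYSLOG holders and root included; since that is the whole point of going from 1 to 2, the comment should say so, e.g. `# Hide kernel addresses in /proc/kallsyms, /proc/modules etc. from all users, even those with CAP_SYSLOG (value 2).` The commit message also names the capability as "CAPS_SYSLOG"; the kernel capability is CAP_SYSLOG. Worth stating in the message as well: because value 2 zeroes addresses unconditionally, any root-run tooling that resolves symbols through /proc/kallsyms (perf, for example) loses them on IPFire after this change, which is an acceptable trade-off for a firewall but should be a conscious one.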
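As an added example, not part of this patch or of IPFire's own sysctl.conf, the following POSIX sh script audits a sysctl.conf fragment for the two address-exposure settings the patch concerns (kptr_restrict wanted at 2, dmesg_restrict at 1) and checks a /proc/kallsyms-style listing for zeroed addresses, which is how to confirm the setting actually took effect on a running box. The config contents, symbol names and addresses embedded here are constructed sample data, and the function names (`sysctl_value`, `audit_sysctl`, `kallsyms_hidden`) are my own.

```shell
#!/bin/sh
# Added example, not part of the IPFire patch or the sysctl.conf it changes:
# audit the two address-exposure sysctls the patch touches, and check a
# /proc/kallsyms-style listing to confirm addresses are really zeroed.

# sysctl_value FILE KEY: print the effective value of KEY in a sysctl.conf
# style file. Comments and blank lines are ignored; when a key appears more
# than once the last line wins, as it does for "sysctl -p".
sysctl_value() {
    sed -e 's/#.*$//' \
        -e 's/^[[:space:]]*//' \
        -e 's/[[:space:]]*=[[:space:]]*/ /' "$1" |
    awk -v key="$2" '
        $1 == key { v = $0; sub(/^[^ ]+ +/, "", v); sub(/[[:space:]]+$/, "", v) }
        END { print v }'
}

# audit_sysctl FILE: return 0 when kernel.kptr_restrict is 2 and
# kernel.dmesg_restrict is 1; otherwise print one line per finding and
# return 1.
audit_sysctl() {
    kptr=$(sysctl_value "$1" kernel.kptr_restrict)
    dmesg=$(sysctl_value "$1" kernel.dmesg_restrict)
    rc=0
    if [ "$kptr" != 2 ]; then
        echo "$1: kernel.kptr_restrict=${kptr:-unset}, want 2 (hide addresses even from CAP_SYSLOG)"
        rc=1
    fi
    if [ "$dmesg" != 1 ]; then
        echo "$1: kernel.dmesg_restrict=${dmesg:-unset}, want 1"
        rc=1
    fi
    return $rc
}

# kallsyms_hidden FILE: return 0 when every address column in a
# /proc/kallsyms style listing is all zeros, i.e. the kernel hid symbol
# addresses from whoever produced the listing; return 1 if any line still
# carries a real (non-zero) address.
kallsyms_hidden() {
    ! grep -Eq '^[0-9a-f]*[1-9a-f][0-9a-f]* ' "$1"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed sample: the relevant lines of a sysctl.conf before the patch
# (kptr_restrict = 1) and after it (kptr_restrict = 2).
BEFORE_CONF="$tmp/before.conf"
AFTER_CONF="$tmp/after.conf"
cat >"$BEFORE_CONF" <<'EOF'
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
kernel.kptr_restrict = 1

# Avoid kernel memory address exposures via dmesg.
kernel.dmesg_restrict = 1
EOF
sed 's/^kernel.kptr_restrict = 1$/kernel.kptr_restrict = 2/' "$BEFORE_CONF" >"$AFTER_CONF"

# Constructed /proc/kallsyms excerpts: what a reader sees when addresses are
# hidden (all zeros) versus when a CAP_SYSLOG holder reads them under
# kptr_restrict = 1 (the addresses below are made up, not from any kernel).
HIDDEN_SYMS="$tmp/hidden.syms"
EXPOSED_SYMS="$tmp/exposed.syms"
printf '%s\n' '0000000000000000 T _stext' '0000000000000000 D jiffies' >"$HIDDEN_SYMS"
printf '%s\n' 'ffffffff81000000 T _stext' 'ffffffff82c0a3e0 D jiffies' >"$EXPOSED_SYMS"

audit_sysctl "$BEFORE_CONF" || echo "before.conf: not compliant (expected)"
audit_sysctl "$AFTER_CONF" && echo "after.conf: compliant"
kallsyms_hidden "$HIDDEN_SYMS" && echo "hidden.syms: addresses hidden"
kallsyms_hidden "$EXPOSED_SYMS" || echo "exposed.syms: addresses visible"
```

To check a live system rather than a file, point `audit_sysctl` at the deployed sysctl.conf and run `kallsyms_hidden /proc/kallsyms` as root: with kptr_restrict = 2 it succeeds for root too, whereas with the old value of 1 it fails for any CAP_SYSLOG holder.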