From mboxrd@z Thu Jan  1 00:00:00 1970
From: Peter =?utf-8?q?M=C3=BCller?= <peter.mueller@link38.eu>
To: development@lists.ipfire.org
Subject: [PATCH] disable runtime kernel replacement via kexec
Date: Thu, 16 Aug 2018 17:31:58 +0200
Message-ID: <57d61c63-b0a5-0a3b-c1d5-74e7cec2e583@link38.eu>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============7960016965292562495=="
List-Id: <development.lists.ipfire.org>

--===============7960016965292562495==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
---
 config/etc/sysctl.conf | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
index 011c4287e..5735dd42e 100644
--- a/config/etc/sysctl.conf
+++ b/config/etc/sysctl.conf
@@ -48,3 +48,7 @@ kernel.kptr_restrict = 1
 
 # Avoid kernel memory address exposures via dmesg.
 kernel.dmesg_restrict = 1
+
+# Turn off kexec, even if it's built in (dangerous because
+# it can replace the running kernel).
+kernel.kexec_load_disabled = 1
-- 
2.16.4


--===============7960016965292562495==--