Hello, I merged this and edited the release number of the setup package. For pakfire to recognise changes, the release number (or version number) has to be increased. Since this package does not follow an upstream one, it would have been only the release. I did that for you. Why did we say again this should live in the setup package and not the kernel? -Michael > On 3 Jan 2019, at 17:05, Peter Müller wrote: > > Enable runtime sysctl hardening in order to avoid kernel > addresses being disclosed via dmesg (in case it was built > in without restrictions) or various /proc files. > > See https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings > for further information. > > Signed-off-by: Peter Müller > --- > setup/setup.nm | 2 ++ > setup/sysctl/kernel-hardening.conf | 6 ++++++ > 2 files changed, 8 insertions(+) > create mode 100644 setup/sysctl/kernel-hardening.conf > > diff --git a/setup/setup.nm b/setup/setup.nm > index 78d1a5df3..f1dd3c177 100644 > --- a/setup/setup.nm > +++ b/setup/setup.nm > @@ -53,6 +53,8 @@ build > %{BUILDROOT}%{sysconfdir}/sysctl.d/printk.conf > install -m 644 %{DIR_APP}/sysctl/swappiness.conf \ > %{BUILDROOT}%{sysconfdir}/sysctl.d/swappiness.conf > + install -m 644 %{DIR_APP}/sysctl/kernel-hardening.conf \ > + %{BUILDROOT}%{sysconfdir}/sysctl.d/kernel-hardening.conf > end > end > > diff --git a/setup/sysctl/kernel-hardening.conf b/setup/sysctl/kernel-hardening.conf > new file mode 100644 > index 000000000..6751bbef6 > --- /dev/null > +++ b/setup/sysctl/kernel-hardening.conf > @@ -0,0 +1,6 @@ > +# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). > +kernel.kptr_restrict = 1 > + > +# Avoid kernel memory address exposures via dmesg. > +kernel.dmesg_restrict = 1 > + > -- > 2.16.4
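Review bot: the setup.nm hunk installs the new sysctl fragment but does not bump the package's release field, so on its own the patch would not make pakfire pick up the change; as the reply above notes, the release (or version) has to be increased whenever the package content changes, and that bump belongs in the same patch as the two new install lines. The added lines otherwise match the surrounding printk.conf and swappiness.conf installs in mode, indentation and continuation style.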
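Review bot: in the kernel-hardening.conf hunk, the comment over kernel.kptr_restrict = 1 overstates the effect: value 1 only hides pointer values from processes lacking CAP_SYSLOG, so a privileged reader of /proc/kallsyms or /proc/modules still sees real addresses; if the goal is to hide them from everyone, including root, value 2 does that. kernel.dmesg_restrict = 1 applies the same CAP_SYSLOG threshold to the kernel log and is the runtime counterpart of the build-time restriction the commit message mentions, which is worth stating in the comment so the two settings read consistently. The trailing empty line at the end of the new file can be dropped.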