From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] prevent kernel address space leak via dmesg or /proc files
Date: Thu, 03 Jan 2019 18:08:15 +0000
In-Reply-To: <12f4a156-3f21-1cf6-05bb-069fd986932d@link38.eu>

Hello,

I merged this and edited the release number of the setup package.

For pakfire to recognise changes, the release number (or version number) has to be increased. Since this package does not follow an upstream one, it would have been only the release. I did that for you.

Why did we say again this should live in the setup package and not the kernel?

-Michael

> On 3 Jan 2019, at 17:05, Peter Müller wrote:
> 
> Enable runtime sysctl hardening in order to avoid kernel
> addresses being disclosed via dmesg (in case it was built
> in without restrictions) or various /proc files.
> 
> See https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
> for further information.
> 
> Signed-off-by: Peter Müller
> ---
> setup/setup.nm | 2 ++
> setup/sysctl/kernel-hardening.conf | 6 ++++++
> 2 files changed, 8 insertions(+)
> create mode 100644 setup/sysctl/kernel-hardening.conf
> 
> diff --git a/setup/setup.nm b/setup/setup.nm
> index 78d1a5df3..f1dd3c177 100644
> --- a/setup/setup.nm
> +++ b/setup/setup.nm
> @@ -53,6 +53,8 @@ build
> %{BUILDROOT}%{sysconfdir}/sysctl.d/printk.conf
> install -m 644 %{DIR_APP}/sysctl/swappiness.conf \
> %{BUILDROOT}%{sysconfdir}/sysctl.d/swappiness.conf
> + install -m 644 %{DIR_APP}/sysctl/kernel-hardening.conf \
> + %{BUILDROOT}%{sysconfdir}/sysctl.d/kernel-hardening.conf
> end
> end
> 
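Review bot: the setup.nm hunk adds the install line but does not bump the package's release number, so pakfire would not pick up the new file on existing installations (the merge reply above confirms the release had to be edited by hand at merge time). Whenever a packaged file is added, the release bump belongs in the same patch so it cannot be forgotten.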
> diff --git a/setup/sysctl/kernel-hardening.conf b/setup/sysctl/kernel-hardening.conf
> new file mode 100644
> index 000000000..6751bbef6
> --- /dev/null
> +++ b/setup/sysctl/kernel-hardening.conf
> @@ -0,0 +1,6 @@
> +# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
> +kernel.kptr_restrict = 1
> +
> +# Avoid kernel memory address exposures via dmesg.
> +kernel.dmesg_restrict = 1
> +
> -- 
> 2.16.4
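Review bot: `kernel.kptr_restrict = 1` only hides pointers from readers without CAP_SYSLOG, so root-run tools that read /proc/kallsyms or print %pK values still see real addresses; if the intent is to keep them out of logs and support dumps as well, the value `2` replaces them with zeros for every reader, at the cost of harder-to-read oops output. The file also ends with an empty `+` line, which should be dropped. After install it is worth verifying the values actually took effect at boot with `sysctl kernel.kptr_restrict kernel.dmesg_restrict`, since a later file in sysctl.d can silently override them.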