From mboxrd@z Thu Jan  1 00:00:00 1970
From: Peter =?utf-8?q?M=C3=BCller?= <peter.mueller@link38.eu>
To: development@lists.ipfire.org
Subject: [PATCH v2] hide kernel addresses in /proc against privileged users
Date: Mon, 21 Jan 2019 21:43:26 +0100
Message-ID: <cb91cffd-10e2-c075-ec92-90fa8290eb71@link38.eu>
In-Reply-To: <B2B43E94-7188-46F9-AD19-5D2F1E1D9EC6@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============4127039483177034527=="
List-Id: <development.lists.ipfire.org>

--===============4127039483177034527==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

In order to make local privilege escalation more harder, hide
kernel addresses in various /proc files against users with
root (or similar) permissions, too.

Common system hardening tools such as lynis recommend this.

The second version of this patch also increments the package number.

Signed-off-by: Peter M=C3=BCller <peter.mueller(a)ipfire.org>
---
 setup/setup.nm                     | 2 +-
 setup/sysctl/kernel-hardening.conf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/setup/setup.nm b/setup/setup.nm
index e79fff10d..0bb936ccb 100644
--- a/setup/setup.nm
+++ b/setup/setup.nm
@@ -5,7 +5,7 @@
=20
 name       =3D setup
 version    =3D 3.0
-release    =3D 11
+release    =3D 12
 arch       =3D noarch
=20
 groups     =3D Base Build System/Base
diff --git a/setup/sysctl/kernel-hardening.conf b/setup/sysctl/kernel-hardeni=
ng.conf
index 6751bbef6..9bb6e9f45 100644
--- a/setup/sysctl/kernel-hardening.conf
+++ b/setup/sysctl/kernel-hardening.conf
@@ -1,5 +1,5 @@
 # Try to keep kernel address exposures out of various /proc files (kallsyms,=
 modules, etc).
-kernel.kptr_restrict =3D 1
+kernel.kptr_restrict =3D 2
=20
 # Avoid kernel memory address exposures via dmesg.
 kernel.dmesg_restrict =3D 1
--=20
2.16.4


--===============4127039483177034527==--