In order to make local privilege escalation more harder, hide kernel addresses in various /proc files against users with root (or similar) permissions, too.
Common system hardening tools such as lynis recommend this.
The second version of this patch also increments the package number.
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- setup/setup.nm | 2 +- setup/sysctl/kernel-hardening.conf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/setup/setup.nm b/setup/setup.nm index e79fff10d..0bb936ccb 100644 --- a/setup/setup.nm +++ b/setup/setup.nm @@ -5,7 +5,7 @@
name = setup version = 3.0 -release = 11 +release = 12 arch = noarch
groups = Base Build System/Base diff --git a/setup/sysctl/kernel-hardening.conf b/setup/sysctl/kernel-hardening.conf index 6751bbef6..9bb6e9f45 100644 --- a/setup/sysctl/kernel-hardening.conf +++ b/setup/sysctl/kernel-hardening.conf @@ -1,5 +1,5 @@ # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). -kernel.kptr_restrict = 1 +kernel.kptr_restrict = 2
# Avoid kernel memory address exposures via dmesg. kernel.dmesg_restrict = 1