Hello,
I merged this and edited the release number of the setup package.
For pakfire to recognise changes, the release number (or version number) has to be increased. Since this package does not follow an upstream one, it would have been only the release. I did that for you.
Why did we say again this should live in the setup package and not the kernel?
-Michael
On 3 Jan 2019, at 17:05, Peter Müller peter.mueller@link38.eu wrote:
Enable runtime sysctl hardening in order to avoid kernel addresses being disclosed via dmesg (in case it was built in without restrictions) or various /proc files.
See https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommende... for further information.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
 setup/setup.nm                     | 2 ++
 setup/sysctl/kernel-hardening.conf | 6 ++++++
 2 files changed, 8 insertions(+)
 create mode 100644 setup/sysctl/kernel-hardening.conf
diff --git a/setup/setup.nm b/setup/setup.nm index 78d1a5df3..f1dd3c177 100644 --- a/setup/setup.nm +++ b/setup/setup.nm @@ -53,6 +53,8 @@ build %{BUILDROOT}%{sysconfdir}/sysctl.d/printk.conf install -m 644 %{DIR_APP}/sysctl/swappiness.conf \ %{BUILDROOT}%{sysconfdir}/sysctl.d/swappiness.conf
install -m 644 %{DIR_APP}/sysctl/kernel-hardening.conf \
end%{BUILDROOT}%{sysconfdir}/sysctl.d/kernel-hardening.conf
end
diff --git a/setup/sysctl/kernel-hardening.conf b/setup/sysctl/kernel-hardening.conf new file mode 100644 index 000000000..6751bbef6 --- /dev/null +++ b/setup/sysctl/kernel-hardening.conf @@ -0,0 +1,6 @@ +# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). +kernel.kptr_restrict = 1
+# Avoid kernel memory address exposures via dmesg. +kernel.dmesg_restrict = 1
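Review bot: the setup.nm hunk only adds the two install lines after the swappiness.conf install in the build section; nothing in this diff touches the package's release field, so the new sysctl.d file would ship under an unchanged package version and pakfire would not treat it as an update (the reply above says the release was bumped at merge time). Suggest carrying the release increment in the same patch so it is self-contained. The mode 644 install into %{sysconfdir}/sysctl.d matches the existing printk.conf and swappiness.conf lines, so no objection to the mechanics.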
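Review bot: in the kernel-hardening.conf hunk the comment above `kernel.kptr_restrict = 1` should say what value 1 does and does not cover: with 1 the addresses in /proc/kallsyms, /proc/modules and similar files are zeroed only for readers without CAP_SYSLOG, so root and other CAP_SYSLOG holders still see real addresses, while 2 hides them from everyone. If 1 is the intended trade-off (tooling running as root still needs the addresses), state that in the comment; otherwise `kernel.kptr_restrict = 2` is the stricter choice. `kernel.dmesg_restrict = 1` is fine as written; a note in its comment that the sysctl applies regardless of the build-time default the commit message refers to would make the intent clear to the next reader.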
-- 2.16.4
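The patch above enables kernel.kptr_restrict and kernel.dmesg_restrict through a sysctl.d file. As an added example that is not part of the patch or the IPFire setup package, here is a POSIX shell audit script that parses such a file, compares every key against the live value under /proc/sys, and counts how many entries of a /proc/kallsyms-style listing still carry real addresses, which is the observable effect kptr_restrict=1 removes for readers without CAP_SYSLOG. All fixture data (the fake /proc/sys tree and the two kallsyms listings) is constructed, not captured from a system; the function names and the simple dot-to-slash key mapping are this example's own assumptions.

```sh
#!/bin/sh
# Audit helper for a sysctl.d kernel-hardening file.
# Added example, not part of the IPFire setup package or the patch above.
# Every path is a parameter so the functions run against a constructed fake
# /proc/sys tree (see make_fixture) as well as the live one (ROOT=/proc/sys).

# parse_sysctl_conf FILE
# Emit "key=value" per setting, dropping comments, blank lines and whitespace.
parse_sysctl_conf() {
    sed -e 's/[#;].*$//' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' \
        -e '/^$/d' "$1"
}

# sysctl_path KEY ROOT -> ROOT/kernel/kptr_restrict for kernel.kptr_restrict
# Assumption: every dot is a path separator (keys containing dotted interface
# names such as net.ipv4.conf.eth0.100.rp_filter would need the "/" form).
sysctl_path() {
    printf '%s/%s\n' "$2" "$(printf '%s' "$1" | tr '.' '/')"
}

# check_sysctl_conf FILE ROOT
# Compare each key in FILE with its live value under ROOT. One status line per
# key; returns 1 if any value is missing or differs from what FILE asks for.
check_sysctl_conf() {
    rc=0
    while IFS='=' read -r key want; do
        [ -n "$key" ] || continue
        path=$(sysctl_path "$key" "$2")
        if [ ! -r "$path" ]; then
            echo "MISSING $key ($path not readable)"
            rc=1
        else
            have=$(cat "$path")
            if [ "$have" = "$want" ]; then
                echo "OK      $key=$have"
            else
                echo "DRIFT   $key want=$want have=$have"
                rc=1
            fi
        fi
    done <<EOF
$(parse_sysctl_conf "$1")
EOF
    return $rc
}

# kallsyms_exposed FILE
# Count symbols in a /proc/kallsyms-style listing whose address is not all
# zeros. With kernel.kptr_restrict=1 a reader without CAP_SYSLOG sees
# 0000000000000000 for every symbol, so a non-zero count from an unprivileged
# shell means kernel addresses are still being disclosed.
kallsyms_exposed() {
    awk '$1 !~ /^0+$/ { n++ } END { print n + 0 }' "$1"
}

# make_fixture DIR
# Constructed sample data (not captured from a real system): the hardening file
# from the patch, a fake /proc/sys where dmesg_restrict was left at 0, and two
# kallsyms listings, one restricted and one leaking.
make_fixture() {
    mkdir -p "$1/sys/kernel"
    cat > "$1/kernel-hardening.conf" <<'EOF'
# Try to keep kernel address exposures out of various /proc files.
kernel.kptr_restrict = 1
# Avoid kernel memory address exposures via dmesg.
kernel.dmesg_restrict = 1
EOF
    echo 1 > "$1/sys/kernel/kptr_restrict"
    echo 0 > "$1/sys/kernel/dmesg_restrict"
    printf '%s\n' \
        '0000000000000000 T _text' \
        '0000000000000000 T startup_64' > "$1/kallsyms.restricted"
    printf '%s\n' \
        'ffffffff81000000 T _text' \
        'ffffffff81000040 T startup_64' \
        '0000000000000000 A fixed_percpu_data' > "$1/kallsyms.leaking"
}

# Demo on the constructed fixture. Against a real box run, as root:
#   check_sysctl_conf /etc/sysctl.d/kernel-hardening.conf /proc/sys
# and, as an unprivileged user:  kallsyms_exposed /proc/kallsyms
tmp=$(mktemp -d)
make_fixture "$tmp"
check_sysctl_conf "$tmp/kernel-hardening.conf" "$tmp/sys" || echo "hardening drift detected"
echo "exposed symbols (restricted listing): $(kallsyms_exposed "$tmp/kallsyms.restricted")"
echo "exposed symbols (leaking listing):    $(kallsyms_exposed "$tmp/kallsyms.leaking")"
rm -rf "$tmp"
```

Run the kallsyms check from a non-root shell: root holds CAP_SYSLOG, so with kptr_restrict=1 it still sees real addresses and the count would not tell you anything about what an unprivileged local user can read. The drift check is worth running after the sysctl service has applied sysctl.d at boot, since installing the file alone changes nothing in /proc/sys until then.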