Enable runtime sysctl hardening in order to avoid kernel addresses being disclosed via dmesg (in case it was built in without restrictions) or various /proc files.
See https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommende... for further information.
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- setup/setup.nm | 2 ++ setup/sysctl/kernel-hardening.conf | 6 ++++++ 2 files changed, 8 insertions(+) create mode 100644 setup/sysctl/kernel-hardening.conf
diff --git a/setup/setup.nm b/setup/setup.nm index 78d1a5df3..f1dd3c177 100644 --- a/setup/setup.nm +++ b/setup/setup.nm @@ -53,6 +53,8 @@ build %{BUILDROOT}%{sysconfdir}/sysctl.d/printk.conf install -m 644 %{DIR_APP}/sysctl/swappiness.conf \ %{BUILDROOT}%{sysconfdir}/sysctl.d/swappiness.conf + install -m 644 %{DIR_APP}/sysctl/kernel-hardening.conf \ + %{BUILDROOT}%{sysconfdir}/sysctl.d/kernel-hardening.conf end end
diff --git a/setup/sysctl/kernel-hardening.conf b/setup/sysctl/kernel-hardening.conf new file mode 100644 index 000000000..6751bbef6 --- /dev/null +++ b/setup/sysctl/kernel-hardening.conf @@ -0,0 +1,6 @@ +# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). +kernel.kptr_restrict = 1 + +# Avoid kernel memory address exposures via dmesg. +kernel.dmesg_restrict = 1 +