Signed-off-by: Peter Müller peter.mueller@link38.eu --- config/etc/sysctl.conf | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf index 011c4287e..5735dd42e 100644 --- a/config/etc/sysctl.conf +++ b/config/etc/sysctl.conf @@ -48,3 +48,7 @@ kernel.kptr_restrict = 1
# Avoid kernel memory address exposures via dmesg. kernel.dmesg_restrict = 1 + +# Turn off kexec, even if it's built in (dangerous because +# it can replace the running kernel). +kernel.kexec_load_disabled = 1
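Review bot: The added "kernel.kexec_load_disabled = 1" line at the end of the hunk is set unconditionally, and the new comment ("even if it's built in") reads as if the key were always present. The key only exists under /proc/sys/kernel on kernels that provide kexec support, so on any other kernel sysctl cannot resolve it and reports an error when it loads this file. Please confirm the key exists on the kernel this file ships with. Also consider stating in the comment that the setting is one-way: once it is 1 it cannot be set back to 0 without a reboot.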
Hello,
please ignore this patch as it contains some errors leading to key lookup failures in sysctl.
Sorry for the inconvenience.
Thanks, and best regards, Peter Müller
Signed-off-by: Peter Müller peter.mueller@link38.eu
config/etc/sysctl.conf | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf index 011c4287e..5735dd42e 100644 --- a/config/etc/sysctl.conf +++ b/config/etc/sysctl.conf @@ -48,3 +48,7 @@ kernel.kptr_restrict = 1
# Avoid kernel memory address exposures via dmesg. kernel.dmesg_restrict = 1
+# Turn off kexec, even if it's built in (dangerous because +# it can replace the running kernel). +kernel.kexec_load_disabled = 1
To avoid this noise on the list, please *thoroughly* test those changes before.
Although this is a trivial patch itself with only a one-line change, those changes can have loads of implications.
Best, -Michael
On Sun, 2018-08-19 at 20:14 +0200, Peter Müller wrote:
Hello,
please ignore this patch as it contains some errors leading to key lookup failures in sysctl.
Sorry for the inconvenience.
Thanks, and best regards, Peter Müller
Signed-off-by: Peter Müller peter.mueller@link38.eu
config/etc/sysctl.conf | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf index 011c4287e..5735dd42e 100644 --- a/config/etc/sysctl.conf +++ b/config/etc/sysctl.conf @@ -48,3 +48,7 @@ kernel.kptr_restrict = 1
# Avoid kernel memory address exposures via dmesg. kernel.dmesg_restrict = 1
+# Turn off kexec, even if it's built in (dangerous because +# it can replace the running kernel). +kernel.kexec_load_disabled = 1
Hello Michael,
> To avoid this noise on the list, please *thoroughly* test those changes before.
I do, but this was (successfully) tested against the wrong kernel. :-\
> Although this is a trivial patch itself with only a one-line change, those changes can have loads of implications.
ACK.
Sorry for the poor quality of my patches. Promise to get better...
Best regards, Peter Müller
> Best, -Michael
[...]
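The failure discussed in this thread (a sysctl.conf key that the target kernel does not provide) can be caught before a patch is sent. The following is an added example, not code from the thread or from the project. The function names, the optional PROC_ROOT argument and the sample tree are assumptions made for illustration, and the key-to-path mapping is the simple dot-to-slash form.

```shell
#!/bin/sh
# Added example: list sysctl.conf keys with no entry under /proc/sys.
# Usage: missing_sysctl_keys CONF [PROC_ROOT]
# PROC_ROOT defaults to /proc/sys; the override (an assumption of this
# example) lets the check run against the /proc/sys tree of another
# kernel, or against a constructed tree as in demo() below.
missing_sysctl_keys() {
    conf=$1
    root=${2:-/proc/sys}
    # Drop comment lines (# or ;) and blank lines, keep the text before '='.
    sed -e '/^[[:space:]]*[#;]/d' \
        -e '/^[[:space:]]*$/d' \
        -e 's/=.*$//' "$conf" |
    while read -r key; do
        # A leading '-' tells sysctl to ignore errors for that line.
        key=${key#-}
        # Simple mapping: kernel.dmesg_restrict -> kernel/dmesg_restrict.
        path=$(printf '%s' "$key" | tr '.' '/')
        [ -e "$root/$path" ] || printf '%s\n' "$key"
    done
}

# Constructed sample: a tree that stands in for a kernel without the
# kexec key, and a config holding the three keys visible in the patch.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/proc/kernel"
    : > "$tmp/proc/kernel/kptr_restrict"
    : > "$tmp/proc/kernel/dmesg_restrict"
    cat > "$tmp/sysctl.conf" <<'EOF'
kernel.kptr_restrict = 1

# Avoid kernel memory address exposures via dmesg.
kernel.dmesg_restrict = 1

# Turn off kexec.
kernel.kexec_load_disabled = 1
EOF
    missing_sysctl_keys "$tmp/sysctl.conf" "$tmp/proc"
    rm -rf "$tmp"
}

demo
```

Run on the target system itself, missing_sysctl_keys config/etc/sysctl.conf prints nothing when every key resolves on the running kernel.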