Make sure kernel address space is hidden from files somewhere in /proc . This reduces attack surface and partially addresses #11659.

Signed-off-by: Peter Müller peter.mueller@link38.eu --- config/etc/sysctl.conf | 6 ++++++ 1 file changed, 6 insertions(+)

diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf index f3897c3c7..011c4287e 100644 --- a/config/etc/sysctl.conf +++ b/config/etc/sysctl.conf @@ -42,3 +42,9 @@ net.netfilter.nf_conntrack_acct=1 net.bridge.bridge-nf-call-ip6tables = 0 net.bridge.bridge-nf-call-iptables = 0 net.bridge.bridge-nf-call-arptables = 0 + +# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). +kernel.kptr_restrict = 1 + +# Avoid kernel memory address exposures via dmesg. +kernel.dmesg_restrict = 1