Enable runtime sysctl hardening in order to avoid kernel addresses being disclosed via dmesg (in case it was built in without restrictions) or various /proc files.
See https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommende... for further information.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
---
 setup/setup.nm | 2 ++
 setup/sysctl/kernel-hardening.conf | 6 ++++++
 2 files changed, 8 insertions(+)
 create mode 100644 setup/sysctl/kernel-hardening.conf
diff --git a/setup/setup.nm b/setup/setup.nm index 78d1a5df3..f1dd3c177 100644 --- a/setup/setup.nm +++ b/setup/setup.nm @@ -53,6 +53,8 @@ build %{BUILDROOT}%{sysconfdir}/sysctl.d/printk.conf install -m 644 %{DIR_APP}/sysctl/swappiness.conf \ %{BUILDROOT}%{sysconfdir}/sysctl.d/swappiness.conf + install -m 644 %{DIR_APP}/sysctl/kernel-hardening.conf \ + %{BUILDROOT}%{sysconfdir}/sysctl.d/kernel-hardening.conf end end
diff --git a/setup/sysctl/kernel-hardening.conf b/setup/sysctl/kernel-hardening.conf new file mode 100644 index 000000000..6751bbef6 --- /dev/null +++ b/setup/sysctl/kernel-hardening.conf @@ -0,0 +1,6 @@ +# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). +kernel.kptr_restrict = 1 + +# Avoid kernel memory address exposures via dmesg. +kernel.dmesg_restrict = 1 +
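Review bot: the kernel-hardening.conf hunk's comments should say what value 1 actually buys. `kernel.kptr_restrict = 1` masks %pK-formatted pointers (including the addresses in /proc/kallsyms) only for readers without CAP_SYSLOG; root and CAP_SYSLOG processes still see real addresses, and value 2 hides them from everyone, so the comment should state which behaviour is intended. `kernel.dmesg_restrict = 1` makes reading the kernel log require CAP_SYSLOG, which is what the commit message's "in case it was built in without restrictions" refers to (CONFIG_SECURITY_DMESG_RESTRICT only sets the default); naming that in the comment would help the next reader. The hunk also adds an empty line at the end of the file (the sixth `+` line), which is probably unintended.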
Hello,
I merged this and edited the release number of the setup package.
For pakfire to recognise changes, the release number (or version number) has to be increased. Since this package does not follow an upstream one, it would have been only the release. I did that for you.
Why did we say again this should live in the setup package and not the kernel?
-Michael
On 3 Jan 2019, at 17:05, Peter Müller peter.mueller@link38.eu wrote:
Enable runtime sysctl hardening in order to avoid kernel addresses being disclosed via dmesg (in case it was built in without restrictions) or various /proc files.
See https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommende... for further information.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
 setup/setup.nm | 2 ++
 setup/sysctl/kernel-hardening.conf | 6 ++++++
 2 files changed, 8 insertions(+)
 create mode 100644 setup/sysctl/kernel-hardening.conf
diff --git a/setup/setup.nm b/setup/setup.nm index 78d1a5df3..f1dd3c177 100644 --- a/setup/setup.nm +++ b/setup/setup.nm @@ -53,6 +53,8 @@ build %{BUILDROOT}%{sysconfdir}/sysctl.d/printk.conf install -m 644 %{DIR_APP}/sysctl/swappiness.conf \ %{BUILDROOT}%{sysconfdir}/sysctl.d/swappiness.conf
install -m 644 %{DIR_APP}/sysctl/kernel-hardening.conf \
end%{BUILDROOT}%{sysconfdir}/sysctl.d/kernel-hardening.conf
end
diff --git a/setup/sysctl/kernel-hardening.conf b/setup/sysctl/kernel-hardening.conf new file mode 100644 index 000000000..6751bbef6 --- /dev/null +++ b/setup/sysctl/kernel-hardening.conf @@ -0,0 +1,6 @@ +# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). +kernel.kptr_restrict = 1
+# Avoid kernel memory address exposures via dmesg. +kernel.dmesg_restrict = 1
-- 2.16.4
Hello Michael,
Hello,
I merged this and edited the release number of the setup package.
Thank you - I am not very sure about handling the release numbers. Glad you fixed this for me. :-)
For pakfire to recognise changes, the release number (or version number) has to be increased. Since this package does not follow an upstream one, it would have been only the release. I did that for you.
Why did we say again this should live in the setup package and not the kernel?
As far as I can recall, we did not. However, this patch contains sysctl parameters, so I guess it makes sense to include them in the sysctl package. Kernel flags, for example, will be patched in the kernel package.
Thanks, and best regards, Peter Müller
-Michael
Microsoft DNS service terminates abnormally when it receives a response to a DNS query that was never made. Fix Information: Run your DNS service on a different platform. -- bugtraq
On 7 Jan 2019, at 17:04, Peter Müller peter.mueller@link38.eu wrote:
Hello Michael,
Hello,
I merged this and edited the release number of the setup package.
Thank you - I am not very sure about handling the release numbers. Glad you fixed this for me. :-)
For pakfire to recognise changes, the release number (or version number) has to be increased. Since this package does not follow an upstream one, it would have been only the release. I did that for you.
Why did we say again this should live in the setup package and not the kernel?
As far as I can recall, we did not. However, this patch contains sysctl parameters, so I guess it makes sense to include them in the sysctl package. Kernel flags, for example, will be patched in the kernel package.
To be honest, I do not have a better place where this could live.
However, these flags are closely tied to the kernel, so the kernel package would make sense. However, multiple of those can be installed at the same time and loading incompatible settings might happen.
We will leave this for now until we have a better idea.
Best, -Michael
Thanks, and best regards, Peter Müller
-Michael