From b3c84ac50cce7f7f9a045a1b8a43adc77408bf6e Mon Sep 17 00:00:00 2001
From: Tad
Date: Sun, 18 Dec 2016 09:51:27 -0500
Subject: [PATCH] Misc hardening
Change-Id: I19525796263febdcf616fcf82eb5bb714a236a0d
---
 init/init.cpp | 6 +++---
 rootdir/init.rc | 16 ++++++++++++++++
 2 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/init/init.cpp b/init/init.cpp
index 9992b47..fa82d3b 100755
--- a/init/init.cpp
+++ b/init/init.cpp
@@ -573,10 +573,10 @@ int main(int argc, char** argv) {
 mount("tmpfs", "/dev", "tmpfs", MS_NOSUID, "mode=0755");
 mkdir("/dev/pts", 0755);
 mkdir("/dev/socket", 0755);
- mount("devpts", "/dev/pts", "devpts", 0, NULL);
+ mount("devpts", "/dev/pts", "devpts", MS_NOSUID|MS_NOEXEC, NULL);
 #define MAKE_STR(x) __STRING(x)
- mount("proc", "/proc", "proc", 0, "hidepid=2,gid=" MAKE_STR(AID_READPROC));
- mount("sysfs", "/sys", "sysfs", 0, NULL);
+ mount("proc", "/proc", "proc", MS_NOSUID|MS_NODEV|MS_NOEXEC, "hidepid=2,gid=" MAKE_STR(AID_READPROC));
+ mount("sysfs", "/sys", "sysfs", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL);
 }
 // We must have some place other than / to create the device nodes for
diff --git a/rootdir/init.rc b/rootdir/init.rc
index cd97776..38e68d1 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -122,6 +122,7 @@ on init
 write /proc/sys/kernel/sched_child_runs_first 0
 write /proc/sys/kernel/randomize_va_space 2
+ write /proc/sys/kernel/dmesg_restrict 1
 write /proc/sys/kernel/kptr_restrict 2
 write /proc/sys/vm/mmap_min_addr 32768
 write /proc/sys/net/ipv4/ping_group_range "0 2147483647"
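Review bot: The tmpfs mounted on /dev on the hunk's first context line still carries only MS_NOSUID, while devpts directly below it now gets MS_NOSUID|MS_NOEXEC; if nothing on this build needs to execute from /dev, `mount("tmpfs", "/dev", "tmpfs", MS_NOSUID|MS_NOEXEC, "mode=0755");` would close the same gap (MS_NODEV is naturally impossible there). Leaving MS_NODEV off devpts looks deliberate, since pty entries are character devices, but that deserves a one-line comment such as `// no MS_NODEV: the pty nodes under /dev/pts are character devices`. None of the mount() return values are checked, so a kernel that rejects hidepid=2 or one of the new flag combinations leaves the filesystem unmounted silently; that predates this change, but with the hardened flags a failed mount is now a security-relevant event worth at least logging. The block closed by the `}` near the end of the hunk opens outside it, and main() itself begins and ends outside the hunk.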
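Review bot: The new dmesg_restrict write carries no comment stating its effect, and unlike kptr_restrict on the line below it changes who can read the kernel log at all: with value 1, reading /dev/kmsg or running dmesg requires CAP_SYSLOG, so any service that consumes the kernel log (the klogd side of logd, bug-report tooling) must hold that capability or it will start failing with EPERM. I would confirm those services are granted CAP_SYSLOG in their service definitions before landing this, and add `# kernel log readable only with CAP_SYSLOG; logd's klogd and dumpstate must keep it` above the write. The on init section this sits in continues outside the hunk.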
@@ -140,6 +141,21 @@ on init
 write /proc/sys/net/ipv4/conf/all/accept_redirects 0
 write /proc/sys/net/ipv6/conf/all/accept_redirects 0
+ # IPv4 hardening
+ #
+ # reverse path filtering is done with netfilter for consistency with IPv6
+ write /proc/sys/net/ipv4/tcp_rfc1337 1
+ write /proc/sys/net/ipv4/conf/all/accept_source_route 0
+ write /proc/sys/net/ipv4/conf/default/accept_source_route 0
+ write /proc/sys/net/ipv4/conf/default/accept_redirects 0
+ write /proc/sys/net/ipv4/conf/all/send_redirects 0
+ write /proc/sys/net/ipv4/conf/default/send_redirects 0
+
+ # IPv6 hardening
+ write /proc/sys/net/ipv6/conf/default/accept_redirects 0
+ write /proc/sys/net/ipv6/conf/all/use_tempaddr 2
+ write /proc/sys/net/ipv6/conf/default/use_tempaddr 2
+
 # Create cgroup mount points for process groups
 mkdir /dev/cpuctl
 mount cgroup none /dev/cpuctl cpu
--
2.9.3
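Review bot: The added comment `# reverse path filtering is done with netfilter for consistency with IPv6` points at rules this patch does not contain, so a reader of init.rc cannot tell where reverse-path filtering actually happens; either name the file that installs those rules in the comment or drop the claim. The IPv6 block also has no counterpart to the two IPv4 accept_source_route writes; if parity is the intent, note that the IPv6 knob's semantics differ (as documented for the kernel, 0 still accepts type-2 routing headers and only a negative value rejects all), so the right value should be checked before a `write /proc/sys/net/ipv6/conf/all/accept_source_route` line is added. As far as I recall the IPv6 `conf/all/` entries for use_tempaddr and accept_redirects are not consulted by the kernel the way the IPv4 ones are (per-interface values inherited from `default/` are what take effect), so the `all/use_tempaddr` write is probably a no-op and worth either a comment or a check on a target kernel. The on init section continues outside the hunk.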