Git-Mirrors/graphene-os-server-infrastructure
1
0
Fork 0
mirror of https://github.com/GrapheneOS/infrastructure.git synced 2025-01-03 02:50:47 -05:00
Code Issues Packages Projects Releases Wiki Activity

disable io_uring without CAP_SYS_ADMIN or io_uring group

Browse Source
This commit is contained in:
Daniel Micay 2024-07-01 23:11:17 -04:00
parent 6e6957876e
commit 01201c0ece
2 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
deploy-initial
View File

@ -59,6 +59,7 @@ rsync -cv nftables/nftables-${hosts_firewall[$host]:-web}.conf $remote:/mnt/etc/
ssh $remote "arch-chroot /mnt systemctl enable chronyd.service fstrim.timer logrotate.timer nftables.service plocate-updatedb.timer systemd-networkd.service sshd.service unbound.service" ssh $remote "arch-chroot /mnt systemctl enable chronyd.service fstrim.timer logrotate.timer nftables.service plocate-updatedb.timer systemd-networkd.service sshd.service unbound.service"
ssh $remote "arch-chroot /mnt systemctl disable remote-fs.target systemd-network-generator.service" ssh $remote "arch-chroot /mnt systemctl disable remote-fs.target systemd-network-generator.service"
ssh $remote "arch-chroot /mnt groupadd -g 2000 io_uring"
ssh $remote "umask 077 && dd if=/dev/random of=/mnt/swapfile bs=1M count=$swap status=progress" ssh $remote "umask 077 && dd if=/dev/random of=/mnt/swapfile bs=1M count=$swap status=progress"

3
sysctl.d/local.conf
View File

@ -53,6 +53,9 @@ kernel.unprivileged_userns_clone = 0
kernel.unprivileged_bpf_disabled = 1 kernel.unprivileged_bpf_disabled = 1
net.core.bpf_jit_harden = 2 net.core.bpf_jit_harden = 2
kernel.io_uring_disabled = 1
kernel.io_uring_group = 2000
kernel.kexec_load_disabled = 1 kernel.kexec_load_disabled = 1
fs.protected_regular = 2 fs.protected_regular = 2