Merge pull request #53 from madaidan/sysctl-initramfs

Set sysctl values in initramfs
2025-04-20 21:56:27 -04:00 · 2020-01-15 11:02:30 +00:00 · 2020-01-15 11:02:30 +00:00 · 087465a0cd
commit 087465a0cd
parent 80159545a5 528c5fc4c4
3 changed files with 42 additions and 0 deletions
--- a/debian/control
+++ b/debian/control
@ -116,6 +116,9 @@ Description: enhances misc security settings
 .
  * The vivid kernel module is blacklisted as it's only required for testing
 and has been the cause of multiple vulnerabilities.
+ .
+  * An initramfs hook sets the sysctl values in /etc/sysctl.d before init
+ is executed so our hardening is enabled as early as possible.
 .
  * The kernel panics on oopses to prevent it from continuing to run a flawed
 process and to deter brute forcing.
--- a/etc/initramfs-tools/hooks/sysctl-initramfs
+++ b/etc/initramfs-tools/hooks/sysctl-initramfs
@ -0,0 +1,21 @@
+#!/bin/sh
+
+## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+set -e
+
+PREREQ=""
+prereqs()
+{
+        echo "$PREREQ"
+}
+case $1 in
+prereqs)
+       prereqs
+       exit 0
+       ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+copy_exec /sbin/sysctl /sbin
--- a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs
+++ b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs
@ -0,0 +1,18 @@
+#!/bin/sh
+
+## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+PREREQ=""
+prereqs()
+{
+        echo "$PREREQ"
+}
+case $1 in
+prereqs)
+        prereqs
+        exit 0
+        ;;
+esac
+
+sysctl -p ${rootmnt}/etc/sysctl.d/*.conf