From 0ea7dd161b3e643c23624e6dcb450116824b6301 Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Fri, 14 Feb 2020 17:50:19 +0000
Subject: [PATCH] Restrict loading line disciplines to CAP_SYS_MODULE

---
 etc/sysctl.d/30_security-misc.conf | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf
index 4c17bcb..8305bd1 100644
--- a/etc/sysctl.d/30_security-misc.conf
+++ b/etc/sysctl.d/30_security-misc.conf
@@ -118,3 +118,8 @@ net.ipv4.conf.all.rp_filter=1
 net.ipv4.tcp_timestamps=0
 
 #### meta end
+
+## Restrict loading line disciplines to CAP_SYS_MODULE to prevent
+## unprivileged attackers from loading vulnerable line disciplines
+## with the TIOCSETD ioctl to exploit them.
+dev.tty.ldisc_autoload=0
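Review bot: The new `dev.tty.ldisc_autoload=0` key only exists on kernels built with the knob (introduced together with CONFIG_LDISC_AUTOLOAD in Linux 5.1, as far as I recall), so on an older kernel the sysctl loader reports this line as a missing key and the protection simply does not apply; the header comment should state that requirement so an operator reading the log knows it is expected rather than a typo. It is also worth documenting the limit of the mitigation: the value 0 only refuses the request_module() path for line disciplines that are not yet registered, while built-in or already-loaded ones remain selectable through TIOCSETD by unprivileged users, so this complements module blacklisting rather than replacing it. I would extend the comment with `## Requires a kernel with CONFIG_LDISC_AUTOLOAD (Linux 5.1+); older kernels report this key as missing.` and `## Note: only not-yet-loaded line disciplines are affected; built-in or already loaded ones can still be selected.`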