Move kernel.panic=-1 setting to sysctl, allow turning panic-on-oops off with systemctl

This commit is contained in:
Aaron Rainbolt 2025-12-11 18:47:42 -06:00
parent 725565c42e
commit 135ee80450
No known key found for this signature in database
GPG key ID: A709160D73C79109
3 changed files with 22 additions and 20 deletions


@ -196,9 +196,7 @@ kernel.perf_event_paranoid=3
## KSPP=yes ## KSPP=yes
## KSPP sets CONFIG_PANIC_TIMEOUT=-1. ## KSPP sets CONFIG_PANIC_TIMEOUT=-1.
## ##
## See /usr/libexec/security-misc/panic-on-oops for implementation. kernel.panic=-1
##
#kernel.panic=-1
## Force immediate kernel panic on OOM (out of memory) scenarios. ## Force immediate kernel panic on OOM (out of memory) scenarios.
## Registers a kernel panic whenever the oom_killer is triggered to kill some rouge process based on their OOM score. ## Registers a kernel panic whenever the oom_killer is triggered to kill some rouge process based on their OOM score.
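Review bot: The new active `kernel.panic=-1` line carries no explanation of its effect; the only comment left next to it says that KSPP sets CONFIG_PANIC_TIMEOUT=-1, while the rationale that previously accompanied this setting in panic-on-oops (reboot immediately on a single panic to limit denial-of-service and cold/warm boot attack windows, with the kernel docs link) is deleted in that script and not carried over here. Unless the lines above 196, which are outside this hunk, already cover it, I would restore it as `## Reboot immediately on a kernel panic instead of halting indefinitely.` followed by `## https://docs.kernel.org/admin-guide/sysctl/kernel.html#panic` directly above the setting. The removed "See /usr/libexec/security-misc/panic-on-oops for implementation." pointer is correctly dropped, since that script no longer touches kernel.panic.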


@ -14,7 +14,8 @@ After=getty.target
[Service] [Service]
Type=oneshot Type=oneshot
RemainAfterExit=yes RemainAfterExit=yes
ExecStart=/usr/libexec/security-misc/panic-on-oops ExecStart=/usr/libexec/security-misc/panic-on-oops enable
ExecStop=/usr/libexec/security-misc/panic-on-oops disable
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
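Review bot: The new `ExecStop=/usr/libexec/security-misc/panic-on-oops disable` line runs not only on an explicit `systemctl stop`, but, because the unit is `Type=oneshot` with `RemainAfterExit=yes` and thus stays active, presumably also when systemd stops units during shutdown, which would clear the oops/warn limits for the remainder of the shutdown sequence. If the intent is only to let an administrator toggle the hardening off, this is worth stating in a comment on the unit, e.g. `# ExecStop also runs at shutdown; the oops/warn limits are lifted from that point on.`, or verifying against systemd's shutdown ordering whether that window matters here. The preceding `[Unit]` section is outside this hunk.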


@ -12,20 +12,23 @@ if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then
source /usr/libexec/helper-scripts/pre.bsh source /usr/libexec/helper-scripts/pre.bsh
fi fi
## Makes the kernel immediately panic on both oopses and warnings. action="${1:-}"
## These settings force a full system crash rather than continuing
## to run after an inconsistent state is triggered by a potentially
## flawed processes. The reasons for the errors could be kernel
## exploit attempts but may also simply be general software bugs.
##
## https://docs.kernel.org/admin-guide/sysctl/kernel.html#oops-limit
sysctl kernel.oops_limit=1
## https://docs.kernel.org/admin-guide/sysctl/kernel.html#warn-limit
sysctl kernel.warn_limit=1
## Makes the system immediately reboot on the occurrence of a single if [ "${action}" = 'enable' ]; then
## kernel panic. This reduces the risk and impact of denial-of-service ## Makes the kernel immediately panic on both oopses and warnings.
## attacks and both cold and warm boot attacks. ## These settings force a full system crash rather than continuing
## ## to run after an inconsistent state is triggered by a potentially
## https://docs.kernel.org/admin-guide/sysctl/kernel.html#panic ## flawed processes. The reasons for the errors could be kernel
sysctl kernel.panic=-1 ## exploit attempts but may also simply be general software bugs.
##
## https://docs.kernel.org/admin-guide/sysctl/kernel.html#oops-limit
sysctl kernel.oops_limit=1
## https://docs.kernel.org/admin-guide/sysctl/kernel.html#warn-limit
sysctl kernel.warn_limit=1
elif [ "${action}" = 'disable' ]; then
sysctl kernel.oops_limit=0
sysctl kernel.warn_limit=0
else
printf '%s\n' "ERROR: Unrecognized action '${action}'!"
exit 1
fi
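Review bot: The `disable` branch sets `kernel.oops_limit=0`, which per the linked kernel documentation disables oops counting entirely rather than restoring the kernel's stock default (documented as 10000), so a user who "turns the hardening off" ends up with less protection than an untouched system; I would use `sysctl kernel.oops_limit=10000` there (0 is the documented default for `warn_limit`, so that line is fine). The error branch prints to stdout; a diagnostic that is followed by `exit 1` belongs on stderr, `printf '%s\n' "ERROR: Unrecognized action '${action}'!" >&2`. None of the `sysctl` calls have their exit status checked, so unless pre.bsh (sourced above, body outside this hunk) enables `set -e`, a rejected write would leave the service reported as started with the limits unchanged; appending `|| exit 1` to each call, or a short `sysctl ... || { printf ... >&2; exit 1; }`, would make the failure visible to systemd.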