From 4898a9e753e9399e83e4a39d8fa340e1ad9d4f6d Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Thu, 16 Apr 2020 07:54:33 -0400
Subject: [PATCH] fix, sysctl-initramfs: switch log to /run/initramfs/sysctl-initramfs-error.log since ephemeral, in RAM, not written to disk, no conflict with grub-live https://forums.whonix.org/t/kernel-hardening/7296/435
---
 .../scripts/init-bottom/sysctl-initramfs | 17 +++++------------
 1 file changed, 5 insertions(+), 12 deletions(-)
diff --git a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs
index 1de700d..58558fd 100755
--- a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs
+++ b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs
@@ -15,19 +15,12 @@ prereqs)
 ;;
 esac
-## ${rootmnt} is mounted read-only in the initramfs so it needs to be remounted first.
-if mount | grep "${rootmnt}" | grep -q "(ro,"; then remount="yes" mount -o remount,rw "${rootmnt}" fi
+## Write to '/run/initramfs' folder.
+## https://forums.whonix.org/t/kernel-hardening/7296/435
-sysctl -p ${rootmnt}/etc/sysctl.conf >/dev/null 2> "${rootmnt}/var/log/sysctl-initramfs-error.log"
-sysctl -p ${rootmnt}/etc/sysctl.d/*.conf >/dev/null 2>> "${rootmnt}/var/log/sysctl-initramfs-error.log"
+sysctl -p ${rootmnt}/etc/sysctl.conf >/dev/null 2> "/run/initramfs/sysctl-initramfs-error.log"
+sysctl -p ${rootmnt}/etc/sysctl.d/*.conf >/dev/null 2>> "/run/initramfs/sysctl-initramfs-error.log"
-if [ "${remount}" = "yes" ]; then mount -o remount,ro "${rootmnt}" fi
-
-grep -v "unprivileged_userfaultfd" "${rootmnt}/var/log/sysctl-initramfs-error.log"
+grep -v "unprivileged_userfaultfd" "/run/initramfs/sysctl-initramfs-error.log"
 true
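Review bot: The new `2>`/`2>>` redirections on the two `sysctl -p` lines require `/run/initramfs` to already exist when this init-bottom script runs; if it does not, the shell fails the redirection before `sysctl` starts and the hardening settings are silently skipped, since the script ends with `true` and the later `grep` only reports on a file that was never created. I believe initramfs-tools creates that directory early in `init`, but an explicit guard is cheap and makes the dependency visible: add `mkdir -p /run/initramfs` before the first `sysctl` line. The new `## Write to '/run/initramfs' folder.` comment would also be more useful if it stated why this location works, e.g. `## /run is a tmpfs that initramfs-tools moves into the real root, so the log survives switch_root without remounting ${rootmnt} rw.` — confirm against the local initramfs-tools version. Minor style point: `${rootmnt}` is unquoted in both sysctl lines while the log path is quoted; `"${rootmnt}"/etc/sysctl.d/*.conf` keeps the glob and is consistent. The hunk starts inside a `case` statement whose head is outside the hunk.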