Merge pull request #5 from madaidan/patch-1

More kernel hardening

etc/default/grub.d/40_kernel_hardening.cfg

@@ -0,0 +1,11 @@
+# Disables the merging of slabs of similar sizes. Sometimes a slab can be used in a vulnerable way which an attacker can exploit.
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge"
+
+# Enables sanity checks (F), redzoning (Z) and poisoning (P). 
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_debug=FZP"
+
+# Wipes free memory so it can't leak in various ways and prevents some use-after-free vulnerabilites. 
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_poison=1"
+
+# Makes the kernel panic on uncorrectable errors in ECC memory that an attacker could exploit. 
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0"

etc/sysctl.d/harden_bpf.conf

@@ -0,0 +1,3 @@
+# Hardens the BPF JIT compiler and restricts it to root.
+kernel.unprivileged_bpf_disabled=1
+net.core.bpf_jit_harden=2

etc/sysctl.d/kptr_restrict.conf

@@ -0,0 +1,2 @@
+# Hides kernel symbols in /proc/kallsyms 
+kernel.kptr_restrict=2 

etc/sysctl.d/mmap_aslr.conf

@@ -0,0 +1,3 @@
+# Improves KASLR effectiveness for mmap.
+vm.mmap_rnd_bits=32
+vm.mmap_rnd_compat_bits=16