Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-05-02 05:56:02 -04:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #77 from madaidan/debugfs

Browse source 
Restrict access to debugfs
This commit is contained in:
Patrick Schleizer 2020-10-03 18:09:07 +00:00 committed by GitHub
commit 58560138cd
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 8 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

3
debian/control vendored
View file

@ -126,6 +126,9 @@ Description: enhances misc security settings
* Restricts loading line disciplines to `CAP_SYS_MODULE`.
.
* Restricts the `userfaultfd()` syscall to root.
.
* Access to debugfs is restricted as it can contain a lot of sensitive
information.
.
Improve Entropy Collection
.

5
etc/default/grub.d/40_kernel_hardening.cfg
View file

@ -66,3 +66,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy"
## Remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT because "quiet" must be first.
GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | str_replace "quiet" "")"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet loglevel=0"
## Restrict access to debugfs since it can contain a lot of sensitive information.
## https://lkml.org/lkml/2020/7/16/122
## https://github.com/torvalds/linux/blob/fb1201aececc59990b75ef59fca93ae4aa1e1444/Documentation/admin-guide/kernel-parameters.txt#L835-L848
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"