Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2024-10-01 08:25:45 -04:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #77 from madaidan/debugfs

Browse Source 
Restrict access to debugfs
This commit is contained in:
Patrick Schleizer 2020-10-03 18:09:07 +00:00 committed by GitHub
commit 58560138cd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
debian/control vendored
View File

@ -126,6 +126,9 @@ Description: enhances misc security settings
* Restricts loading line disciplines to `CAP_SYS_MODULE`. * Restricts loading line disciplines to `CAP_SYS_MODULE`.
. .
* Restricts the `userfaultfd()` syscall to root. * Restricts the `userfaultfd()` syscall to root.
.
* Access to debugfs is restricted as it can contain a lot of sensitive
information.
. .
Improve Entropy Collection Improve Entropy Collection
. .

5
etc/default/grub.d/40_kernel_hardening.cfg
View File

@ -66,3 +66,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy"
## Remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT because "quiet" must be first. ## Remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT because "quiet" must be first.
GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | str_replace "quiet" "")" GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | str_replace "quiet" "")"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet loglevel=0" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet loglevel=0"
## Restrict access to debugfs since it can contain a lot of sensitive information.
## https://lkml.org/lkml/2020/7/16/122
## https://github.com/torvalds/linux/blob/fb1201aececc59990b75ef59fca93ae4aa1e1444/Documentation/admin-guide/kernel-parameters.txt#L835-L848
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"