From 65c29f493b56798bc67de7ea451f8f65d99d3093 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Wed, 25 Jan 2023 15:13:19 -0500
Subject: [PATCH] move kexec disabling to dedicated file `/etc/sysctl.d/30_security-misc_kexec-disable.conf` so ram-wipe can `config-package-dev` `hide` this config file

---
 etc/sysctl.d/30_security-misc.conf               | 9 ---------
 etc/sysctl.d/30_security-misc_kexec-disable.conf | 10 ++++++++++
 2 files changed, 10 insertions(+), 9 deletions(-)
 create mode 100644 etc/sysctl.d/30_security-misc_kexec-disable.conf

diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf
index 3862e1d..e5d1176 100644
--- a/etc/sysctl.d/30_security-misc.conf
+++ b/etc/sysctl.d/30_security-misc.conf
@@ -30,15 +30,6 @@ fs.protected_hardlinks=1
 kernel.unprivileged_bpf_disabled=1
 net.core.bpf_jit_harden=2
 
-## Quote https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html
-##
-## kexec_load_disabled:
-##
-## A toggle indicating if the kexec_load syscall has been disabled. This value defaults to 0 (false: kexec_load enabled), but can be set to 1 (true: kexec_load disabled). Once true, kexec can no longer be used, and the toggle cannot be set back to false. This allows a kexec image to be loaded before disabling the syscall, allowing a system to set up (and later use) an image without it being altered. Generally used together with the "modules_disabled" sysctl.
-
-## Disables kexec which can be used to replace the running kernel.
-kernel.kexec_load_disabled=1
-
 ## Hides kernel addresses in various files in /proc.
 ## Kernel addresses can be very useful in certain exploits.
 ##
diff --git a/etc/sysctl.d/30_security-misc_kexec-disable.conf b/etc/sysctl.d/30_security-misc_kexec-disable.conf
new file mode 100644
index 0000000..954a947
--- /dev/null
+++ b/etc/sysctl.d/30_security-misc_kexec-disable.conf
@@ -0,0 +1,10 @@
+## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Quote https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html
+##
+## kexec_load_disabled:
+##
+## A toggle indicating if the kexec_load syscall has been disabled. This value defaults to 0 (false: kexec_load enabled), but can be set to 1 (true: kexec_load disabled). Once true, kexec can no longer be used, and the toggle cannot be set back to false. This allows a kexec image to be loaded before disabling the syscall, allowing a system to set up (and later use) an image without it being altered. Generally used together with the "modules_disabled" sysctl.
+## Disables kexec which can be used to replace the running kernel.
+kernel.kexec_load_disabled=1
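Review bot: The new file gives no hint of why `kernel.kexec_load_disabled=1` now lives on its own instead of in `30_security-misc.conf`, so a later cleanup could merge it back and silently break the ram-wipe hide described in the commit message; a header comment above the quote would preserve that intent, e.g. `## Kept in a dedicated file so other packages (e.g. ram-wipe) can hide it via config-package-dev without touching 30_security-misc.conf.` and `## When this file is hidden, kexec_load stays enabled on that system; this is a deliberate trade-off.` The blank line that separated the quoted kernel documentation from the `## Disables kexec ...` comment in the old file was dropped in the move, so the last two comment lines now read as part of the quote; restoring the blank line before `## Disables kexec` keeps the quote and the rationale distinct. The copyright header still reads `2019 - 2022` although the file is created in 2023, which may be a copy-paste leftover worth updating.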