Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-01-23 09:31:05 -05:00
Code Issues Packages Projects Releases Wiki Activity

move kexec disabling to dedicated file /etc/sysctl.d/30_security-misc_kexec-disable.conf

Browse Source 
so ram-wipe can `config-package-dev` `hide` this config file
This commit is contained in:
Patrick Schleizer 2023-01-25 15:13:19 -05:00
parent 56c7c57b3a
commit 65c29f493b
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
2 changed files with 10 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
etc/sysctl.d/30_security-misc.conf
View File

@ -30,15 +30,6 @@ fs.protected_hardlinks=1
kernel.unprivileged_bpf_disabled=1 kernel.unprivileged_bpf_disabled=1
net.core.bpf_jit_harden=2 net.core.bpf_jit_harden=2
## Quote https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html
##
## kexec_load_disabled:
##
## A toggle indicating if the kexec_load syscall has been disabled. This value defaults to 0 (false: kexec_load enabled), but can be set to 1 (true: kexec_load disabled). Once true, kexec can no longer be used, and the toggle cannot be set back to false. This allows a kexec image to be loaded before disabling the syscall, allowing a system to set up (and later use) an image without it being altered. Generally used together with the "modules_disabled" sysctl.
## Disables kexec which can be used to replace the running kernel.
kernel.kexec_load_disabled=1
## Hides kernel addresses in various files in /proc. ## Hides kernel addresses in various files in /proc.
## Kernel addresses can be very useful in certain exploits. ## Kernel addresses can be very useful in certain exploits.
## ##

10
etc/sysctl.d/30_security-misc_kexec-disable.conf Normal file
View File

@ -0,0 +1,10 @@
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Quote https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html
##
## kexec_load_disabled:
##
## A toggle indicating if the kexec_load syscall has been disabled. This value defaults to 0 (false: kexec_load enabled), but can be set to 1 (true: kexec_load disabled). Once true, kexec can no longer be used, and the toggle cannot be set back to false. This allows a kexec image to be loaded before disabling the syscall, allowing a system to set up (and later use) an image without it being altered. Generally used together with the "modules_disabled" sysctl.
## Disables kexec which can be used to replace the running kernel.
kernel.kexec_load_disabled=1