Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-11-26 16:46:49 -05:00
Code Issues Projects Releases Packages Wiki Activity

Merge branch 'trixie_docs' into arraybolt3/trixie

Browse source
This commit is contained in:
Aaron Rainbolt 2025-08-15 16:06:35 -05:00
commit a2a9e8440b
No known key found for this signature in database
GPG key ID: A709160D73C79109
5 changed files with 9 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

9
usr/lib/sysctl.d/990-security-misc.conf
View file

@ -197,19 +197,17 @@ kernel.perf_event_paranoid=3
## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
## Can lead to privilege escalation by pushing characters into a controlling TTY.
## Will break out-dated screen readers that continue to rely on this legacy functionality.
## Note this was already disabled by default as of Linux kernel 6.2.
##
## https://lore.kernel.org/lkml/20221228205726.rfevry7ud6gmttg5@begin/T/
##
## KSPP=yes
## KSPP sets the sysctl and does not set CONFIG_LEGACY_TIOCSTI.
##
## TODO: Debian 13 Trixie
## This is disabled by default when using Linux kernel >= 6.2.
##
dev.tty.legacy_tiocsti=0
## Disable asynchronous I/O for all processes.
## Leading cause of numerous kernel exploits.
## Use of io_uring has been the leading cause of numerous kernel exploits.
## Disabling will reduce the read/write performance of storage devices.
##
## https://en.wikipedia.org/wiki/Io_uring#Security
@ -218,9 +216,6 @@ dev.tty.legacy_tiocsti=0
## https://github.com/moby/moby/pull/46762
## https://forums.whonix.org/t/io-uring-security-vulnerabilties/16890
##
## TODO: Debian 13 Trixie
## Applicable when using Linux kernel >= 6.6 (retained here for future-proofing and completeness).
##
kernel.io_uring_disabled=2
## 2. User Space: