Merge pull request #126 from raja-grewal/Comment

Update comments
This commit is contained in:
Patrick Schleizer 2023-05-15 12:57:46 -04:00 committed by GitHub
commit b0b73db3c8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 8 additions and 4 deletions

View File

@ -386,10 +386,6 @@ https://github.com/ioerror/torbirdy/pull/11
Some hardening is opt-in as it causes too much breakage to be enabled by
default.
* TCP SACK can be disabled as it is commonly exploited and is rarely used by
uncommenting settings in the `/etc/sysctl.d/30_security-misc.conf`
configuration file.
* An optional systemd service mounts `/proc` with `hidepid=2` at boot to
prevent users from seeing another user's processes. This is disabled by
default because it is incompatible with `pkexec`. It can be enabled by

View File

@ -36,6 +36,14 @@ net.core.bpf_jit_harden=2
## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
kernel.kptr_restrict=2
## Improves ASLR effectiveness for mmap.
## Both explicit sysctl are made redundant due to automation
## https://forums.whonix.org/t/automate-mmap-randomisation-to-fix-ppc64el/16514
## Do NOT enable either - displaying only for clarity
##
#vm.mmap_rnd_bits=32
#vm.mmap_rnd_compat_bits=16
## Restricts the use of ptrace to root. This might break some programs running under WINE.
## A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running:
##