Merge remote-tracking branch 'raja/panic_limits' into arraybolt3/trixie

2025-11-26 12:16:27 -05:00 · 2025-08-17 13:52:01 -05:00 · 2025-08-17 13:52:01 -05:00 · b5a36e02f1
commit b5a36e02f1
parent 210aa97650 6df3e3cde8
4 changed files with 36 additions and 35 deletions
--- a/usr/libexec/security-misc/panic-on-oops
+++ b/usr/libexec/security-misc/panic-on-oops
@ -12,12 +12,15 @@ if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then
   source /usr/libexec/helper-scripts/pre.bsh
 fi

-## Makes the kernel panic on oopses and warnings. This prevents the
-## kernel from continuing to run a flawed processes. Many kernel
-## exploits will also cause an oops, these settings will make the
-## kernel kill the offending processes.
-#sysctl kernel.panic=-1
-sysctl kernel.panic_on_oops=1
-sysctl kernel.panic_on_warn=1
-#sysctl kernel.oops_limit=1
-#sysctl kernel.warn_limit=1
+## Makes the kernel immediately panic on both oopses and warnings.
+## These settings force a full system crash rather than continuing
+## to run after an inconsistent state is triggered by a potentially
+## flawed processes. The reasons for the errors could be kernel
+## exploit attempts but may also simply be general software bugs.
+sysctl kernel.oops_limit=1
+sysctl kernel.warn_limit=1
+
+## Makes the system immediately reboot on the occurrence of a single
+## kernel panic. This reduces the risk and impact of both denial of
+## service and cold boot attacks.
+sysctl kernel.panic=-1