diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index b526ee7..b813b48 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -172,6 +172,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
 ##
 ## https://lore.kernel.org/all/20230623111409.3047467-7-nik.borisov@suse.com/
 ##
+## TODO: Debian 13 Trixie
 ## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness).
 ##
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0"
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 0b46477..1194489 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -130,10 +130,12 @@ kernel.randomize_va_space=2
 ## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
 ## Can lead to privilege escalation by pushing characters into a controlling TTY.
 ## Will break out-dated screen readers that continue to rely on this legacy functionality.
-## This is disabled by default when using Linux kernel >= 6.2.
 ##
 ## https://lore.kernel.org/lkml/20221228205726.rfevry7ud6gmttg5@begin/T/
 ##
+## TODO: Debian 13 Trixie
+## This is disabled by default when using Linux kernel >= 6.2.
+##
 dev.tty.legacy_tiocsti=0
 
 ## Disable asynchronous I/O for all processes.
@@ -146,6 +148,7 @@ dev.tty.legacy_tiocsti=0
 ## https://github.com/moby/moby/pull/46762
 ## https://forums.whonix.org/t/io-uring-security-vulnerabilties/16890
 ##
+## TODO: Debian 13 Trixie
 ## Applicable when using Linux kernel >= 6.6 (retained here for future-proofing and completeness).
 ##
 kernel.io_uring_disabled=2
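Review bot: The added `## TODO: Debian 13 Trixie` marker in this hunk (and the identical ones in the two sysctl hunks for `dev.tty.legacy_tiocsti=0` and `kernel.io_uring_disabled=2`) names a release but not an action, so the next maintainer has to reconstruct what is meant to change when Trixie becomes the target. Presumably the intent is to uncomment `ia32_emulation=0` once the shipped kernel satisfies the ">= 6.7" note, and to re-check the two sysctl lines against their ">= 6.2" and ">= 6.6" thresholds; the comment should say so, e.g. `## TODO: Debian 13 Trixie - enable once the default kernel is >= 6.7 (see version note below).` For the TIOCSTI hunk, the moved "disabled by default when using Linux kernel >= 6.2" line reads as a hint that the explicit setting could be dropped; a kernel default can differ by build configuration, so it is worth stating that the explicit `dev.tty.legacy_tiocsti=0` is intentionally kept as a pin rather than left for removal.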