Add some notices for future Debian 13 rebase

Raja Grewal 2024-08-09 13:33:32 +10:00
parent 0b0683499a
commit d8bcec881f
No known key found for this signature in database
GPG Key ID: 92CA473C156B64C4
2 changed files with 5 additions and 1 deletions

@ -172,6 +172,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
## ##
## https://lore.kernel.org/all/20230623111409.3047467-7-nik.borisov@suse.com/ ## https://lore.kernel.org/all/20230623111409.3047467-7-nik.borisov@suse.com/
## ##
## TODO: Debian 13 Trixie
## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness). ## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness).
## ##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0" #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0"
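Review bot: The new "## TODO: Debian 13 Trixie" line above the "Applicable when using Linux kernel >= 6.7" comment does not say what has to happen at the rebase. Since the `ia32_emulation=0` line is still commented out, the option is not in effect today, so the TODO should state the action, for example "## TODO: Debian 13 Trixie: uncomment once the shipped kernel is >= 6.7", and the "(retained here for future-proofing and completeness)" parenthetical can then be dropped in the same change.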

@ -130,10 +130,12 @@ kernel.randomize_va_space=2
## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. ## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
## Can lead to privilege escalation by pushing characters into a controlling TTY. ## Can lead to privilege escalation by pushing characters into a controlling TTY.
## Will break out-dated screen readers that continue to rely on this legacy functionality. ## Will break out-dated screen readers that continue to rely on this legacy functionality.
## This is disabled by default when using Linux kernel >= 6.2.
## ##
## https://lore.kernel.org/lkml/20221228205726.rfevry7ud6gmttg5@begin/T/ ## https://lore.kernel.org/lkml/20221228205726.rfevry7ud6gmttg5@begin/T/
## ##
## TODO: Debian 13 Trixie
## This is disabled by default when using Linux kernel >= 6.2.
##
dev.tty.legacy_tiocsti=0 dev.tty.legacy_tiocsti=0
## Disable asynchronous I/O for all processes. ## Disable asynchronous I/O for all processes.
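Review bot: After the move under "## TODO: Debian 13 Trixie", the sentence "This is disabled by default when using Linux kernel >= 6.2." no longer follows the description it referred to, so "This" is ambiguous, and the TODO does not say whether `dev.tty.legacy_tiocsti=0` is to be kept or removed after the rebase. Suggest naming the subject ("Legacy TIOCSTI is disabled by default ...") and recording the decision in the TODO; keeping the explicit `dev.tty.legacy_tiocsti=0` is the safer choice for a hardening file, because it does not depend on the default of whichever kernel is installed.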
@ -146,6 +148,7 @@ dev.tty.legacy_tiocsti=0
## https://github.com/moby/moby/pull/46762 ## https://github.com/moby/moby/pull/46762
## https://forums.whonix.org/t/io-uring-security-vulnerabilties/16890 ## https://forums.whonix.org/t/io-uring-security-vulnerabilties/16890
## ##
## TODO: Debian 13 Trixie
## Applicable when using Linux kernel >= 6.6 (retained here for future-proofing and completeness). ## Applicable when using Linux kernel >= 6.6 (retained here for future-proofing and completeness).
## ##
kernel.io_uring_disabled=2 kernel.io_uring_disabled=2
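Review bot: The "## TODO: Debian 13 Trixie" added above "Applicable when using Linux kernel >= 6.6" gives no action, and unlike the `ia32_emulation=0` case the setting here is already active (`kernel.io_uring_disabled=2` is not commented out). If the only follow-up is to delete the "(retained here for future-proofing and completeness)" parenthetical once the shipped kernel is >= 6.6, say so in the TODO so the three identical markers in this commit are not read as the same task.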