Merge remote-tracking branch 'origin/master'

2024-12-25 18:19:25 -05:00 · 2020-03-11 09:08:41 -04:00 · 2020-03-11 09:08:41 -04:00 · e6e7886a6e
commit e6e7886a6e
parent 04a87f7029 711e786be5
2 changed files with 4 additions and 5 deletions
--- a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs
+++ b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs
@ -15,7 +15,8 @@ prereqs)
        ;;
 esac

-sysctl -p ${rootmnt}/etc/sysctl.conf >/dev/null
-sysctl -p ${rootmnt}/etc/sysctl.d/*.conf >/dev/null
+sysctl -p ${rootmnt}/etc/sysctl.conf >/dev/null 2>${rootmnt}/var/log/sysctl-initramfs-error.log
+sysctl -p ${rootmnt}/etc/sysctl.d/*.conf >/dev/null 2>>${rootmnt}/var/log/sysctl-initramfs-error.log
+grep -v "unprivileged_userfaultfd" /var/log/sysctl-initramfs-error.log

 true
--- a/etc/sysctl.d/30_security-misc.conf
+++ b/etc/sysctl.d/30_security-misc.conf
@ -134,10 +134,8 @@ kernel.sysrq=132
 ## https://lkml.org/lkml/2019/4/15/890
 dev.tty.ldisc_autoload=0

-## Disable for now.
-## https://forums.whonix.org/t/kernel-hardening/7296/406
 ## Restrict the userfaultfd() syscall to root as it can make heap sprays
 ## easier.
 ##
 ## https://duasynt.com/blog/linux-kernel-heap-spray
-#vm.unprivileged_userfaultfd=0
+vm.unprivileged_userfaultfd=0