Add docs relating to panic on OOM

raja-grewal 2025-10-13 02:08:44 +00:00 committed by GitHub
parent 9db63d9777
commit f690b58870
GPG key ID: B5690EEEBB952194
2 changed files with 14 additions and 6 deletions


@ -52,9 +52,10 @@ configuration file and significant hardening is applied to a myriad of component
- Force immediate system reboot on the occurrence of a single kernel panic, reducing the - Force immediate system reboot on the occurrence of a single kernel panic, reducing the
risk and impact of denial of service attacks and both cold and warm boot attacks. risk and impact of denial of service attacks and both cold and warm boot attacks.
- Force immediate kernel panic on OOM. This is to avoid security features such as the screen - Force immediate kernel panic on OOM (out of memory) which the above setting will force
locker, kloak, emerg-shutdown from being arbitrarily terminated when the system starts an immediate system reboot, as opposed to placing any reliance on the oom_killer to
running out of memory. avoid arbitrarily terminating security features based on their OOM score. Note this creates
the risk of userspace-based denial of service attacks that maliciously fill memory.
- Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
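Review bot: the rewritten OOM bullet does not parse as a sentence: "Force immediate kernel panic on OOM (out of memory) which the above setting will force an immediate system reboot" is a run-on; suggest "Force immediate kernel panic on OOM (out of memory), which, combined with the setting above, forces an immediate system reboot instead of relying on the oom_killer to spare security features based on their OOM score." The closing sentence about userspace denial-of-service attacks that fill memory is the right caveat to keep, since that is the main trade-off of this default.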


@ -199,11 +199,18 @@ kernel.perf_event_paranoid=3
## ##
#kernel.panic=-1 #kernel.panic=-1
## Force immediate kernel panic on OOM. ## Force immediate kernel panic on OOM (out of memory) scenarios.
## This is to avoid security features such as the screen locker, kloak, emerg-shutdown ## Registers a kernel panic whenever the oom_killer is triggered to kill some rouge process based on their OOM score.
## from being arbitrarily terminated when the system starts running out of memory. ## Note that this must be used with kernel.panic=-1 for it to be function as intended.
## This prevents security features such as the screen locker, kloak, and emerg-shutdown from being arbitrarily terminated.
## Enabling these two together creates a risk of userspace-based denial-of-service attacks that maliciously fill memory.
## This opinionated default forces immediate system reboot rather than placing any reliance on the oom_killer.
##
## https://en.wikipedia.org/wiki/Out_of_memory
## https://forums.whonix.org/t/screen-locker-in-security-can-we-disable-these-at-least-4-backdoors/8128/14 ## https://forums.whonix.org/t/screen-locker-in-security-can-we-disable-these-at-least-4-backdoors/8128/14
## https://github.com/KSPP/kspp.github.io/issues/9
## https://github.com/Kicksecure/security-misc/issues/324 ## https://github.com/Kicksecure/security-misc/issues/324
##
vm.panic_on_oom=2 vm.panic_on_oom=2
## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. ## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
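Review bot: the new comment states this setting "must be used with kernel.panic=-1 for it to be function as intended", yet the `#kernel.panic=-1` line directly above in this hunk is commented out; either point to where kernel.panic=-1 is actually enabled or a reader will reasonably conclude that an OOM leaves the system hung in a panic rather than rebooting. Typos to fix in the same block: "some rouge process" should be "some rogue process", "based on their OOM score" should agree with the singular subject ("its OOM score"), and "for it to be function as intended" should read "for it to function as intended". It is also worth documenting that value 2 (as opposed to 1) panics even when the OOM is confined to a cgroup, cpuset or mempolicy rather than being system-wide, which widens the denial-of-service surface the comment already warns about to any memory-limited service that merely exceeds its own limit.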