Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-11-25 17:26:19 -05:00
Code Issues Projects Releases Packages Wiki Activity

Add docs relating to panic on OOM

Browse source
This commit is contained in:
raja-grewal 2025-10-13 02:08:44 +00:00 committed by GitHub
parent 9db63d9777
commit f690b58870
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 14 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

7
README.md
View file

@ -52,9 +52,10 @@ configuration file and significant hardening is applied to a myriad of component
- Force immediate system reboot on the occurrence of a single kernel panic, reducing the
risk and impact of denial of service attacks and both cold and warm boot attacks.
- Force immediate kernel panic on OOM. This is to avoid security features such as the screen
locker, kloak, emerg-shutdown from being arbitrarily terminated when the system starts
running out of memory.
- Force immediate kernel panic on OOM (out of memory) which the above setting will force
an immediate system reboot, as opposed to placing any reliance on the oom_killer to
avoid arbitrarily terminating security features based on their OOM score. Note this creates
the risk of userspace-based denial of service attacks that maliciously fill memory.
- Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.

13
usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared
View file

@ -199,11 +199,18 @@ kernel.perf_event_paranoid=3
##
#kernel.panic=-1
## Force immediate kernel panic on OOM.
## This is to avoid security features such as the screen locker, kloak, emerg-shutdown
## from being arbitrarily terminated when the system starts running out of memory.
## Force immediate kernel panic on OOM (out of memory) scenarios.
## Registers a kernel panic whenever the oom_killer is triggered to kill some rouge process based on their OOM score.
## Note that this must be used with kernel.panic=-1 for it to be function as intended.
## This prevents security features such as the screen locker, kloak, and emerg-shutdown from being arbitrarily terminated.
## Enabling these two together creates a risk of userspace-based denial-of-service attacks that maliciously fill memory.
## This opinionated default forces immediate system reboot rather than placing any reliance on the oom_killer.
##
## https://en.wikipedia.org/wiki/Out_of_memory
## https://forums.whonix.org/t/screen-locker-in-security-can-we-disable-these-at-least-4-backdoors/8128/14
## https://github.com/KSPP/kspp.github.io/issues/9
## https://github.com/Kicksecure/security-misc/issues/324
##
vm.panic_on_oom=2
## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.