Split the security-misc into security-misc-shared, security-misc-desktop and security-misc-server: rename files

https://github.com/Kicksecure/security-misc/issues/187
2025-11-25 22:18:33 -05:00 · 2025-09-17 14:49:28 -04:00 · 2025-09-17 14:49:28 -04:00 · f70550d015
commit f70550d015
parent 2de10d5b7b
132 changed files with 35 additions and 0 deletions
--- a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf#security-misc-shared
+++ b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf#security-misc-shared
@ -0,0 +1,26 @@
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Definitions:
+## KSPP=yes: compliant with recommendations by the KSPP
+## KSPP=partial: partially compliant with recommendations by the KSPP
+## KSPP=no: not (currently) compliant with recommendations by the KSPP
+## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.
+
+## NOTE:
+## This configuration is in a dedicated file because the ram-wipe package
+## requires kexec. However, ram-wipe cannot ship a config file
+## /etc/sysctl.d/40_ram-wipe.conf that sets 'kernel.kexec_load_disabled=0'.
+## Once systemd-sysctl.service has set 'kernel.kexec_load_disabled=1',
+## it cannot be undone without a reboot. This is an upstream Linux security feature.
+## Instead, ram-wipe will config-package-dev 'hide' this file.
+
+## Disables kexec, which can be used to replace the running kernel.
+## Useful for live kernel patching without rebooting.
+##
+## https://en.wikipedia.org/wiki/Kexec
+##
+## KSPP=yes
+## KSPP sets the sysctl and does not set CONFIG_KEXEC.
+##
+kernel.kexec_load_disabled=1