mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-12-11 15:54:22 -05:00
b7c52800f4
renamed: etc/sysctl.d/30_security-misc_kexec-disable.conf -> usr/lib/sysctl.d/30_security-misc_kexec-disable.conf renamed: etc/sysctl.d/30_silent-kernel-printk.conf -> usr/lib/sysctl.d/30_silent-kernel-printk.conf
17 lines
1.1 KiB
Plaintext
17 lines
1.1 KiB
Plaintext
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
|
## See the file COPYING for copying conditions.
|
|
|
|
## Quote https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html
|
|
##
|
|
## kexec_load_disabled:
|
|
##
|
|
## A toggle indicating if the kexec_load syscall has been disabled. This value defaults to 0 (false: kexec_load enabled), but can be set to 1 (true: kexec_load disabled). Once true, kexec can no longer be used, and the toggle cannot be set back to false. This allows a kexec image to be loaded before disabling the syscall, allowing a system to set up (and later use) an image without it being altered. Generally used together with the "modules_disabled" sysctl.
|
|
## Disables kexec which can be used to replace the running kernel.
|
|
kernel.kexec_load_disabled=1
|
|
|
|
## Why is this in a dedicated config file?
|
|
## Package ram-wipe requires kexec. However, ram-wipe could not ship a config
|
|
## file /etc/sysctl.d/40_ram-wipe.conf which sets 'kernel.kexec_load_disabled=0'.
|
|
## This is because once systemd-sysctl.service has set 'kernel.kexec_load_disabled=1'
|
|
## it cannot be undone without reboot. This is a upstream Linux security feature.
|