hide kernel addresses in /proc

Make sure kernel address space is hidden from files somewhere in /proc . This reduces attack surface and partially addresses #11659. Signed-off-by: Peter Müller <peter.mueller@link38.eu> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2026-04-28 11:43:25 +02:00 · 2018-06-30 11:44:06 +02:00
parent a65d07ec6d
commit 373590b7c3
1 changed files with 6 additions and 0 deletions
--- a/config/etc/sysctl.conf
+++ b/config/etc/sysctl.conf
@@ -42,3 +42,9 @@ net.netfilter.nf_conntrack_acct=1
 net.bridge.bridge-nf-call-ip6tables = 0
 net.bridge.bridge-nf-call-iptables = 0
 net.bridge.bridge-nf-call-arptables = 0
+
+# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
+kernel.kptr_restrict = 1
+
+# Avoid kernel memory address exposures via dmesg.
+kernel.dmesg_restrict = 1