Kernel: Block non-UID-0 profiling completely

This is recommended by KSPP, Lynis, and others. Indeed, there is no
legitimate reason why an unprivileged user on IPFire should do any
profiling. Unfortunately, this change never landed in the mainline
kernel, hence a distribution patch is necessary.

The second version of this patch rebases the kernel patch by Jeff
Vander Stoep against Linux 5.15.17 to avoid fuzzying.

Tested-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
This commit is contained in:
Peter Müller
2022-02-11 19:42:57 +00:00
parent 88a7b2d34b
commit 400c4e8edb
3 changed files with 81 additions and 0 deletions


@@ -101,3 +101,6 @@ net.ipv4.tcp_rfc1337 = 1
# Include PID in file names of generated core dumps
kernel.core_uses_pid = 1
# Block non-uid-0 profiling
kernel.perf_event_paranoid = 3
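Review bot: The new comment "# Block non-uid-0 profiling" above `kernel.perf_event_paranoid = 3` should state that level 3 only exists because of the distribution patch this commit carries (the Jeff Vander Stoep patch the message rebases against 5.15.17); mainline kernels know levels up to 2 only, so on an unpatched kernel a value of 3 silently behaves like 2 (kernel and CPU events blocked, but unprivileged user-space profiling still allowed) and the comment would then overstate what the setting does. Suggest something like "# Block non-uid-0 profiling (level 3 requires the IPFire kernel patch; 2 is the mainline maximum)" so that whoever later drops or fails to rebase the patch sees the dependency in sysctl.conf itself.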