do not expose kernel address spaces even to privileged users

Change this setting from 1 to 2 so kernel addresses are not
displayed even if a user has CAPS_SYSLOG privileges.

See also:
- https://lwn.net/Articles/420403/
- https://tails.boum.org/contribute/design/kernel_hardening/

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller
2018-08-16 17:29:58 +02:00
committed by Michael Tremer
parent 65ae069c21
commit d5fe332283

@@ -44,7 +44,7 @@ net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
kernel.kptr_restrict = 1
kernel.kptr_restrict = 2
# Avoid kernel memory address exposures via dmesg.
kernel.dmesg_restrict = 1
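
Review bot: The comment above `kernel.kptr_restrict` still describes only the general goal ("Try to keep kernel address exposures out of various /proc files") and does not say why the value is now 2, so a later reader cannot tell from the file that hiding addresses from privileged users is intentional. Suggest extending that comment with something like "(2 = hide addresses even from privileged users)" so the setting is not quietly lowered back to 1 when someone needs kernel symbols for debugging. The capability named in the commit message should also read CAP_SYSLOG rather than CAPS_SYSLOG.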