On 03/01/20 14:48, Toralf Förster wrote: > On 1/3/20 3:46 PM, Rich Freeman wrote: >> If OpenRC contains a vulnerability wouldn't it make more sense to set >> this as part of OpenRC, > Indeed. > > Furthermore there's a nifty page > https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings > which yields for me to this /etc/sysctl.d/local.conf : > > > # Restrict potential illegal access via links > # > fs.protected_hardlinks = 1 > fs.protected_symlinks = 1 > > # > # https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project#CONFIGs > # > > # Try to keep kernel address exposures out of various /proc files (kallsyms, > modules, etc). > kernel.kptr_restrict = 1 > > # Avoid kernel memory address exposures via dmesg. > kernel.dmesg_restrict = 1 > > # Block non-uid-0 profiling (needs distro patch, otherwise this is the same > as "= 2") > kernel.perf_event_paranoid = 3 > > # Turn off kexec, even if it's built in. > kernel.kexec_load_disabled = 1 > > # Avoid non-ancestor ptrace access to running processes and their credentials. > kernel.yama.ptrace_scope = 1 > > # Disable User Namespaces, as it opens up a large attack surface to > unprivileged users. > user.max_user_namespaces = 0 > > # Turn off unprivileged eBPF access. > kernel.unprivileged_bpf_disabled = 1 > > # Turn on BPF JIT hardening, if the JIT is enabled. > net.core.bpf_jit_harden = 2 > > FWIW, there is a move to add further hardening options to the Gentoo-sources kernel - bug 689154, based on the kernsec recommendations. Further details of proposals, and inspiration, are in the bug.
signature.asc
Description: OpenPGP digital signature
