26 lines
1.2 KiB
Plaintext
26 lines
1.2 KiB
Plaintext
# These settings are specific to hardening the kernel itself from attack
|
|
# from userspace, rather than protecting userspace from other malicious
|
|
# userspace things.
|
|
#
|
|
#
|
|
# When an attacker is trying to exploit the local kernel, it is often
|
|
# helpful to be able to examine where in memory the kernel, modules,
|
|
# and data structures live. As such, kernel addresses should be treated
|
|
# as sensitive information.
|
|
#
|
|
# Many files and interfaces contain these addresses (e.g. /proc/kallsyms,
|
|
# /proc/modules, etc), and this setting can censor the addresses. A value
|
|
# of "0" allows all users to see the kernel addresses. A value of "1"
|
|
# limits visibility to the root user, and "2" blocks even the root user.
|
|
kernel.kptr_restrict = 1
|
|
|
|
# Access to the kernel log buffer can be especially useful for an attacker
|
|
# attempting to exploit the local kernel, as kernel addresses and detailed
|
|
# call traces are frequently found in kernel oops messages. Setting
|
|
# dmesg_restrict to "0" allows all users to view the kernel log buffer,
|
|
# and setting it to "1" restricts access to those with CAP_SYSLOG.
|
|
#
|
|
# dmesg_restrict defaults to 1 via CONFIG_SECURITY_DMESG_RESTRICT, only
|
|
# uncomment the following line to disable.
|
|
# kernel.dmesg_restrict = 0
|