Disable kexec, to make our attack surface a bit smaller.wip/feature/12732-linux-4.11

author: intrigeri <intrigeri@boum.org> 2017-07-21 05:48:53 +0000
committer: intrigeri <intrigeri@boum.org> 2017-07-21 05:48:53 +0000
commit: 3ce9598de6fd4f76646c17a355213311418bbfc5 (patch)
tree: 5549c1c6e09935671ac79a59e8c848bd6bc310cb
parent: f95ad1f91c6d4f57fd31f2f6586510caa28893df (diff)
2 files changed, 5 insertions, 0 deletions
diff --git a/config/chroot_local-includes/etc/sysctl.d/kexec.conf b/config/chroot_local-includes/etc/sysctl.d/kexec.conf
new file mode 100644
index 0000000..edfb725
--- /dev/null
+++ b/config/chroot_local-includes/etc/sysctl.d/kexec.conf
@@ -0,0 +1 @@
+kernel.kexec_load_disabled = 1
diff --git a/wiki/src/contribute/design/kernel_hardening.mdwn b/wiki/src/contribute/design/kernel_hardening.mdwn
index 5be145b..3e19bc2 100644
--- a/wiki/src/contribute/design/kernel_hardening.mdwn
+++ b/wiki/src/contribute/design/kernel_hardening.mdwn
@@ -97,3 +97,7 @@ kernel address map from some external source. This is not hard, but
 certainly not all malware has such functionality.
 
 For this reason, we also make sure to purge `/boot/System.map`.
+
+### `kernel.kexec_load_disabled = 1`
+
+kexec is dangerous: it enables replacement of the running kernel.
author	intrigeri <intrigeri@boum.org>	2017-07-21 05:48:53 +0000
committer	intrigeri <intrigeri@boum.org>	2017-07-21 05:48:53 +0000
commit	3ce9598de6fd4f76646c17a355213311418bbfc5 (patch)
tree	5549c1c6e09935671ac79a59e8c848bd6bc310cb
parent	f95ad1f91c6d4f57fd31f2f6586510caa28893df (diff)