author: intrigeri <intrigeri@boum.org> 2017-07-21 05:48:53 +0000
committer: intrigeri <intrigeri@boum.org> 2017-07-21 05:48:53 +0000
commit: 3ce9598de6fd4f76646c17a355213311418bbfc5 (patch)
tree: 5549c1c6e09935671ac79a59e8c848bd6bc310cb
parent: f95ad1f91c6d4f57fd31f2f6586510caa28893df (diff)

Disable kexec, to make our attack surface a bit smaller.

branch: wip/feature/12732-linux-4.11

-rw-r--r--  config/chroot_local-includes/etc/sysctl.d/kexec.conf  1
-rw-r--r--  wiki/src/contribute/design/kernel_hardening.mdwn      4
2 files changed, 5 insertions, 0 deletions
diff --git a/config/chroot_local-includes/etc/sysctl.d/kexec.conf b/config/chroot_local-includes/etc/sysctl.d/kexec.conf
new file mode 100644
index 0000000..edfb725
--- /dev/null
+++ b/config/chroot_local-includes/etc/sysctl.d/kexec.conf
@@ -0,0 +1 @@
+kernel.kexec_load_disabled = 1
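Review bot: the new file sets `kernel.kexec_load_disabled = 1` without saying that this sysctl is a one-way latch: once the kernel has accepted the value 1 it refuses to be set back to 0 for the rest of the boot, and from then on both `kexec_load` and `kexec_file_load` fail even for root. That is exactly the property wanted here, but it should be stated in the file, otherwise whoever later debugs a failing kexec or kdump on a Tails system will look for the cause elsewhere. Suggest a comment line above the setting, e.g. `# One-way switch: cannot be re-enabled without a reboot.` with a pointer to `wiki/src/contribute/design/kernel_hardening.mdwn`. Note also what the setting does not do: it only blocks kexec requests made after systemd-sysctl has applied `/etc/sysctl.d` during boot, and it leaves the kexec code in the kernel; removing that would be a build-time matter, not a sysctl.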
diff --git a/wiki/src/contribute/design/kernel_hardening.mdwn b/wiki/src/contribute/design/kernel_hardening.mdwn
index 5be145b..3e19bc2 100644
--- a/wiki/src/contribute/design/kernel_hardening.mdwn
+++ b/wiki/src/contribute/design/kernel_hardening.mdwn
@@ -97,3 +97,7 @@ kernel address map from some external source. This is not hard, but
certainly not all malware has such functionality.
For this reason, we also make sure to purge `/boot/System.map`.
+
+### `kernel.kexec_load_disabled = 1`
+
+kexec is dangerous: it enables replacement of the running kernel.
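Review bot: the new section names the risk but not the mitigation's behaviour or its origin, so the design document ends up saying less than the configuration enforces. Suggest adding that the setting lives in `config/chroot_local-includes/etc/sysctl.d/kexec.conf`, that it is irreversible for the lifetime of the boot (once set to 1 it cannot be set back to 0), and that its purpose is to stop a process that has already obtained root (CAP_SYS_BOOT) from loading and executing a different kernel, which would bypass the other hardening measures documented on this page. A small wording point: "it enables replacement of the running kernel" reads more naturally as "it allows the running kernel to be replaced."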