mirror of
https://gitlab.archlinux.org/archlinux/infrastructure.git
synced 2025-01-18 08:06:16 +01:00
b2ba187738
- unprivileged bpf: we do not need this on our infra, we can assume bpf() calls will happen with CAP_SYS_ADMIN if required. - unprivileged userns: we do not need this on our infra for none of our services or similar. Reduce attack surface by a huge margin including most recent CVE-2020-14386. - kptr restrict: we already check for CAP_SYSLOG and real ids but we really do not require any specific kernel pointers to be logged. Settings this to 2 instead to blank out all kernel pointers to protect against info leak. - kexec: disable kexec as we do never want to kexec our running servers into something else. Settings this sysctl disables kexec even if its compiled into the kernel. - bpf jit harden: harden BPF JIT compiler to mitigate JIT spraying for the sacrifices off a bit performance for all users including privileged.
2 lines
37 B
Plaintext
2 lines
37 B
Plaintext
kernel.unprivileged_userns_clone = 0
|