mirror of
https://gitlab.archlinux.org/archlinux/infrastructure.git
synced 2025-01-07 04:24:10 +01:00
b2ba187738
- unprivileged bpf: we do not need this on our infra, we can assume bpf() calls will happen with CAP_SYS_ADMIN if required. - unprivileged userns: we do not need this on our infra for none of our services or similar. Reduce attack surface by a huge margin including most recent CVE-2020-14386. - kptr restrict: we already check for CAP_SYSLOG and real ids but we really do not require any specific kernel pointers to be logged. Settings this to 2 instead to blank out all kernel pointers to protect against info leak. - kexec: disable kexec as we do never want to kexec our running servers into something else. Settings this sysctl disables kexec even if its compiled into the kernel. - bpf jit harden: harden BPF JIT compiler to mitigate JIT spraying for the sacrifices off a bit performance for all users including privileged. |
||
|---|---|---|
| .. | ||
| 50-bpf_jit_harden.conf | ||
| 50-dmesg-restrict.conf | ||
| 50-kexec_load_disabled.conf | ||
| 50-kptr-restrict.conf | ||
| 50-lockdown.conf | ||
| 50-ptrace-restrict.conf | ||
| 50-unprivileged_bpf_disabled.conf | ||
| 50-unprivileged_userns_clone.conf | ||