harden(rootless): offset userns surface with kptr/ptrace/bpf-jit sysctls
Enabling unprivileged user namespaces for rootless widens the kernel attack surface reachable by unprivileged users (a known source of LPE CVEs). Pair it with three distro-portable, low-impact sysctls that close the surfaces those exploit chains rely on: kernel.kptr_restrict=2 (hide kernel pointers), kernel.yama.ptrace_scope=1 (block cross-process ptrace), net.core.bpf_jit_harden=2 (harden the JIT).

Added as a separate guarded LIBREPORTAL KERNEL HARDENING block so it's clearly deliberate and independently idempotent.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
This commit is contained in:
parent
6d781b66a8
commit
0bf9c41c51
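An added verification helper, not part of the LIBREPORTAL installer or of this commit: it checks the three sysctl keys the commit introduces, first in a sysctl file such as the one the installer appends to, then against the running kernel. It assumes a POSIX sh with awk, parses the file the way sysctl --system does (comments, "key = value", "key/sub" form, a leading "-" ignore-errors marker, last occurrence wins), and treats a key absent from /proc/sys (kernel.yama.ptrace_scope on a kernel without the Yama LSM) as a failure, since the line in the file then protects nothing.

```shell
#!/bin/sh
# Added check (not the LIBREPORTAL installer's code): verify the three hardening
# keys from the commit in a sysctl file and in the live kernel. POSIX sh + awk.
HARDENING='kernel.kptr_restrict=2 kernel.yama.ptrace_scope=1 net.core.bpf_jit_harden=2'

# sysctl_value FILE KEY -> effective value of KEY in FILE, empty if unset.
# Mirrors sysctl(8) parsing: '#'/';' comments, "key = value", "key/sub" form,
# optional leading '-' (ignore-errors marker), last occurrence wins.
sysctl_value() {
    awk -v key="$2" '
        { sub(/[#;].*/, "") }
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            sub(/^-/, "", k); gsub("/", ".", k)
            if (k == key) last = v
        }
        END { if (last != "") print last }' "$1"
}

# check_hardening_file FILE -> 0 if every key has its expected value, else 1.
check_hardening_file() {
    rc=0
    for want in $HARDENING; do
        key=${want%%=*}; exp=${want#*=}
        got=$(sysctl_value "$1" "$key")
        if [ "$got" != "$exp" ]; then
            printf 'MISMATCH %s: want %s, got %s\n' "$key" "$exp" "${got:-<unset>}"
            rc=1
        fi
    done
    return $rc
}

# check_hardening_live -> 0 if the running kernel matches. A key missing from
# /proc/sys (kernel.yama.* without the Yama LSM) counts as a failure, since the
# file may hold the line while the protection is not in effect.
check_hardening_live() {
    rc=0
    for want in $HARDENING; do
        key=${want%%=*}; exp=${want#*=}
        path="/proc/sys/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$path" ]; then printf 'ABSENT %s\n' "$key"; rc=1; continue; fi
        read -r got < "$path"
        [ "$got" = "$exp" ] || { printf 'MISMATCH %s: want %s, got %s\n' "$key" "$exp" "$got"; rc=1; }
    done
    return $rc
}
```

Run `check_hardening_file /path/to/sysctl.conf` after the installer, then `check_hardening_live` on the host to confirm the values actually took effect.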
@ -209,6 +209,33 @@ EOL"
isSuccessful "Updated the sysctl with Docker Rootless configuration"
fi
# Enabling unprivileged user namespaces (needed for rootless) widens the
# kernel attack surface reachable by unprivileged users. Offset that by
# closing the surfaces that local-privilege-escalation chains lean on:
# kptr_restrict hides kernel pointers (defeats info-leak primitives),
# ptrace_scope blocks cross-process ptrace (limits credential theft after
# a compromise), and bpf_jit_harden hardens the JIT against spraying.
# All three are distro-portable and have negligible runtime impact.
if ! grep -qF "# LIBREPORTAL KERNEL HARDENING START" "$sysctl"; then
local result=$(echo '# LIBREPORTAL KERNEL HARDENING START' | sudo tee -a "$sysctl" > /dev/null)
checkSuccess "Adding kernel hardening header to sysctl"
local result=$(echo 'kernel.kptr_restrict=2' | sudo tee -a "$sysctl" > /dev/null)
checkSuccess "Restricting kernel pointer exposure (kptr_restrict)"
local result=$(echo 'kernel.yama.ptrace_scope=1' | sudo tee -a "$sysctl" > /dev/null)
checkSuccess "Restricting cross-process ptrace (yama.ptrace_scope)"
local result=$(echo 'net.core.bpf_jit_harden=2' | sudo tee -a "$sysctl" > /dev/null)
checkSuccess "Hardening the BPF JIT (bpf_jit_harden)"
local result=$(echo '# LIBREPORTAL KERNEL HARDENING END' | sudo tee -a "$sysctl" > /dev/null)
checkSuccess "Adding kernel hardening end to sysctl"
isSuccessful "Applied kernel LPE-surface hardening"
fi
local result=$(sudo sysctl --system)
checkSuccess "Applying changes to sysctl"
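Review bot: the `local result=$(echo '...' | sudo tee -a "$sysctl" > /dev/null)` lines in the new block leave the following `checkSuccess` calls unable to detect failure if that helper inspects `$?`: `local` returns its own exit status (0), not that of the command substitution, and a pipeline's status is that of its last command, so a `tee` that could not append is never reported (and `result` is always empty because stdout is sent to `/dev/null`). Suggest dropping the `local result=` capture and writing `printf '%s\n' 'kernel.kptr_restrict=2' | sudo tee -a "$sysctl" > /dev/null` directly before each `checkSuccess`, so the real status reaches it. Separately, the comment at the top of the block calls all three keys distro-portable, but `kernel.yama.ptrace_scope` only exists when the Yama LSM is built into the kernel; on other kernels the later `sysctl --system` reports it as missing. Either write it as `-kernel.yama.ptrace_scope=1` (the sysctl.conf ignore-errors prefix) or test for `/proc/sys/kernel/yama/ptrace_scope` before appending. Also worth a word in the "negligible runtime impact" comment: `bpf_jit_harden=2` applies constant blinding to privileged BPF programs too (1 covers only unprivileged ones), which is a measurable cost on hosts that run heavy BPF tooling.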