diff --git a/scripts/docker/install/rootless/rootless_docker.sh b/scripts/docker/install/rootless/rootless_docker.sh index 0f1c3de..a44cb29 100755 --- a/scripts/docker/install/rootless/rootless_docker.sh +++ b/scripts/docker/install/rootless/rootless_docker.sh @@ -209,6 +209,33 @@ EOL" isSuccessful "Updated the sysctl with Docker Rootless configuration" fi + # Enabling unprivileged user namespaces (needed for rootless) widens the + # kernel attack surface reachable by unprivileged users. Offset that by + # closing the surfaces that local-privilege-escalation chains lean on: + # kptr_restrict hides kernel pointers (defeats info-leak primitives), + # ptrace_scope blocks cross-process ptrace (limits credential theft after + # a compromise), and bpf_jit_harden hardens the JIT against spraying. + # All three are distro-portable and have negligible runtime impact. + if ! grep -qF "# LIBREPORTAL KERNEL HARDENING START" "$sysctl"; then + + local result=$(echo '# LIBREPORTAL KERNEL HARDENING START' | sudo tee -a "$sysctl" > /dev/null) + checkSuccess "Adding kernel hardening header to sysctl" + + local result=$(echo 'kernel.kptr_restrict=2' | sudo tee -a "$sysctl" > /dev/null) + checkSuccess "Restricting kernel pointer exposure (kptr_restrict)" + + local result=$(echo 'kernel.yama.ptrace_scope=1' | sudo tee -a "$sysctl" > /dev/null) + checkSuccess "Restricting cross-process ptrace (yama.ptrace_scope)" + + local result=$(echo 'net.core.bpf_jit_harden=2' | sudo tee -a "$sysctl" > /dev/null) + checkSuccess "Hardening the BPF JIT (bpf_jit_harden)" + + local result=$(echo '# LIBREPORTAL KERNEL HARDENING END' | sudo tee -a "$sysctl" > /dev/null) + checkSuccess "Adding kernel hardening end to sysctl" + + isSuccessful "Applied kernel LPE-surface hardening" + fi + local result=$(sudo sysctl --system) checkSuccess "Applying changes to sysctl"
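Review bot: Every `local result=$(... | sudo tee -a "$sysctl" > /dev/null)` line in this hunk masks the pipeline's exit status, because `local` returns 0 regardless of what the substitution returned, so the `checkSuccess` that follows each one can never observe a failed append and the script reports the hardening as applied even when nothing was written; this mirrors the existing `local result=$(sudo sysctl --system)` pattern, but for a security control a silent failure is the worst outcome. A single here-doc append keeps the status visible to checkSuccess and replaces the five tee invocations (sketch below). The comment's claim that all three keys are distro-portable should be hedged: `kernel.yama.ptrace_scope` only exists when the kernel was built with the Yama LSM and `net.core.bpf_jit_harden` only when it has the BPF JIT, so on a kernel lacking either `sysctl --system` will log an error for the missing key — consider guarding each write with `[[ -e /proc/sys/kernel/yama/ptrace_scope ]]` (and the bpf_jit_harden equivalent) or stating the dependency in the comment. The enclosing function starts before and ends after this hunk.
```shell
if ! grep -qF "# LIBREPORTAL KERNEL HARDENING START" "$sysctl"; then
    # one append, not captured into a variable, so a failed write reaches checkSuccess
    sudo tee -a "$sysctl" > /dev/null <<'EOF'
# LIBREPORTAL KERNEL HARDENING START
kernel.kptr_restrict=2
kernel.yama.ptrace_scope=1
net.core.bpf_jit_harden=2
# LIBREPORTAL KERNEL HARDENING END
EOF
    checkSuccess "Adding kernel hardening block to sysctl"
    isSuccessful "Applied kernel LPE-surface hardening"
fi
```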