Compare commits

..

No commits in common. "5e8e28f33dacb4a8ca5bd87ec28795b63e671f1b" and "6d781b66a8e5118e8cbba4ac7bf9eaf807fda52d" have entirely different histories.

View File

@ -209,33 +209,6 @@ EOL"
isSuccessful "Updated the sysctl with Docker Rootless configuration"
fi
# Enabling unprivileged user namespaces (needed for rootless) widens the
# kernel attack surface reachable by unprivileged users. Offset that by
# closing the surfaces that local-privilege-escalation chains lean on:
# kptr_restrict hides kernel pointers (defeats info-leak primitives),
# ptrace_scope blocks cross-process ptrace (limits credential theft after
# a compromise), and bpf_jit_harden hardens the JIT against spraying.
# All three are distro-portable and have negligible runtime impact.
if ! grep -qF "# LIBREPORTAL KERNEL HARDENING START" "$sysctl"; then
local result=$(echo '# LIBREPORTAL KERNEL HARDENING START' | sudo tee -a "$sysctl" > /dev/null)
checkSuccess "Adding kernel hardening header to sysctl"
local result=$(echo 'kernel.kptr_restrict=2' | sudo tee -a "$sysctl" > /dev/null)
checkSuccess "Restricting kernel pointer exposure (kptr_restrict)"
local result=$(echo 'kernel.yama.ptrace_scope=1' | sudo tee -a "$sysctl" > /dev/null)
checkSuccess "Restricting cross-process ptrace (yama.ptrace_scope)"
local result=$(echo 'net.core.bpf_jit_harden=2' | sudo tee -a "$sysctl" > /dev/null)
checkSuccess "Hardening the BPF JIT (bpf_jit_harden)"
local result=$(echo '# LIBREPORTAL KERNEL HARDENING END' | sudo tee -a "$sysctl" > /dev/null)
checkSuccess "Adding kernel hardening end to sysctl"
isSuccessful "Applied kernel LPE-surface hardening"
fi
local result=$(sudo sysctl --system)
checkSuccess "Applying changes to sysctl"