
- 14.1+15.1+16.0: enable kernel protections for files - protected_*: hardlinks, symlinks, fifos, regular - from GrapheneOS - defconfig: enable more verity options - cleanup
From 22342a49f43d2d7613d12603ec99d75dc2ceb6eb Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Wed, 28 Jun 2017 07:54:49 -0400
Subject: [PATCH] Harden
Change-Id: I46e3fc4ac896a509ab8ca90ae4ce09b820da434b
---
init/init.cpp | 6 +++---
rootdir/init.rc | 8 ++++++++
2 files changed, 11 insertions(+), 3 deletions(-)
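--- a/init/init.cpp
+++ b/init/init.cpp
@@ -579,10 +579,10 @@ int main(int argc, char** argv) {
 mount("tmpfs", "/dev", "tmpfs", MS_NOSUID, "mode=0755");
 mkdir("/dev/pts", 0755);
 mkdir("/dev/socket", 0755);
-mount("devpts", "/dev/pts", "devpts", 0, NULL);
+mount("devpts", "/dev/pts", "devpts", MS_NOSUID|MS_NOEXEC, NULL);
 #define MAKE_STR(x) __STRING(x)
-mount("proc", "/proc", "proc", 0, "hidepid=2,gid=" MAKE_STR(AID_READPROC));
-mount("sysfs", "/sys", "sysfs", 0, NULL);
+mount("proc", "/proc", "proc", MS_NOSUID|MS_NODEV|MS_NOEXEC, "hidepid=2,gid=" MAKE_STR(AID_READPROC));
+mount("sysfs", "/sys", "sysfs", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL);
 }
 
 // We must have some place other than / to create the device nodes for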
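Review bot: The new flag sets on the devpts, proc and sysfs mount calls carry no explanation, and the /dev tmpfs mount on the first context line keeps MS_NOSUID alone while its neighbours gain MS_NOEXEC; a comment above the run such as `// Pseudo-filesystems are mounted nosuid/noexec, and nodev where they hold no device nodes (devpts provides the pty slaves, so it stays dev-capable), so nothing under them can escalate privilege or be executed.` would record the intent and make the asymmetry with /dev read as deliberate rather than an oversight. The return values of these mount() calls are still not checked, so a kernel that rejects one of the new flag combinations leaves no trace at this point; that predates the commit, but with more restrictive flags it is worth logging a failed mount here. main() starts and ends outside this hunk.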
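--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -126,6 +126,14 @@ on init
 write /proc/sys/kernel/sched_child_runs_first 0
 
 write /proc/sys/kernel/randomize_va_space 2
+write /proc/sys/fs/protected_hardlinks 1
+write /proc/sys/fs/protected_symlinks 1
+write /proc/sys/fs/protected_fifos 1
+write /proc/sys/fs/protected_regular 1
+write /proc/sys/net/ipv4/tcp_sack 0
+write /proc/sys/net/ipv6/conf/all/use_tempaddr 2
+write /proc/sys/net/ipv6/conf/default/use_tempaddr 2
+write /proc/sys/kernel/dmesg_restrict 1
 write /proc/sys/kernel/kptr_restrict 2
 write /proc/sys/vm/mmap_min_addr 32768
 write /proc/sys/net/ipv4/ping_group_range "0 2147483647"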
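Review bot: The eight new `write` lines have no comment explaining them, and init.rc accepts `#` comments; `tcp_sack 0` in particular switches off TCP selective acknowledgement, which costs throughput on lossy links, so a one-line note on why it is disabled, plus a short heading for the protected_* / use_tempaddr / dmesg_restrict group, would help the next maintainer judge whether each value still applies. As far as I recall, `protected_fifos` and `protected_regular` only exist on newer kernels than some of the trees this commit targets, and I believe init's `write` to a missing sysctl is logged rather than fatal; if that is the intent, a comment stating that the failure is expected on older kernels avoids the boot-log error being mistaken for a regression. The `on init` block starts and ends outside this hunk.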
--
2.21.0