AtaraxiaDev/divestos-build
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
divestos-build/Patches/Copperhead-13.0/android_system_core/3.patch
Tad c0083c1519 Initial commit, long overdue
2016-12-21 19:30:02 -05:00

36 lines
1.3 KiB
Diff
Raw Blame History

From eee064eb93d1ee3f1db56a9634015ba23e3b0e92 Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Thu, 5 Feb 2015 20:33:17 -0500
Subject: [PATCH] tighten up kernel tcp/ip settings
---
rootdir/init.rc | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/rootdir/init.rc b/rootdir/init.rc
index b98443a..f30baf4 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -124,6 +124,21 @@ on init
write /proc/sys/net/ipv4/conf/all/accept_redirects 0
write /proc/sys/net/ipv6/conf/all/accept_redirects 0
+ # IPv4 hardening
+ #
+ # reverse path filtering is done with netfilter for consistency with IPv6
+ write /proc/sys/net/ipv4/tcp_rfc1337 1
+ write /proc/sys/net/ipv4/conf/all/accept_source_route 0
+ write /proc/sys/net/ipv4/conf/default/accept_source_route 0
+ write /proc/sys/net/ipv4/conf/default/accept_redirects 0
+ write /proc/sys/net/ipv4/conf/all/send_redirects 0
+ write /proc/sys/net/ipv4/conf/default/send_redirects 0
+
+ # IPv6 hardening
+ write /proc/sys/net/ipv6/conf/default/accept_redirects 0
+ write /proc/sys/net/ipv6/conf/all/use_tempaddr 2
+ write /proc/sys/net/ipv6/conf/default/use_tempaddr 2
+
# Create cgroup mount points for process groups
mkdir /dev/cpuctl
mount cgroup none /dev/cpuctl cpu
Reference in New Issue View Git Blame Copy Permalink