
From f744a5628bbc7c97065b9355282c97d4c4cb1d60 Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Mon, 29 May 2017 20:13:03 -0400
Subject: [PATCH] Harden mounts and network
Change-Id: I56e8371048f83f429009c3024f8aff99c9952d9c
---
init/init.cpp | 6 +++---
rootdir/init.rc | 16 ++++++++++++++++
2 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/init/init.cpp b/init/init.cpp
index 7a370596e..35bf44a7b 100755
--- a/init/init.cpp
+++ b/init/init.cpp
@@ -579,10 +579,10 @@ int main(int argc, char** argv) {
mount("tmpfs", "/dev", "tmpfs", MS_NOSUID, "mode=0755");
mkdir("/dev/pts", 0755);
mkdir("/dev/socket", 0755);
- mount("devpts", "/dev/pts", "devpts", 0, NULL);
+ mount("devpts", "/dev/pts", "devpts", MS_NOSUID|MS_NOEXEC, NULL);
#define MAKE_STR(x) __STRING(x)
- mount("proc", "/proc", "proc", 0, "hidepid=2,gid=" MAKE_STR(AID_READPROC));
- mount("sysfs", "/sys", "sysfs", 0, NULL);
+ mount("proc", "/proc", "proc", MS_NOSUID|MS_NODEV|MS_NOEXEC, "hidepid=2,gid=" MAKE_STR(AID_READPROC));
+ mount("sysfs", "/sys", "sysfs", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL);
}
// We must have some place other than / to create the device nodes for
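Review bot: The three mount() calls changed on the new side (devpts, proc, sysfs) still discard their return value, so if the kernel rejects a flag or the "hidepid=2" option the filesystem is simply left unmounted and init continues without any record of it; the flags only harden anything when the mount actually succeeds. Each call should at least be checked and the errno logged, e.g. `if (mount("sysfs", "/sys", "sysfs", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL) != 0) { /* log errno; decide whether init can continue */ }`, and the same for the devpts and proc lines. The tmpfs mount of /dev on the first context line keeps only MS_NOSUID, which is presumably deliberate (device nodes live there), but a one-line comment saying why it is not hardened like its neighbours would help the next reader. The body of main() continues outside this hunk.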
diff --git a/rootdir/init.rc b/rootdir/init.rc
index 671c6b71f..a5da76318 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -126,6 +126,7 @@ on init
write /proc/sys/kernel/sched_child_runs_first 0
write /proc/sys/kernel/randomize_va_space 2
+ write /proc/sys/kernel/dmesg_restrict 1
write /proc/sys/kernel/kptr_restrict 2
write /proc/sys/vm/mmap_min_addr 32768
write /proc/sys/net/ipv4/ping_group_range "0 2147483647"
@@ -144,6 +145,21 @@ on init
write /proc/sys/net/ipv4/conf/all/accept_redirects 0
write /proc/sys/net/ipv6/conf/all/accept_redirects 0
+ # IPv4 hardening
+ #
+ # reverse path filtering is done with netfilter for consistency with IPv6
+ write /proc/sys/net/ipv4/tcp_rfc1337 1
+ write /proc/sys/net/ipv4/conf/all/accept_source_route 0
+ write /proc/sys/net/ipv4/conf/default/accept_source_route 0
+ write /proc/sys/net/ipv4/conf/default/accept_redirects 0
+ write /proc/sys/net/ipv4/conf/all/send_redirects 0
+ write /proc/sys/net/ipv4/conf/default/send_redirects 0
+
+ # IPv6 hardening
+ write /proc/sys/net/ipv6/conf/default/accept_redirects 0
+ write /proc/sys/net/ipv6/conf/all/use_tempaddr 2
+ write /proc/sys/net/ipv6/conf/default/use_tempaddr 2
+
# Create cgroup mount points for process groups
mkdir /dev/cpuctl
mount cgroup none /dev/cpuctl cpu
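Review bot: The `tcp_rfc1337` write has no comment while the rest of the IPv4 block is introduced by a heading; since the name is opaque, a line such as `# tcp_rfc1337: keep TIME-WAIT sockets when an RST arrives (RFC 1337 hazards)` would make the intent reviewable. The comment stating that reverse path filtering is handled by netfilter "for consistency with IPv6" cannot be verified from this patch, so it should name where that rule lives (file or service) so the two halves of the policy can be audited together. The `all` and `default` variants of `use_tempaddr` and `accept_redirects` are both set here, which is the right pattern for interfaces created later; note that for some IPv6 sysctls the `all` value is not propagated to already-existing interfaces, so `default` is the one doing the work at this point in boot. The enclosing `on init` section continues outside this hunk.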
--
2.13.0