Restrict access to debugfs

This commit is contained in:
madaidan 2020-09-28 19:21:20 +00:00
parent feb7cea4c5
commit 06ffd5d220
No known key found for this signature in database
GPG Key ID: CF52E4DE909EC236
2 changed files with 8 additions and 0 deletions

3
debian/control vendored
View File

@ -126,6 +126,9 @@ Description: enhances misc security settings
* Restricts loading line disciplines to `CAP_SYS_MODULE`.
.
* Restricts the `userfaultfd()` syscall to root.
.
* Access to debugfs is restricted as it can contain a lot of sensitive
information.
.
Improve Entropy Collection
.

View File

@ -66,3 +66,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy"
## Remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT because "quiet" must be first.
GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | str_replace "quiet" "")"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet loglevel=0"
## Restrict access to debugfs since it can contain a lot of sensitive information.
## https://lkml.org/lkml/2020/7/16/122
## https://github.com/torvalds/linux/blob/fb1201aececc59990b75ef59fca93ae4aa1e1444/Documentation/admin-guide/kernel-parameters.txt#L835-L848
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"