From 740bbe5bc2d3254a0622acf59e5f44571dee860f Mon Sep 17 00:00:00 2001 From: Tommy Date: Sun, 4 Sep 2022 23:51:52 -0400 Subject: [PATCH] Yama ptrace 2 Signed-off-by: Tommy --- Docker-Compose.yml | 2 +- Generic.yml | 2 +- GitLab.yml | 2 +- OnlyOffice.yml | 2 +- kargs | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/Docker-Compose.yml b/Docker-Compose.yml index 169b6e6..fe35756 100644 --- a/Docker-Compose.yml +++ b/Docker-Compose.yml @@ -171,7 +171,7 @@ kernel_arguments: - sysctl.kernel.kptr_restrict=2 - sysctl.vm.mmap_rnd_bits=32 - sysctl.vm.mmap_rnd_compat_bits=16 - - sysctl.kernel.yama.ptrace_scope=3 + - sysctl.kernel.yama.ptrace_scope=2 - sysctl.fs.suid_dumpable=0 - sysctl.kernel.randomize_va_space=2 - sysctl.net.ipv4.tcp_rfc1337=1 diff --git a/Generic.yml b/Generic.yml index 820d49f..6eb1c81 100644 --- a/Generic.yml +++ b/Generic.yml @@ -189,7 +189,7 @@ kernel_arguments: - sysctl.kernel.kptr_restrict=2 - sysctl.vm.mmap_rnd_bits=32 - sysctl.vm.mmap_rnd_compat_bits=16 - - sysctl.kernel.yama.ptrace_scope=3 + - sysctl.kernel.yama.ptrace_scope=2 - sysctl.fs.suid_dumpable=0 - sysctl.kernel.randomize_va_space=2 - sysctl.net.ipv4.tcp_rfc1337=1 diff --git a/GitLab.yml b/GitLab.yml index 57c7b05..bce6e23 100644 --- a/GitLab.yml +++ b/GitLab.yml @@ -191,7 +191,7 @@ kernel_arguments: - sysctl.kernel.kptr_restrict=2 - sysctl.vm.mmap_rnd_bits=32 - sysctl.vm.mmap_rnd_compat_bits=16 - - sysctl.kernel.yama.ptrace_scope=3 + - sysctl.kernel.yama.ptrace_scope=2 - sysctl.fs.suid_dumpable=0 - sysctl.kernel.randomize_va_space=2 - sysctl.net.ipv4.tcp_rfc1337=1 diff --git a/OnlyOffice.yml b/OnlyOffice.yml index a347eef..b9ffb21 100644 --- a/OnlyOffice.yml +++ b/OnlyOffice.yml @@ -190,7 +190,7 @@ kernel_arguments: - sysctl.kernel.kptr_restrict=2 - sysctl.vm.mmap_rnd_bits=32 - sysctl.vm.mmap_rnd_compat_bits=16 - - sysctl.kernel.yama.ptrace_scope=3 + - sysctl.kernel.yama.ptrace_scope=2 - sysctl.fs.suid_dumpable=0 - sysctl.kernel.randomize_va_space=2 - sysctl.net.ipv4.tcp_rfc1337=1 diff --git a/kargs b/kargs index 4f03899..f156d2a 100644 --- a/kargs +++ b/kargs @@ -1 +1 @@ -spectre_v2=on spec_store_bypass_disable=on l1tf=full,force mds=full,nosmt tsx=off tsx_async_abort=full,nosmt kvm.nx_huge_pages=force nosmt=force l1d_flush=on mmio_stale_data=full,nosmt random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=on iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none page_alloc.shuffle=1 randomize_kstack_offset=on extra_latent_entropy debugfs=off sysctl.kernel.dmesg_restrict=1 sysctl.fs.protected_fifos=2 sysctl.fs.protected_regular=2 sysctl.fs.protected_symlinks=1 sysctl.fs.protected_hardlinks=1 sysctl.net.core.bpf_jit_harden=2 sysctl.kernel.kexec_load_disabled=1 sysctl.kernel.kptr_restrict=2 sysctl.vm.mmap_rnd_bits=32 sysctl.vm.mmap_rnd_compat_bits=16 sysctl.kernel.yama.ptrace_scope=3 sysctl.fs.suid_dumpable=0 sysctl.kernel.randomize_va_space=2 sysctl.net.ipv4.tcp_rfc1337=1 sysctl.net.ipv4.conf.all.accept_redirects=0 sysctl.net.ipv4.conf.default.accept_redirects=0 sysctl.net.ipv4.conf.all.secure_redirects=0 sysctl.net.ipv4.conf.default.secure_redirects=0 sysctl.net.ipv6.conf.all.accept_redirects=0 sysctl.net.ipv6.conf.default.accept_redirects=0 sysctl.net.ipv4.conf.all.send_redirects=0 sysctl.net.ipv4.conf.default.send_redirects=0 sysctl.net.ipv4.icmp_echo_ignore_all=1 sysctl.net.ipv6.icmp.echo_ignore_all=1 sysctl.net.ipv4.icmp_ignore_bogus_error_responses=1 sysctl.net.ipv4.tcp_syncookies=1 sysctl.net.ipv4.conf.all.accept_source_route=0 sysctl.net.ipv4.conf.default.accept_source_route=0 sysctl.net.ipv6.conf.all.accept_source_route=0 sysctl.net.ipv6.conf.default.accept_source_route=0 sysctl.net.ipv4.conf.default.rp_filter=1 sysctl.net.ipv4.conf.all.rp_filter=1 sysctl.net.ipv4.tcp_timestamps=0 sysctl.kernel.sysrq=132 sysctl.dev.tty.ldisc_autoload=0 sysctl.vm.unprivileged_userfaultfd=0 sysctl.vm.swappiness=1 sysctl.kernel.perf_event_paranoid=3 sysctl.net.ipv6.conf.all.accept_ra=0 sysctl.net.ipv6.conf.default.accept_ra=0 \ No newline at end of file +spectre_v2=on spec_store_bypass_disable=on l1tf=full,force mds=full,nosmt tsx=off tsx_async_abort=full,nosmt kvm.nx_huge_pages=force nosmt=force l1d_flush=on mmio_stale_data=full,nosmt random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=on iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none page_alloc.shuffle=1 randomize_kstack_offset=on extra_latent_entropy debugfs=off sysctl.kernel.dmesg_restrict=1 sysctl.fs.protected_fifos=2 sysctl.fs.protected_regular=2 sysctl.fs.protected_symlinks=1 sysctl.fs.protected_hardlinks=1 sysctl.net.core.bpf_jit_harden=2 sysctl.kernel.kexec_load_disabled=1 sysctl.kernel.kptr_restrict=2 sysctl.vm.mmap_rnd_bits=32 sysctl.vm.mmap_rnd_compat_bits=16 sysctl.kernel.yama.ptrace_scope=2 sysctl.fs.suid_dumpable=0 sysctl.kernel.randomize_va_space=2 sysctl.net.ipv4.tcp_rfc1337=1 sysctl.net.ipv4.conf.all.accept_redirects=0 sysctl.net.ipv4.conf.default.accept_redirects=0 sysctl.net.ipv4.conf.all.secure_redirects=0 sysctl.net.ipv4.conf.default.secure_redirects=0 sysctl.net.ipv6.conf.all.accept_redirects=0 sysctl.net.ipv6.conf.default.accept_redirects=0 sysctl.net.ipv4.conf.all.send_redirects=0 sysctl.net.ipv4.conf.default.send_redirects=0 sysctl.net.ipv4.icmp_echo_ignore_all=1 sysctl.net.ipv6.icmp.echo_ignore_all=1 sysctl.net.ipv4.icmp_ignore_bogus_error_responses=1 sysctl.net.ipv4.tcp_syncookies=1 sysctl.net.ipv4.conf.all.accept_source_route=0 sysctl.net.ipv4.conf.default.accept_source_route=0 sysctl.net.ipv6.conf.all.accept_source_route=0 sysctl.net.ipv6.conf.default.accept_source_route=0 sysctl.net.ipv4.conf.default.rp_filter=1 sysctl.net.ipv4.conf.all.rp_filter=1 sysctl.net.ipv4.tcp_timestamps=0 sysctl.kernel.sysrq=132 sysctl.dev.tty.ldisc_autoload=0 sysctl.vm.unprivileged_userfaultfd=0 sysctl.vm.swappiness=1 sysctl.kernel.perf_event_paranoid=3 sysctl.net.ipv6.conf.all.accept_ra=0 sysctl.net.ipv6.conf.default.accept_ra=0 \ No newline at end of file