V8.13.440.2025.11.19

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-11-23 08:19:05 +00:00
parent 1fdec4a6ef
commit a3dd0ac061
6 changed files with 28 additions and 8 deletions
--- a/config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl
+++ b/config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl
@@ -17,18 +17,22 @@
 # Purpose: Enforce early sysctls before services start.
 # Phase  : premount (executed by live-boot inside the initramfs).

+_SAVED_SET_OPTS="$(set +o)"
+
 set -eu

 printf "\e[95m[INFO] Starting: [/usr/lib/live/boot/0026-ciss-early-sysctl.sh] ... \n\e[0m"

-#echo 2 > /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || true
-#echo 1 > /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null || true
-#echo 0 > /proc/sys/fs/suid_dumpable 2>/dev/null || true
-#echo 1 > /proc/sys/kernel/kexec_load_disabled 2>/dev/null || true
-#echo 1 > /proc/sys/fs/protected_symlinks 2>/dev/null || true
-#echo 1 > /proc/sys/fs/protected_hardlinks 2>/dev/null || true
-#echo 2 > /proc/sys/fs/protected_regular 2>/dev/null || true
-#echo 2 > /proc/sys/kernel/kptr_restrict 2>/dev/null || true
+echo 2 > /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || true
+echo 1 > /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null || true
+echo 0 > /proc/sys/fs/suid_dumpable 2>/dev/null || true
+echo 1 > /proc/sys/kernel/kexec_load_disabled 2>/dev/null || true
+echo 1 > /proc/sys/fs/protected_symlinks 2>/dev/null || true
+echo 1 > /proc/sys/fs/protected_hardlinks 2>/dev/null || true
+echo 2 > /proc/sys/fs/protected_regular 2>/dev/null || true
+echo 2 > /proc/sys/kernel/kptr_restrict 2>/dev/null || true
+
+eval "${_SAVED_SET_OPTS}"

 printf "\e[92m[INFO] Successfully applied: [/usr/lib/live/boot/0026-ciss-early-sysctl.sh] \n\e[0m"