CISS.debian.live.builder/config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl

#!/bin/sh
# bashsupport disable=BP5007
# shellcheck disable=SC2249
# shellcheck shell=sh

# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

# Module summary:
# - Runs during live-boot premount while the system is still inside the initramfs.
# - Applies early kernel hardening before the real root and regular services are active.
# - Restricts ptrace, unprivileged BPF, core dumps, kexec, unsafe link handling, regular-file protections, and kernel pointer
#   exposure where supported.

_SAVED_SET_OPTS="$(set +o)"

set -eu

printf "\e[95m[INFO] Starting             : [/usr/lib/live/boot/0026-ciss-early-sysctl.sh] \n\e[0m"

echo 2 > /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || true
echo 1 > /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null || true
echo 0 > /proc/sys/fs/suid_dumpable 2>/dev/null || true
echo 1 > /proc/sys/kernel/kexec_load_disabled 2>/dev/null || true
echo 1 > /proc/sys/fs/protected_symlinks 2>/dev/null || true
echo 1 > /proc/sys/fs/protected_hardlinks 2>/dev/null || true
echo 2 > /proc/sys/fs/protected_regular 2>/dev/null || true
echo 2 > /proc/sys/kernel/kptr_restrict 2>/dev/null || true

eval "${_SAVED_SET_OPTS}"

printf "\e[92m[INFO] Successfully applied : [/usr/lib/live/boot/0026-ciss-early-sysctl.sh] \n\e[0m"

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh