Marc S. Weidner
ea7dd1e71d
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m2s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
40 lines
1.6 KiB
Bash
40 lines
1.6 KiB
Bash
#!/bin/sh
|
|
# bashsupport disable=BP5007
|
|
# shellcheck disable=SC2249
|
|
# shellcheck shell=sh
|
|
|
|
# SPDX-Version: 3.0
|
|
# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
|
|
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
|
|
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
|
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
|
|
# SPDX-FileType: SOURCE
|
|
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
|
|
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
|
|
# SPDX-PackageName: CISS.debian.live.builder
|
|
# SPDX-Security-Contact: security@coresecret.eu
|
|
|
|
# Purpose: Enforce early sysctls before services start.
|
|
# Phase : premount (executed by live-boot inside the initramfs).
|
|
|
|
_SAVED_SET_OPTS="$(set +o)"
|
|
|
|
set -eu
|
|
|
|
printf "\e[95m[INFO] Starting : [/usr/lib/live/boot/0026-ciss-early-sysctl.sh] \n\e[0m"
|
|
|
|
echo 2 > /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || true
|
|
echo 1 > /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null || true
|
|
echo 0 > /proc/sys/fs/suid_dumpable 2>/dev/null || true
|
|
echo 1 > /proc/sys/kernel/kexec_load_disabled 2>/dev/null || true
|
|
echo 1 > /proc/sys/fs/protected_symlinks 2>/dev/null || true
|
|
echo 1 > /proc/sys/fs/protected_hardlinks 2>/dev/null || true
|
|
echo 2 > /proc/sys/fs/protected_regular 2>/dev/null || true
|
|
echo 2 > /proc/sys/kernel/kptr_restrict 2>/dev/null || true
|
|
|
|
eval "${_SAVED_SET_OPTS}"
|
|
|
|
printf "\e[92m[INFO] Successfully applied : [/usr/lib/live/boot/0026-ciss-early-sysctl.sh] \n\e[0m"
|
|
|
|
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
|