author: kwadronaut <kwadronaut@autistici.org>, 2022-07-05 11:41:18 +0200
committer: kwadronaut <kwadronaut@autistici.org>, 2022-07-05 11:41:18 +0200
commit: 9e6165f16e14898a28eadb1679b0c41ddb1f9f45
tree: 163276de873252fa0a4527fcc8be1bef2781ceb0
parent: a13d6e7f190078c330b8aeaf574af5de5c25cad7
Don't deactivate non-existing kernel module

kernel.unprivileged_userns_clone doesn't exist in some cloud providers
or non-Debian kernels. I'm not entirely sure if it's best to add it this
way; testing if /proc/sys/kernel/unprivileged_userns_clone exists could
be another way.
float/roles/float-base/templates/sysctl.conf.j2 | 2
1 file changed, 2 insertions, 0 deletions
diff --git a/float/roles/float-base/templates/sysctl.conf.j2 b/float/roles/float-base/templates/sysctl.conf.j2 index 2a443ea..c28c31e 100644 --- a/float/roles/float-base/templates/sysctl.conf.j2 +++ b/float/roles/float-base/templates/sysctl.conf.j2 @@ -116,10 +116,12 @@ net.core.bpf_jit_harden=2 kernel.unprivileged_bpf_disabled=1 {% endif %} +{% if not disable_restricted_sysctl %} # Disable unprivileged user namespaces # https://lwn.net/Articles/673597 # (linux-hardened default) kernel.unprivileged_userns_clone=0 +{% endif %} # Enable yama ptrace restrictions # https://www.kernel.org/doc/Documentation/security/Yama.txt |
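Review bot: `disable_restricted_sysctl` is referenced by the new `{% if not disable_restricted_sysctl %}` guard, but nothing in this change defines it; unless a default already exists elsewhere in the role, Ansible's strict undefined handling will make the template fail to render. Add `disable_restricted_sysctl: false` to the role defaults and document the flag. The commit message itself points at the trade-off: a host where the flag is set keeps unprivileged user namespaces enabled with no replacement restriction, so either state that explicitly in the documentation or prefer the alternative mentioned in the message (check for /proc/sys/kernel/unprivileged_userns_clone and emit the line only when it exists), which keeps the hardening automatic. sysctl.conf also accepts a leading `-` on a key (`-kernel.unprivileged_userns_clone=0`) to ignore a failure to set that single value, which would avoid introducing a variable at all. Lastly, the name suggests a broad switch while the guard wraps only this one sysctl; either narrow the name (for example `disable_userns_sysctl`) or make its scope clear where it is documented.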