Merge pull request #12 from k4yt3x/1.7

1.7
k4yt3x · Aug 4, 2022 · 0b3910d · 0b3910d
2 parents 7131835 + 7f44c4c
commit 0b3910d
Showing 1 changed file with 14 additions and 5 deletions.
diff --git a/sysctl.conf b/sysctl.conf
@@ -2,12 +2,14 @@
 # Author: K4YT3X
 # Contributor: IceCodeNew
 # Contributor: HorlogeSkynet
+# Contributor: shenzhui007
+# Contributor: HorlogeSkynet
 # Date Created: October 5, 2020
-# Last Updated: October 15, 2021
+# Last Updated: August 4, 2022
 
 # Licensed under the GNU General Public License Version 3 (GNU GPL v3),
 #   available at: https://www.gnu.org/licenses/gpl-3.0.txt
-# (C) 2020-2021 K4YT3X
+# (C) 2020-2022 K4YT3X
 
 # Multiple sources have been consulted while writing this configuration
 #  file (e.g., nixCraft's sysctl.conf). Sources are not cited since this
@@ -69,6 +71,9 @@ kernel.perf_event_paranoid = 3
 kernel.perf_cpu_time_max_percent = 1
 kernel.perf_event_max_sample_rate = 1
 
+# prevent unprivileged attackers from loading vulnerable line disciplines with the TIOCSETD ioctl
+dev.tty.ldisc_autoload = 0
+
 ########## File System ##########
 
 # disallow core dumping by SUID/SGID programs
@@ -110,9 +115,13 @@ fs.inotify.max_user_watches = 524288
 # do not allow mmap in lower addresses
 vm.mmap_min_addr = 65536
 
-# improve mmap ASLR effectness
-vm.mmap_rnd_bits=32
-vm.mmap_rnd_compat_bits=16
+# improve mmap ASLR effectiveness
+vm.mmap_rnd_bits = 32
+vm.mmap_rnd_compat_bits = 16
+
+# prevent unprivileged users from accessing userfaultfd
+# restricts syscall to the privileged users or the CAP_SYS_PTRACE capability
+vm.unprivileged_userfaultfd = 0
 
 ########## Networking ##########