aboutsummaryrefslogtreecommitdiffstats
path: root/main/alpine-baselayout/APKBUILD
diff options
context:
space:
mode:
authorhugbubby <hugbubby@protonmail.com>2018-05-21 02:56:03 -0700
committerNatanael Copa <ncopa@alpinelinux.org>2018-06-06 17:49:51 +0000
commit27b5767a9ebe609e84659eed250365c0a9bbbf71 (patch)
tree18ac21cd042f347939a01e584489d8a32c251d7b /main/alpine-baselayout/APKBUILD
parent30ada7ffb6dae9e62026afbc3a54013fc67c4f40 (diff)
downloadaports-27b5767a9ebe609e84659eed250365c0a9bbbf71.tar.bz2
aports-27b5767a9ebe609e84659eed250365c0a9bbbf71.tar.xz
main/alpine-baselayout: sysctl security changes.
Diffstat (limited to 'main/alpine-baselayout/APKBUILD')
-rw-r--r--main/alpine-baselayout/APKBUILD38
1 files changed, 36 insertions, 2 deletions
diff --git a/main/alpine-baselayout/APKBUILD b/main/alpine-baselayout/APKBUILD
index 87229ccf70..2e1a8673a2 100644
--- a/main/alpine-baselayout/APKBUILD
+++ b/main/alpine-baselayout/APKBUILD
@@ -1,8 +1,8 @@
# Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=alpine-baselayout
-pkgver=3.0.5
-pkgrel=3
+pkgver=3.0.6
+pkgrel=0
pkgdesc="Alpine base dir structure and init scripts"
url="https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout"
arch="all"
@@ -145,11 +145,45 @@ package() {
# content of this file will override /etc/sysctl.d/*
EOF
cat > "$pkgdir"/etc/sysctl.d/00-alpine.conf <<-EOF
+ # Prevents SYN DOS attacks. Applies to ipv6 as well, despite name.
net.ipv4.tcp_syncookies = 1
+
+ # Prevents ip spoofing.
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
+
+ # Only groups within this id range can use ping.
net.ipv4.ping_group_range=999 59999
+
+ # Redirects can potentially be used to maliciously alter hosts
+ # routing tables.
+ net.ipv4.conf.all.accept_redirects = 0
+ net.ipv4.conf.all.secure_redirects = 1
+ net.ipv6.conf.all.accept_redirects = 0
+ net.ipv6.conf.all.secure_redirects = 1
+
+ # The source routing feature includes some known vulnerabilities.
+ net.ipv4.conf.all.accept_source_route = 0
+ net.ipv6.conf.all.accept_source-route = 0
+
+ # See RFC 1337
+ net.ipv4.tcp_rfc1337 = 1
+
+ ## Enable IPv6 Privacy Extensions (see RFC4941 and RFC3041)
+ net.ipv6.conf.default.use_tempaddr = 2
+ net.ipv6.conf.all.use_tempaddr = 2
+
+ # Restarts computer after 120 seconds after kernel panic
kernel.panic = 120
+
+ ## Disable magic-sysrq key
+ kernel.sysrq = 0
+
+ # Users should not be able to create soft or hard links to files
+ # which they do not own. This mitigates several privilege
+ # escalation vulnerabilities.
+ fs.protected_hardlinks = 1
+ fs.protected_symlinks = 1
EOF
cat > "$pkgdir"/etc/fstab <<-EOF
/dev/cdrom /media/cdrom iso9660 noauto,ro 0 0