From 27b5767a9ebe609e84659eed250365c0a9bbbf71 Mon Sep 17 00:00:00 2001
From: hugbubby
Date: Mon, 21 May 2018 02:56:03 -0700
Subject: main/alpine-baselayout: sysctl security changes.

---
 main/alpine-baselayout/APKBUILD | 38 ++++++++++++++++++++++++++++++++++++--
 1 file changed, 36 insertions(+), 2 deletions(-)

diff --git a/main/alpine-baselayout/APKBUILD b/main/alpine-baselayout/APKBUILD
index 87229ccf70..2e1a8673a2 100644
--- a/main/alpine-baselayout/APKBUILD
+++ b/main/alpine-baselayout/APKBUILD
@@ -1,8 +1,8 @@
 # Contributor: Sören Tempel
 # Maintainer: Natanael Copa
 pkgname=alpine-baselayout
-pkgver=3.0.5
-pkgrel=3
+pkgver=3.0.6
+pkgrel=0
 pkgdesc="Alpine base dir structure and init scripts"
 url="https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout"
 arch="all"
@@ -145,11 +145,45 @@ package() {
 # content of this file will override /etc/sysctl.d/*
 EOF
 cat > "$pkgdir"/etc/sysctl.d/00-alpine.conf <<-EOF
+ # Prevents SYN DOS attacks. Applies to ipv6 as well, despite name.
 net.ipv4.tcp_syncookies = 1
+
+ # Prevents ip spoofing.
 net.ipv4.conf.default.rp_filter = 1
 net.ipv4.conf.all.rp_filter = 1
+
+ # Only groups within this id range can use ping.
 net.ipv4.ping_group_range=999 59999
+
+ # Redirects can potentially be used to maliciously alter hosts
+ # routing tables.
+ net.ipv4.conf.all.accept_redirects = 0
+ net.ipv4.conf.all.secure_redirects = 1
+ net.ipv6.conf.all.accept_redirects = 0
+ net.ipv6.conf.all.secure_redirects = 1
+
+ # The source routing feature includes some known vulnerabilities.
+ net.ipv4.conf.all.accept_source_route = 0
+ net.ipv6.conf.all.accept_source-route = 0
+
+ # See RFC 1337
+ net.ipv4.tcp_rfc1337 = 1
+
+ ## Enable IPv6 Privacy Extensions (see RFC4941 and RFC3041)
+ net.ipv6.conf.default.use_tempaddr = 2
+ net.ipv6.conf.all.use_tempaddr = 2
+
+ # Restarts computer after 120 seconds after kernel panic
 kernel.panic = 120
+
+ ## Disable magic-sysrq key
+ kernel.sysrq = 0
+
+ # Users should not be able to create soft or hard links to files
+ # which they do not own. This mitigates several privilege
+ # escalation vulnerabilities.
+ fs.protected_hardlinks = 1
+ fs.protected_symlinks = 1
 EOF
 cat > "$pkgdir"/etc/fstab <<-EOF
 /dev/cdrom /media/cdrom iso9660 noauto,ro 0 0
-- cgit v1.2.3
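Review bot: `net.ipv6.conf.all.accept_source-route = 0` in the new sysctl block uses a hyphen where the kernel key is `net.ipv6.conf.all.accept_source_route`, so sysctl will report that key as missing and the IPv6 source-routing protection the comment promises is never applied. `net.ipv6.conf.all.secure_redirects = 1` has a related problem: the IPv6 stack exposes `accept_redirects` but, as far as I know, no `secure_redirects`, so that line should be dropped rather than corrected. The IPv4 `accept_redirects`/`accept_source_route` keys are combined with each interface's own value and the IPv6 `all` entries are, I believe, not consulted for most options, so for consistency with the `rp_filter` and `use_tempaddr` pairs in the same heredoc it would be worth setting `conf.default.*` alongside `conf.all.*` for the redirect and source-route knobs. The minimal fix is `net.ipv6.conf.all.accept_source_route = 0` plus removal of the IPv6 `secure_redirects` line; `package()` starts before and ends after this hunk.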