From a8fa975f9fb60752eb5d03bc2c19132141d651e9 Mon Sep 17 00:00:00 2001
From: Andrea Brancaleoni
Date: Mon, 12 Dec 2016 01:22:17 +0100
Subject: [PATCH] base-files: kernel hardening

---
 srcpkgs/base-files/files/sysctl.conf | 15 +++++++++++++++
 srcpkgs/base-files/template | 2 +-
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/srcpkgs/base-files/files/sysctl.conf b/srcpkgs/base-files/files/sysctl.conf
index 5a8442f925c..540bffbef9e 100644
--- a/srcpkgs/base-files/files/sysctl.conf
+++ b/srcpkgs/base-files/files/sysctl.conf
@@ -4,3 +4,18 @@ kernel.core_uses_pid = 1
 # Enable hard and soft link protection
 fs.protected_hardlinks=1
 fs.protected_symlinks=1
+
+# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
+kernel.kptr_restrict=1
+
+# Avoid kernel memory address exposures via dmesg.
+kernel.dmesg_restrict=1
+
+# Block non-uid-0 kernel profiling
+kernel.perf_event_paranoid=2
+
+# Turn off kexec, even if it's built in.
+kernel.kexec_load_disabled=1
+
+# Avoid non-ancestor ptrace access to running processes and their credentials.
+kernel.yama.ptrace_scope=1
diff --git a/srcpkgs/base-files/template b/srcpkgs/base-files/template
index c9e1a7ca6db..78cae33ff23 100644
--- a/srcpkgs/base-files/template
+++ b/srcpkgs/base-files/template
@@ -1,7 +1,7 @@
 # Template file for 'base-files'
 pkgname=base-files
 version=0.139
-revision=4
+revision=5
 bootstrap=yes
 depends="xbps-triggers"
 short_desc="Void Linux base system files"
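Review bot: `kernel.kexec_load_disabled=1` is a one-way switch — once written it cannot be set back to 0 until the next reboot — and the comment above it should say so, e.g. `# Turn off kexec, even if it's built in. One-way: cannot be re-enabled without a reboot.` The `kernel.yama.ptrace_scope` and `kernel.kexec_load_disabled` keys only exist when the running kernel is built with the Yama LSM and kexec support respectively; on a kernel lacking either, `sysctl -p` logs the missing key as an error, which is presumably harmless for the stock Void kernel but worth a comment for users running custom kernels, e.g. `# Requires CONFIG_SECURITY_YAMA; ignored with an error on kernels without it.` `kernel.perf_event_paranoid=2` also denies unprivileged users access to perf CPU events, not just kernel profiling, so the comment could point developers who need local profiling to override it in a drop-in under /etc/sysctl.d rather than editing this file.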