Merge pull request #268 from raja-grewal/panic_on_warn

Enable `panic_on_warn=1`
Kicksecure · Sep 4, 2024 · 175945e · 175945e
2 parents b0a8544 + 3101035
commit 175945e
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 8 deletions.
diff --git a/README.md b/README.md
@@ -43,9 +43,10 @@ Kernel space:
 
 - Restrict kernel profiling and the performance events system to `CAP_PERFMON`.
 
-- Force the kernel to panic on "oopses" that can potentially indicate and thwart
-  certain kernel exploitation attempts. Optional - Force immediate reboot on the
-  occurrence of a kernel panic and also set panic limit to one (when using Linux kernel >= 6.2).
+- Force the kernel to panic on both "oopses", which can potentially indicate and thwart
+  certain kernel exploitation attempts, and also kernel warnings in the `WARN()` path.
+  Optional - Force immediate reboot on the occurrence of a single kernel panic and also
+  (when using Linux kernel >= 6.2) limit the number of allowed panics to one.
 
 - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
 

diff --git a/usr/libexec/security-misc/panic-on-oops b/usr/libexec/security-misc/panic-on-oops
@@ -12,12 +12,12 @@ if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then
    source /usr/libexec/helper-scripts/pre.bsh
 fi
 
-## Makes the kernel panic on oopses. This prevents the kernel
-## from continuing to run a flawed processes. Many kernel exploits
-## will also cause an oops which this will make the kernel kill
-## the offending processes.
+## Makes the kernel panic on oopses and warnings. This prevents the
+## kernel from continuing to run a flawed processes. Many kernel
+## exploits will also cause an oops, these settings will make the
+## kernel kill the offending processes.
 #sysctl kernel.panic=-1
 sysctl kernel.panic_on_oops=1
-#sysctl kernel.panic_on_warn=1
+sysctl kernel.panic_on_warn=1
 #sysctl kernel.oops_limit=1
 #sysctl kernel.warn_limit=1