From 39f67d9d3897117ac3afcf40e2e2118fa8f46e22 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Wed, 31 Jul 2013 16:10:13 +0200
Subject: [PATCH] Hide kernel pointers for unprivileged users via kptr_restrict

---
 modules/config/sysctl.nix | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/modules/config/sysctl.nix b/modules/config/sysctl.nix
index b0f3708dbb24..6b52fd38fdec 100644
--- a/modules/config/sysctl.nix
+++ b/modules/config/sysctl.nix
@@ -60,6 +60,10 @@ in
 boot.kernel.sysctl."fs.protected_hardlinks" = true;
 boot.kernel.sysctl."fs.protected_symlinks" = true;
+ # Hide kernel pointers (e.g. in /proc/modules) for unprivileged
+ # users as these make it easier to exploit kernel vulnerabilities.
+ boot.kernel.sysctl."kernel.kptr_restrict" = 1;
+
 };
 }
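Review bot: The added `boot.kernel.sysctl."kernel.kptr_restrict" = 1;` is weaker than the comment suggests, because value 1 only hides pointers from processes lacking CAP_SYSLOG and only affects pointers formatted with `%pK`; anything the kernel prints with plain `%p`, and addresses already written to the kernel log, are not covered. If the intent is to hide addresses from every reader including root, value 2 does that unconditionally, so the comment should record the trade-off that was chosen, e.g. `# kptr_restrict=1 hides %pK pointers only from processes without CAP_SYSLOG; 2 would hide them from all users.`. The parallel exposure through the kernel log is normally closed alongside this with `boot.kernel.sysctl."kernel.dmesg_restrict" = true;`, which would fit next to the two `fs.protected_*` defaults above; that is a separate change but worth noting in the comment if it is deliberately left out. The enclosing `config` attribute set starts outside the hunk.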