From 20ae7c7a60b3f31e8542de8171235c7a8c24a14a Mon Sep 17 00:00:00 2001
From: Tommaso Chiti
Date: Fri, 16 Apr 2021 15:02:34 +0200
Subject: [PATCH] Update easy-arch.sh
---
 easy-arch.sh | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/easy-arch.sh b/easy-arch.sh
index 00f547c..6b308a2 100644
--- a/easy-arch.sh
+++ b/easy-arch.sh
@@ -152,6 +152,16 @@ cryptsetup -v luksAddKey /dev/disk/by-partlabel/Cryptroot /mnt/root/cryptroot.ke
 sed -i "s,quiet,quiet cryptdevice=UUID=$UUID:cryptroot root=$BTRFS cryptkey=rootfs:/root/cryptroot.keyfile,g" /mnt/etc/default/grub
 sed -i "s#FILES=()#FILES=(/root/cryptroot.keyfile)#g" /mnt/etc/mkinitcpio.conf
+#Security kernel settings
+echo "kernel.kptr_restrict = 2" > /mnt/etc/sysctl.d/51-kptr-restrict.conf
+echo "kernel.kexec_load_disabled = 1" > /mnt/etc/sysctl.d/51-kexec-restrict.conf
+cat << EOF >> /mnt/etc/sysctl.d/10-security.conf
+ fs.protected_hardlinks = 1
+ fs.protected_symlinks = 1
+ net.core.bpf_jit_harden = 2
+ kernel.yama.ptrace_scope = 3
+EOF
+
 # Configuring the system.
 arch-chroot /mnt /bin/bash -e <