revert some container related options

2022-09-18 23:22:27 +02:00 · 2022-09-18 23:22:27 +02:00 · b78a915858
parent ca27e64ad4
commit b78a915858
3 changed files with 4 additions and 12 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -6,6 +6,7 @@ kernel_disable_modules:
  - sctp
  - tipc
  - rds
+  - bluetooth

 kernel_blacklist_modules: []

--- a/templates/etc/sysctl.d/dump.conf.j2
+++ b/templates/etc/sysctl.d/dump.conf.j2
@ -2,5 +2,8 @@
 # Controls whether core dumps will append the PID to the core filename
 kernel.core_uses_pid = 1

+# Disable storing core dumps
+kernel.core_pattern = |/bin/false
+
 # Disable core dumps for setuid programs
 fs.suid_dumpable = 0
--- a/templates/etc/sysctl.d/local.conf.j2
+++ b/templates/etc/sysctl.d/local.conf.j2
@ -7,21 +7,9 @@ kernel.randomize_va_space = 2
 # Controls the System Request debugging functionality of the kernel
 kernel.sysrq = 0

-# Restrict unprivileged access to kernel syslog
-kernel.dmesg_restrict = 1
-
-# Restrict kernel address exposing
-kernel.kptr_restrict = 2
-
-# Limit scope for ptrace
-kernel.yama.ptrace_scope = 2
-
 # Command is trapped and sent to the init program to handle a graceful restart
 kernel.ctrl-alt-del = 0

-# Disable access to performance events by users without CAP_SYS_ADMIN
-kernel.perf_event_paranoid = 3
-
 # Prevents unprivileged users from being able to use eBPF
 kernel.unprivileged_bpf_disabled = 1