matthew/sonic-buildimage
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Mitigate CVE-2018-5391 by sysctl (#1948)

Browse Source 
Signed-off-by: Qi Luo <qiluo-msft@users.noreply.github.com>
This commit is contained in:
Qi Luo 2018-08-19 14:36:25 -07:00 committed by lguohan
parent cd8f6c8195
commit 275b583c1c
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
build_debian.sh
View File

@ -272,6 +272,7 @@ check system $HOST
EOF EOF
## Config sysctl ## Config sysctl
## TODO: ipfrag* are for mitigating CVE-2018-5391, remove after kernel upgraded
sudo mkdir -p $FILESYSTEM_ROOT/var/core sudo mkdir -p $FILESYSTEM_ROOT/var/core
sudo augtool --autosave " sudo augtool --autosave "
set /files/etc/sysctl.conf/kernel.core_pattern '|/usr/bin/coredump-compress %e %t %p' set /files/etc/sysctl.conf/kernel.core_pattern '|/usr/bin/coredump-compress %e %t %p'
@ -309,6 +310,9 @@ set /files/etc/sysctl.conf/net.ipv6.conf.eth0.accept_ra_defrtr 0
set /files/etc/sysctl.conf/net.core.rmem_max 2097152 set /files/etc/sysctl.conf/net.core.rmem_max 2097152
set /files/etc/sysctl.conf/net.core.wmem_max 2097152 set /files/etc/sysctl.conf/net.core.wmem_max 2097152
set /files/etc/sysctl.conf/net.ipv4.ipfrag_high_thresh 262144
set /files/etc/sysctl.conf/net.ipv4.ipfrag_low_thresh 196608
" -r $FILESYSTEM_ROOT " -r $FILESYSTEM_ROOT
## docker-py is needed by Ansible docker module ## docker-py is needed by Ansible docker module