Does anyone happen to know if there is any way to set sysctl in kernel lockdown mode?
I’m not looking to do it while the system is running so much as to in some way set my own default settings. Using sysctl.d files doesn’t work. I’m guessing “maybe” with kernel cmdline options using ‘sysctl.’ that was added but I’m not sure of the limitations as its borderline not documented.
What kind of documentation have you already read till now?
Was there any difficulty understanding them, so we may help on this?
Do you want someone to tell you exactly what to do?
For someone to give the proper advice, he has to know what you are trying to protect exactly. Security is a very wide and delicate subject.
Unless I misunderstood your question, so please explain better.
So this issue isnt security as much as finding a way to work with the security feature. Lockdown prevents access to a lot of the sysctl parameters as it prevents root and userspace from accessing them during runtime.
The only documentation i know of for setting sysctl via kernel cmdline is that you can and it doesnt allow things like swappiness
here https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
sysctl.*= [KNL]
Set a sysctl parameter, right before loading the init
process, as if the value was written to the respective
/proc/sys/... file. Both '.' and '/' are recognized as
separators. Unrecognized parameters and invalid values
are reported in the kernel log. Sysctls registered
later by a loaded module cannot be set this way.
Example: sysctl.vm.swappiness=40
Im trying to avoid having to build a custom kernel for CFS tweaks, which without lockdown mode you can do with sysctl. Im just looking to see if anyone knows any sort of work around to set sysctl parameters when the kernel is initialized vs from userspace/with root to maintain the lockdown state AND get the settings i want. Im also encountering the issue that i cant really check if its working or not as i cant read out the values lol
There isnt a ton i can find on working with lockdown mode just what it does and how to enable it.
ok, looks like CFS Scheduler tunables got moved to /sys/kernel/debug/sched/ with kernel 5.13 which means you cant set them with syctl anyway lol
Is the Book not enough?
Unfortunately no, that covers what lockdown mode is and how to enable it. Its just the same info I have already.
I wasn’t having trouble with enabling or disabling lockdown. I was trying to find a way to write sysctl values that no longer exist while being in lockdown. I solved the issue by discovering that fact lol 
The moving of those values to a different location I think has complete prevented me being able to even do those tweaks due to the directory being protected and no other real way to write to it. I don’t believe what I want is possible without a custom kernel and a lot of self signing modules and such.
I appreciate the attempt at help but I think there might be some slight misunderstanding exactly my issue 
This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.