oniro-sysctl: Add project specific sysctl parameters

Closes: OSTC/planning/core-os#129
Signed-off-by: Pavel Zhukov <pavel@zhukoff.net>

meta-oniro-core/recipes-core/oniro-sysctl/oniro-sysctl.bb

+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+SUMMARY = "Oniro project specific sysctl settings"
+SECTION = "base"
+DESCTIPTION = "This recipes provides a set of Oniro Project specific settings for the kernel hardening."
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/Apache-2.0;md5=89aea4e17d99a7cacdbeed46a0096b10"
+
+SRC_URI = 	" 				\
+		file://oniro-bpf.conf 		\
+		file://oniro-general.conf 	\
+		file://oniro-net-ipv4.conf 	\
+		file://oniro-net-ipv6.conf 	\
+		"
+inherit allarch
+
+
+do_configure[noexec] = "1"
+do_compile[noexec] = "1"
+
+do_install() {
+	install -d "${D}/${sysconfdir}/sysctl.d"
+	install -m 0644 "${WORKDIR}/oniro-general.conf" "${D}${sysconfdir}/sysctl.d/"
+	install -m 0644 "${WORKDIR}/oniro-net-ipv4.conf" "${D}${sysconfdir}/sysctl.d/"
+	install -m 0644 "${WORKDIR}/oniro-net-ipv6.conf" "${D}${sysconfdir}/sysctl.d/"
+	install -m 0644 "${WORKDIR}/oniro-bpf.conf" "${D}${sysconfdir}/sysctl.d/"
+}
+
+FILES_${PN} += "${sysconfdir}/sysctl.d/oniro-*"

meta-oniro-core/recipes-core/oniro-sysctl/oniro-sysctl/oniro-bpf.conf

+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+# Turn off unprivileged eBPF access.
+kernel.unprivileged_bpf_disabled = 1
+
+# Turn on BPF JIT hardening, if the JIT is enabled.
+net.core.bpf_jit_harden = 2

meta-oniro-core/recipes-core/oniro-sysctl/oniro-sysctl/oniro-general.conf

+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+# Try to keep kernel address exposures out of various /proc files 
+# (kallsyms, modules, etc). (There is no CONFIG for the changing the initial value.)
+kernel.kptr_restrict = 2
+
+# Block non-uid-0 profiling (needs distro patch, otherwise this is the same as "= 2")
+# https://lwn.net/Articles/696264/
+kernel.perf_event_paranoid = 3
+
+# Turn off kexec, even if it's built in.
+kernel.kexec_load_disabled = 1
+
+# Avoid non-ancestor ptrace access to running processes and their credentials.
+kernel.yama.ptrace_scope = 1
+
+# Disable User Namespaces, as it opens up a large attack surface to unprivileged users.
+user.max_user_namespaces = 0

meta-oniro-core/recipes-core/oniro-sysctl/oniro-sysctl/oniro-net-ipv4.conf

+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+# Reverse Path Filtering
+net.ipv4.conf.all.rp_filter = 1
+
+# Do not accept ICMP redirect messages
+net.ipv4.conf.default.accept_redirects = 0
+
+# Do not accept packets with SRR option.
+net.ipv4.conf.default.accept_source_route = 0
+
+# Log packets with impossible addresses to kernel log
+net.ipv4.config.default.log_martians = 1

meta-oniro-core/recipes-core/oniro-sysctl/oniro-sysctl/oniro-net-ipv6.conf

+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+# Do not accept redirects
+net.ipv6.conf.all.accept_redirects  = 0
+net.ipv6.conf.default.accept_redirects = 0

meta-oniro-core/recipes-core/packagegroups/packagegroup-oniro-core.bb

@@ -10,4 +10,5 @@ PACKAGES = "packagegroup-oniro-core"
 
 RDEPENDS_packagegroup-oniro-core = "\
 	oniro-mounts \
+	oniro-sysctl \
 	"