Disable sysrq f (OOM-killer) but leave other sysrq keys operational

2 votes
1 answer
1041 views
I was following a guide for automatically decrypting the hard drive on boot, using self-generated keys and tpm2 variables, and near the end it makes this point that seems to make sense:

https://blastrock.github.io/fde-tpm-sb.html#disable-the-magic-sysrq-key

> The magic SysRq key allows running some special kernel actions. The most dangerous ones are disabled by default, and you should keep them that way for maximum security.
>
> For example, one of them (f) will invoke the OOM-killer. This function could kill your lockscreen, giving full access to your desktop to a malicious user.

The problem is that I only found how to disable **all** sysrq keys, e.g. https://askubuntu.com/questions/911522/how-can-i-enable-the-magic-sysrq-key-on-ubuntu-desktop or https://askubuntu.com/questions/11002/alt-sysrq-reisub-doesnt-reboot-my-laptop , using something like adding a /etc/sysctl.d/90-sysrq.conf file with this line:

```
kernel.sysrq=1
```

I would like, if possible, to be able to use all the other keys, e.g. REISUB in case the system crashes, and only have the F key disabled.

I also found this article, https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html , that mentions adding a bitmask like:
```
  2 =   0x2 - enable control of console logging level
  4 =   0x4 - enable control of keyboard (SAK, unraw)
  8 =   0x8 - enable debugging dumps of processes etc.
 16 =  0x10 - enable sync command
 32 =  0x20 - enable remount read-only
 64 =  0x40 - enable signalling of processes (term, kill, oom-kill)
128 =  0x80 - allow reboot/poweroff
256 = 0x100 - allow nicing of all RT tasks
```
but I don't understand how to have only sysrq-f disabled, and all other keys at their default value.

The current setup on my laptop (Debian 12) is the following:

```
$ grep -IirF sysrq /etc/sysctl.*
/etc/sysctl.conf:# 0=disable, 1=enable all, >1 bitmask of sysrq functions
/etc/sysctl.conf:# See https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html 
/etc/sysctl.conf:#kernel.sysrq=438

$ grep -IirF sysrq /etc/sysctl.d/*
/etc/sysctl.d/99-sysctl.conf:# 0=disable, 1=enable all, >1 bitmask of sysrq functions
/etc/sysctl.d/99-sysctl.conf:# See https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html 
/etc/sysctl.d/99-sysctl.conf:#kernel.sysrq=438
```
Asked by user000001 (3795 rep)
Nov 5, 2023, 07:32 AM
Last activity: Nov 5, 2023, 06:51 PM
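
An added example, not part of the original question: decoding a `kernel.sysrq` value against the bitmask table quoted above and clearing the 0x40 group. In that table oom-kill shares bit 64 with term and kill, so the mask removes SysRq-f together with SysRq-e and SysRq-i rather than f alone. The function names are hypothetical, and 510 is simply the sum of the bits listed in the table, used to expand the special value 1.

```shell
#!/bin/sh
# Added example: inspect and adjust kernel.sysrq bitmask values.
# Helper names are hypothetical; bit meanings come from the table in the question.

SYSRQ_SIGNAL=64     # 0x40: signalling of processes (term, kill, oom-kill)
SYSRQ_ALL_BITS=510  # 2+4+8+16+32+64+128+256, every bit listed in the table

# The value 1 means "enable all", not "bit 0": expand it to explicit bits.
sysrq_normalize() {
    if [ "$1" -eq 1 ]; then echo "$SYSRQ_ALL_BITS"; else echo "$1"; fi
}

# Print the value with the 0x40 signalling group cleared.
sysrq_without_signalling() {
    mask=$(sysrq_normalize "$1")
    echo $(( $mask & ~$SYSRQ_SIGNAL ))
}

# Exit status 0 if the value permits SysRq-f (oom-kill), 1 otherwise.
sysrq_allows_oom_kill() {
    mask=$(sysrq_normalize "$1")
    [ $(( $mask & $SYSRQ_SIGNAL )) -ne 0 ]
}

# List the function groups that a value enables, one per line.
sysrq_decode() {
    mask=$(sysrq_normalize "$1")
    while read -r bit desc; do
        if [ $(( $mask & $bit )) -ne 0 ]; then echo "$bit $desc"; fi
    done <<'EOF'
2 control of console logging level
4 control of keyboard (SAK, unraw)
8 debugging dumps of processes etc.
16 sync command
32 remount read-only
64 signalling of processes (term, kill, oom-kill)
128 reboot/poweroff
256 nicing of all RT tasks
EOF
    return 0
}

# Demo on sample inputs: 438 is the commented-out value shown in the question.
echo "438 enables:"
sysrq_decode 438
echo "1 (enable all) with signalling cleared: $(sysrq_without_signalling 1)"
```

The number printed by `sysrq_without_signalling` is what would go on the `kernel.sysrq=` line of a drop-in such as the /etc/sysctl.d/90-sysrq.conf file mentioned in the question.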