Disable sysrq f (OOM-killer) but leave other sysrq keys operational
I was following a guide for automatically decrypting the hard drive on boot, using self-generated keys, and tpm2 variables, and near the end it makes this point that seems to make sense: https://blastrock.github.io/fde-tpm-sb.html#disable-the-magic-sysrq-key
The magic SysRq key allows running some special kernel actions. The most dangerous ones are disabled by default, and you should keep them that way for maximum security.
For example, one of them (f) will invoke the OOM-killer. This function could kill your lockscreen, giving full access to your desktop to a malicious user.
The problem is that I only found how to disable all sysrq keys, e.g. https://askubuntu.com/questions/911522/how-can-i-enable-the-magic-sysrq-key-on-ubuntu-desktop or https://askubuntu.com/questions/11002/alt-sysrq-reisub-doesnt-reboot-my-laptop, using something adding a /etc/sysctl.d/90-sysrq.conf file with this line:
kernel.sysrq=1
I would like if possible to be able to use all the other keys e.g. REISUB in case the system crashes, and only have the F key disabled.
I also found this article https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html, that mentions adding a bitmask like:
2 = 0x2 - enable control of console logging level
4 = 0x4 - enable control of keyboard (SAK, unraw)
8 = 0x8 - enable debugging dumps of processes etc.
16 = 0x10 - enable sync command
32 = 0x20 - enable remount read-only
64 = 0x40 - enable signalling of processes (term, kill, oom-kill)
128 = 0x80 - allow reboot/poweroff
256 = 0x100 - allow nicing of all RT tasks
but I don’t understand how to have only sysrq-f disabled, and all other keys at their default value.
The current setup on my laptop (debian 12), is the following:
$ grep -IirF sysrq /etc/sysctl.*
/etc/sysctl.conf:# 0=disable, 1=enable all, >1 bitmask of sysrq functions
/etc/sysctl.conf:# See https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html
/etc/sysctl.conf:#kernel.sysrq=438
$ grep -IirF sysrq /etc/sysctl.d/*
/etc/sysctl.d/99-sysctl.conf:# 0=disable, 1=enable all, >1 bitmask of sysrq functions
/etc/sysctl.d/99-sysctl.conf:# See https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html
/etc/sysctl.d/99-sysctl.conf:#kernel.sysrq=438
In the absence of any process writing something to /proc/sys/kernel/sysrq (possibly via the sysctl command) at any point since boot (including in the initramfs)¹, the default value will be as configured at kernel compilation time.
You can find that out with:
$ grep -i sysrq "/boot/config-$(uname -r)"
CONFIG_MAGIC_SYSRQ=y
CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=0x01b6
CONFIG_MAGIC_SYSRQ_SERIAL=y
CONFIG_MAGIC_SYSRQ_SERIAL_SEQUENCE=""
Here for me (on Debian as well), it’s enabled by default but with 0x01b6, that is 438 or 0b110110110 as the mask.
To check the current value:
$ cat /proc/sys/kernel/sysrq
438
$ sysctl kernel.sysrq
kernel.sysrq = 438
That’s 2|4|16|32|128|256 so:
2 = 0x2 - enable control of console logging level
4 = 0x4 - enable control of keyboard (SAK, unraw)
16 = 0x10 - enable sync command
32 = 0x20 - enable remount read-only
128 = 0x80 - allow reboot/poweroff
256 = 0x100 - allow nicing of all RT tasks
So all but:
8 = 0x8 - enable debugging dumps of processes etc.
64 = 0x40 - enable signalling of processes (term, kill, oom-kill)
You can check what bit of the bitmask allows which key in drivers/tty/sysrq.c in the kernel source code.
f is allowed by SYSRQ_ENABLE_SIGNAL with value 0x0040, that is 64 above without surprise.
And that bit also controls e (end all tasks), j (thaw all frozen FS), i (killall tasks).
So it’s not possible to enable all except f. The best you can do is enable all but e, f, i, j by adding the 0x8 (SYSRQ_ENABLE_DUMP) bit which governs c, l, t, p, w, z, m (also quite dangerous) to the default by writing 446 to /proc/sys/kernel/sysrq.
However, I would only deviate from the safer 438 default when debugging some kernel related issue where you lose shell access to the machine, or if no non-admin has physical access to a keyboard or serial line connected to the machine.
¹ also note the sysrq_always_enabled kernel command line parameter which bypasses all restrictions.
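To make the bitmask reasoning in the answer concrete, here is an added Python script (not from the question, the answer or the kernel tree) that decodes a kernel.sysrq value into the keys it permits and shows which keys are lost when one bit is cleared. The bit descriptions are the ones from the admin guide quoted above; the key-to-bit table is transcribed from the enable_mask of each sysrq_key_op in drivers/tty/sysrq.c and deliberately covers only the keys I am sure of.

```python
#!/usr/bin/env python3
"""Decode kernel.sysrq bitmasks (added example, not the page's own code).

Semantics follow sysrq_on_mask() in drivers/tty/sysrq.c: 0 disables all
keys, 1 enables all keys, any other value is a bitmask.  The
sysrq_always_enabled command-line parameter, which bypasses the mask,
is not modelled here.
"""

# Bit -> meaning, as listed in the kernel admin guide.
BITS = {
    0x002: "control of console logging level",
    0x004: "control of keyboard (SAK, unraw)",
    0x008: "debugging dumps of processes etc.",
    0x010: "sync command",
    0x020: "remount read-only",
    0x040: "signalling of processes (term, kill, oom-kill)",
    0x080: "reboot/poweroff",
    0x100: "nicing of all RT tasks",
}

# Key -> enable_mask bit (subset of the sysrq_key_table in sysrq.c).
KEYS = {
    **{str(d): 0x002 for d in range(10)},             # 0-9: set loglevel
    "k": 0x004, "r": 0x004,                           # SAK, unraw keyboard
    "c": 0x008, "l": 0x008, "m": 0x008, "p": 0x008,   # crash / dumps
    "t": 0x008, "w": 0x008, "z": 0x008,
    "s": 0x010,                                       # sync
    "u": 0x020,                                       # remount read-only
    "e": 0x040, "f": 0x040, "i": 0x040, "j": 0x040,   # term, oom-kill, kill, thaw
    "b": 0x080, "o": 0x080,                           # reboot, poweroff
    "n": 0x100,                                       # nice RT tasks
}

def describe(sysrq):
    """Human-readable list of the capabilities a kernel.sysrq value enables."""
    if sysrq == 0:
        return []
    return [d for bit, d in sorted(BITS.items()) if sysrq == 1 or sysrq & bit]

def allowed_keys(sysrq):
    """Set of SysRq keys (from KEYS) usable under the given kernel.sysrq value."""
    if sysrq == 0:
        return set()
    return {k for k, bit in KEYS.items() if sysrq == 1 or sysrq & bit}

def mask_without_key(base, key):
    """Clear the bit that allows `key`; return the new mask and the other keys lost."""
    bit = KEYS[key]
    collateral = sorted(k for k, b in KEYS.items() if b == bit and k != key)
    return base & ~bit, collateral
```

Running `mask_without_key(502, "f")` shows the point of the answer: the only way to drop f from an otherwise full mask is to clear 0x40, which takes e, i and j with it.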