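#!/bin/sh
# 85-security-lockdown.sh — Lock down kernel after all modules loaded
#
# Late init stage: assumes every required kernel module is already loaded
# (see the stage 30 note below). Expects the logging helpers log_ok and
# log_warn to be provided by whatever sources/runs this stage.
#
# Environment:
#   KUBESOLO_NOMODLOCK  "1" (set from the kubesolo.nomodlock boot parameter)
#                       skips the module-loading lock for debugging.

# Write a value into a /proc/sys knob.
# Arguments: $1 - value to write, $2 - knob path
# Returns:   0 if the write succeeded, non-zero otherwise
# Kernel error text is silenced; the caller logs the outcome instead.
set_knob() {
  echo "$1" > "$2" 2>/dev/null
}

# Allow disabling via boot parameter for debugging
if [ "$KUBESOLO_NOMODLOCK" = "1" ]; then
  log_warn "Module lock DISABLED (kubesolo.nomodlock)"
else
  # Permanently prevent new kernel module loading (irreversible until reboot)
  # All required modules must already be loaded by stage 30
  # The knob is absent on kernels built without loadable-module support;
  # there is nothing to lock in that case, so it is skipped silently.
  if [ -f /proc/sys/kernel/modules_disabled ]; then
    # if/else rather than `write && log_ok || log_warn`: in that form a
    # non-zero return from log_ok would also run the failure branch.
    # The read-back confirms the lock actually took effect, not just that
    # the write returned success.
    if set_knob 1 /proc/sys/kernel/modules_disabled &&
       [ "$(cat /proc/sys/kernel/modules_disabled 2>/dev/null)" = "1" ]; then
      log_ok "Kernel module loading locked"
    else
      log_warn "Failed to lock kernel module loading"
    fi
  fi
fi

# Safety net: enforce kernel information protection
# (also set via sysctl.d but enforce here in case sysctl.d was bypassed)
# Failures are logged instead of discarded so a hardening step that did not
# apply is visible in the boot log; the script still continues either way.
set_knob 2 /proc/sys/kernel/kptr_restrict ||
  log_warn "Failed to set kernel.kptr_restrict=2"
set_knob 1 /proc/sys/kernel/dmesg_restrict ||
  log_warn "Failed to set kernel.dmesg_restrict=1"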