sysctl: improve KASLR effectiveness for mmap

By feeding more random bits into mmap allocation, the
effectiveness of KASLR will be improved, making attacks
trying to bypass address randomisation more difficult.

Changed sysctl values are:

vm.mmap_rnd_bits = 32 (default: 28)
vm.mmap_rnd_compat_bits = 16 (default: 8)

This patch backports the same change made in IPFire 2.x into
IPFire 3.x.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller 2019-07-06 09:38:00 +00:00 committed by Michael Tremer
parent f2234b33d7
commit 78d3aeab2b
2 changed files with 4 additions and 1 deletions


@ -5,7 +5,7 @@
name = setup
version = 3.0
release = 13
release = 14
arch = noarch
groups = Base Build System/Base


@ -4,3 +4,6 @@ kernel.kptr_restrict = 2
# Avoid kernel memory address exposures via dmesg.
kernel.dmesg_restrict = 1
# Improve KASLR effectiveness for mmap.
vm.mmap_rnd_bits = 32
vm.mmap_rnd_compat_bits = 16
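
Review bot: the two added lines set vm.mmap_rnd_bits = 32 and vm.mmap_rnd_compat_bits = 16 unconditionally, while the package metadata on this page declares arch = noarch. The kernel bounds both settings by per-architecture minimum and maximum values and rejects a write outside that range, so on an architecture whose maximum is lower than 32 (or 16 for compat) the value would stay at its default without anyone noticing. Consider stating in the comment which architecture these values target, or shipping them in an arch-specific sysctl file. Separately, the comment line says KASLR, but these two keys control the randomisation of userspace mmap base addresses (ASLR), not the kernel's own layout; something like "# Increase ASLR entropy for mmap." would match what the keys do.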