sysctl: improve KASLR effectiveness for mmap
Commit Message
By feeding more random bits into mmap allocation, the
effectiveness of KASLR will be improved, making attacks
trying to bypass address randomisation more difficult.
Changed sysctl values are:
vm.mmap_rnd_bits = 32 (default: 28)
vm.mmap_rnd_compat_bits = 16 (default: 8)
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
config/etc/sysctl.conf | 4 ++++
1 file changed, 4 insertions(+)
Comments
Hi,
LOL. “Effectiveness” of the KASLR. Do we even have this enabled?
-Michael
> On 4 Jul 2019, at 20:15, Peter Müller <peter.mueller@ipfire.org> wrote:
>
> By feeding more random bits into mmap allocation, the
> effectiveness of KASLR will be improved, making attacks
> trying to bypass address randomisation more difficult.
>
> Changed sysctl values are:
>
> vm.mmap_rnd_bits = 32 (default: 28)
> vm.mmap_rnd_compat_bits = 16 (default: 8)
>
> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
> ---
> config/etc/sysctl.conf | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
> index 9a943fffa..5a67f1795 100644
> --- a/config/etc/sysctl.conf
> +++ b/config/etc/sysctl.conf
> @@ -45,6 +45,10 @@ kernel.kptr_restrict = 2
> # Avoid kernel memory address exposures via dmesg.
> kernel.dmesg_restrict = 1
>
> +# Improve KASLR effectiveness for mmap
> +vm.mmap_rnd_bits = 32
> +vm.mmap_rnd_compat_bits = 16
> +
> # Minimal preemption granularity for CPU-bound tasks:
> # (default: 1 msec# (1 + ilog(ncpus)), units: nanoseconds)
> kernel.sched_min_granularity_ns = 10000000
> --
> 2.16.4
>
Hello Michael,
> Hi,
>
> LOL. “Effectiveness” of the KASLR. Do we even have this enabled?
Yes. Words failed me here - and 8 bits do not leave _that_ many possibilities...
Thanks, and best regards,
Peter Müller
>
> -Michael
>
>> On 4 Jul 2019, at 20:15, Peter Müller <peter.mueller@ipfire.org> wrote:
>>
>> By feeding more random bits into mmap allocation, the
>> effectiveness of KASLR will be improved, making attacks
>> trying to bypass address randomisation more difficult.
>>
>> Changed sysctl values are:
>>
>> vm.mmap_rnd_bits = 32 (default: 28)
>> vm.mmap_rnd_compat_bits = 16 (default: 8)
>>
>> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
>> ---
>> config/etc/sysctl.conf | 4 ++++
>> 1 file changed, 4 insertions(+)
>>
>> diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
>> index 9a943fffa..5a67f1795 100644
>> --- a/config/etc/sysctl.conf
>> +++ b/config/etc/sysctl.conf
>> @@ -45,6 +45,10 @@ kernel.kptr_restrict = 2
>> # Avoid kernel memory address exposures via dmesg.
>> kernel.dmesg_restrict = 1
>>
>> +# Improve KASLR effectiveness for mmap
>> +vm.mmap_rnd_bits = 32
>> +vm.mmap_rnd_compat_bits = 16
>> +
>> # Minimal preemption granularity for CPU-bound tasks:
>> # (default: 1 msec# (1 + ilog(ncpus)), units: nanoseconds)
>> kernel.sched_min_granularity_ns = 10000000
>> --
>> 2.16.4
>>
>
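The range check that decides whether the two values in the patch are accepted at all, as an added example (not code from the patch or the IPFire project): the x86 limits are the ones from the kernel's arch/x86/Kconfig, and the sample config lines are constructed from the patch. Other architectures have their own limits and are deliberately left out.

```python
import re

# Accepted [min, max] per architecture, from arch/x86/Kconfig
# (ARCH_MMAP_RND_BITS_MIN/MAX, ARCH_MMAP_RND_COMPAT_BITS_MIN/MAX).
# Other architectures have their own limits and are not covered here.
LIMITS = {
    "x86_64": {"vm.mmap_rnd_bits": (28, 32), "vm.mmap_rnd_compat_bits": (8, 16)},
    # 32-bit x86 has no compat layer, so the compat knob does not exist there.
    "i386": {"vm.mmap_rnd_bits": (8, 16)},
}

_KEY_LINE = re.compile(r"^\s*(vm\.mmap_rnd(?:_compat)?_bits)\s*=\s*(\S+)\s*$")

def parse_mmap_rnd(text):
    """Return {key: raw value} for the two mmap randomisation keys in sysctl.conf text."""
    found = {}
    for line in text.splitlines():
        m = _KEY_LINE.match(line)
        if m:  # comment lines never match because they start with '#'
            found[m.group(1)] = m.group(2)
    return found

def check_mmap_rnd(text, arch):
    """Return [(key, status, detail)]; status is ok, out_of_range, absent or invalid."""
    limits, results = LIMITS[arch], []
    for key, raw in parse_mmap_rnd(text).items():
        if key not in limits:
            results.append((key, "absent", "/proc/sys/%s does not exist on %s" % (key.replace(".", "/"), arch)))
            continue
        lo, hi = limits[key]
        if not raw.lstrip("-").isdigit():
            results.append((key, "invalid", "not an integer: %r" % raw))
            continue
        val = int(raw)
        if lo <= val <= hi:
            results.append((key, "ok", "%d random bits (arch max %d)" % (val, hi)))
        else:
            results.append((key, "out_of_range", "allowed %d..%d, kernel returns EINVAL" % (lo, hi)))
    return results

# Constructed sample: the three lines the patch adds to config/etc/sysctl.conf.
SAMPLE = """\
# Improve KASLR effectiveness for mmap
vm.mmap_rnd_bits = 32
vm.mmap_rnd_compat_bits = 16
"""

if __name__ == "__main__":
    for arch in LIMITS:
        for key, status, detail in check_mmap_rnd(SAMPLE, arch):
            print("%-7s %-25s %-12s %s" % (arch, key, status, detail))
```

Run against the sample, the x86_64 row reports both keys as ok at their maximum, while the i386 row shows why the same file would make `sysctl -p` complain on a 32-bit build.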
@@ -45,6 +45,10 @@ kernel.kptr_restrict = 2
# Avoid kernel memory address exposures via dmesg.
kernel.dmesg_restrict = 1
+# Improve KASLR effectiveness for mmap
+vm.mmap_rnd_bits = 32
+vm.mmap_rnd_compat_bits = 16
+
# Minimal preemption granularity for CPU-bound tasks:
# (default: 1 msec# (1 + ilog(ncpus)), units: nanoseconds)
kernel.sched_min_granularity_ns = 10000000
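Review bot: the comment line `+# Improve KASLR effectiveness for mmap` in this hunk mislabels what the two knobs do: vm.mmap_rnd_bits and vm.mmap_rnd_compat_bits set how many random bits the kernel uses when picking the mmap base of user-space processes (64-bit and 32-bit compat processes respectively), which is user-space ASLR rather than KASLR; suggest `# Raise user-space ASLR entropy for mmap (64-bit and 32-bit compat processes)`. It is also worth noting in the comment that 32 and 16 are the x86_64 maxima: the kernel clamps these sysctls to an architecture-dependent minimum and maximum and rejects a write outside that range with EINVAL, and vm.mmap_rnd_compat_bits only exists on kernels built with compat support, so on a 32-bit or non-x86 build `sysctl -p` would report errors for both of the added lines.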