diff mbox series

sysctl: improve KASLR effectiveness for mmap

Message ID 3efce5d6-1679-cb70-b119-64c8bfe55237@ipfire.org
State Accepted
Commit 78d3aeab2b1e8c0e52e5326c95d4b59057fb3095
Headers
Series sysctl: improve KASLR effectiveness for mmap |

Commit Message

Peter Müller July 6, 2019, 7:38 p.m. UTC 
  By feeding more random bits into mmap allocation, the
effectiveness of KASLR will be improved, making attacks
trying to bypass address randomisation more difficult.

Changed sysctl values are:

vm.mmap_rnd_bits = 32 (default: 28)
vm.mmap_rnd_compat_bits = 16 (default: 8)

This patch backports the same change made in IPFire 2.x into
IPFire 3.x .

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
 setup/setup.nm                     | 2 +-
 setup/sysctl/kernel-hardening.conf | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)
diff mbox series

Patch

diff --git a/setup/setup.nm b/setup/setup.nm
index be0ca4ba0..09d94e23d 100644
--- a/setup/setup.nm
+++ b/setup/setup.nm
@@ -5,7 +5,7 @@ 
 
 name       = setup
 version    = 3.0
-release    = 13
+release    = 14
 arch       = noarch
 
 groups     = Base Build System/Base
diff --git a/setup/sysctl/kernel-hardening.conf b/setup/sysctl/kernel-hardening.conf
index 9bb6e9f45..33e096c7c 100644
--- a/setup/sysctl/kernel-hardening.conf
+++ b/setup/sysctl/kernel-hardening.conf
@@ -4,3 +4,6 @@  kernel.kptr_restrict = 2
 # Avoid kernel memory address exposures via dmesg.
 kernel.dmesg_restrict = 1
 
+# Improve KASLR effectiveness for mmap.
+vm.mmap_rnd_bits = 32
+vm.mmap_rnd_compat_bits = 16