sysctl: improve KASLR effectiveness for mmap
Commit Message
By feeding more random bits into mmap allocation, the
effectiveness of KASLR will be improved, making attacks
trying to bypass address randomisation more difficult.
Changed sysctl values are:
vm.mmap_rnd_bits = 32 (default: 28)
vm.mmap_rnd_compat_bits = 16 (default: 8)
This patch backports the same change made in IPFire 2.x into
IPFire 3.x.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
setup/setup.nm | 2 +-
setup/sysctl/kernel-hardening.conf | 3 +++
2 files changed, 4 insertions(+), 1 deletion(-)
@@ -5,7 +5,7 @@
name = setup
version = 3.0
-release = 13
+release = 14
arch = noarch
groups = Base Build System/Base
@@ -4,3 +4,6 @@ kernel.kptr_restrict = 2
# Avoid kernel memory address exposures via dmesg.
kernel.dmesg_restrict = 1
+# Improve KASLR effectiveness for mmap.
+vm.mmap_rnd_bits = 32
+vm.mmap_rnd_compat_bits = 16
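Review bot: the comment added in this hunk ("Improve KASLR effectiveness for mmap.") mislabels what these knobs do: vm.mmap_rnd_bits and vm.mmap_rnd_compat_bits set the number of random bits in the base address of user-space mmap regions (64-bit and 32-bit-compat processes respectively), i.e. user-space ASLR, not the randomisation of the kernel's own image or direct map (KASLR). Suggest rewording it to "# Use the maximum number of random bits for user-space mmap base (ASLR)." A second point: both values are hard-coded, but the writable range is architecture- and kernel-config-dependent (the kernel clamps writes to CONFIG_ARCH_MMAP_RND_BITS_MIN/MAX and the corresponding COMPAT settings, and the two sysctls only exist when the arch selects HAVE_ARCH_MMAP_RND_BITS / HAVE_ARCH_MMAP_RND_COMPAT_BITS). 32 and 16 are the x86_64 maxima (defaults 28 and 8, matching the commit message); on another architecture, or a kernel built without compat support, `sysctl -p` will report EINVAL or "No such file or directory" for these lines. Either note the x86_64 assumption in the comment or check the supported range at install time, e.g. by reading /proc/sys/vm/mmap_rnd_bits before applying the file, so a rejected value does not go unnoticed in the boot log.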