| Message ID | 5e1acef7-1037-f621-0bd5-123519625c50@ipfire.org |
|---|---|
| State | Accepted |
| Commit | ef21f3e49d2998eb4a223c05ef05f169ae99537a |
| Headers |
Return-Path: <development-bounces@lists.ipfire.org> Received: from mail01.ipfire.org (mail01.i.ipfire.org [172.28.1.200]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail01.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web07.i.ipfire.org (Postfix) with ESMTPS id 44BE2887E52 for <patchwork@web07.i.ipfire.org>; Thu, 4 Jul 2019 20:16:00 +0100 (BST) Received: from mail01.i.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id 45fnkl25Wcz5S78x; Thu, 4 Jul 2019 20:15:59 +0100 (BST) Received: from [127.0.0.1] (unknown [51.15.7.60]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPSA id 45fnkg0Zbfz5M5f2 for <development@lists.ipfire.org>; Thu, 4 Jul 2019 20:15:54 +0100 (BST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201904rsa; t=1562267755; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=XD17xdhNMOKTBr1qLMQHLowyNQga2dnrgJ6a1yIlWDU=; b=PLa7WlV1xMwQB8eZfByC7XUTx0RrVxnbJvoZlEkVN4BsariYfca5QrChQ59SieXZxDNhVV Oq42+cCNopwr3b1fQ8B1CRdRon6AAvs6Af2cehA7k5LY55QbXOh/OcGmB8Sqisz2C7aLas k3Y37Go+v6dhPt+u7sf0LwVH2MKL8FZ95PrsZ7rEn1c+CGifkpWtTdXiJAzfIRdsZVaJcN 1eItzCaa8ZNpz3LO5wnhCKXhlQSRgvTwLmX+xe+2m8UBIrJB7bW7/Vg0ZVeyvQ+jJyquZb P/I0sy5amtQ1Tf8/AhFNinOovZUmMafiYv7XumH2+D6joHVgkrAOlC9gDPFuyA== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=201904ed25519; t=1562267755; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=XD17xdhNMOKTBr1qLMQHLowyNQga2dnrgJ6a1yIlWDU=; b=TwBpND3zHnHM/GYtRRKBcXpOGdO4or0gsh08FpcNP+KyWGvwuVsNBzL9lr0NwNb0XB3R5Y tTOh9ryL6t9MQvCg== To: "IPFire: Development-List" <development@lists.ipfire.org> From: =?utf-8?q?Peter_M=C3=BCller?= <peter.mueller@ipfire.org> Subject: [PATCH] sysctl: improve KASLR effectiveness for mmap Organization: IPFire.org Message-ID: <5e1acef7-1037-f621-0bd5-123519625c50@ipfire.org> Date: Thu, 04 Jul 2019 19:15:00 +0000 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit Authentication-Results: mail01.ipfire.org; auth=pass smtp.auth=pmueller smtp.mailfrom=peter.mueller@ipfire.org X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: IPFire development talk <development.lists.ipfire.org> List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>, <mailto:development-request@lists.ipfire.org?subject=unsubscribe> List-Archive: <https://lists.ipfire.org/pipermail/development/> List-Post: <mailto:development@lists.ipfire.org> List-Help: <mailto:development-request@lists.ipfire.org?subject=help> List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>, <mailto:development-request@lists.ipfire.org?subject=subscribe> Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org> |
| Series |
sysctl: improve KASLR effectiveness for mmap
|
|
Commit Message
Peter Müller
July 5, 2019, 5:15 a.m. UTC
By feeding more random bits into mmap allocation, the
effectiveness of KASLR will be improved, making attacks
trying to bypass address randomisation more difficult.
Changed sysctl values are:
vm.mmap_rnd_bits = 32 (default: 28)
vm.mmap_rnd_compat_bits = 16 (default: 8)
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
config/etc/sysctl.conf | 4 ++++
1 file changed, 4 insertions(+)
Comments
Hi, LOL. “Effectiveness” of the KASLR. Do we even have this enabled? -Michael > On 4 Jul 2019, at 20:15, Peter Müller <peter.mueller@ipfire.org> wrote: > > By feeding more random bits into mmap allocation, the > effectiveness of KASLR will be improved, making attacks > trying to bypass address randomisation more difficult. > > Changed sysctl values are: > > vm.mmap_rnd_bits = 32 (default: 28) > vm.mmap_rnd_compat_bits = 16 (default: 8) > > Signed-off-by: Peter Müller <peter.mueller@ipfire.org> > --- > config/etc/sysctl.conf | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf > index 9a943fffa..5a67f1795 100644 > --- a/config/etc/sysctl.conf > +++ b/config/etc/sysctl.conf > @@ -45,6 +45,10 @@ kernel.kptr_restrict = 2 > # Avoid kernel memory address exposures via dmesg. > kernel.dmesg_restrict = 1 > > +# Improve KASLR effectiveness for mmap > +vm.mmap_rnd_bits = 32 > +vm.mmap_rnd_compat_bits = 16 > + > # Minimal preemption granularity for CPU-bound tasks: > # (default: 1 msec# (1 + ilog(ncpus)), units: nanoseconds) > kernel.sched_min_granularity_ns = 10000000 > -- > 2.16.4 >
Hello Michael, > Hi, > > LOL. “Effectiveness” of the KASLR. Do we even have this enabled? Yes. Words failed me here - and 8 Bits do not leave _that_ much possibilities... Thanks, and best regards, Peter Müller > > -Michael > >> On 4 Jul 2019, at 20:15, Peter Müller <peter.mueller@ipfire.org> wrote: >> >> By feeding more random bits into mmap allocation, the >> effectiveness of KASLR will be improved, making attacks >> trying to bypass address randomisation more difficult. >> >> Changed sysctl values are: >> >> vm.mmap_rnd_bits = 32 (default: 28) >> vm.mmap_rnd_compat_bits = 16 (default: 8) >> >> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> >> --- >> config/etc/sysctl.conf | 4 ++++ >> 1 file changed, 4 insertions(+) >> >> diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf >> index 9a943fffa..5a67f1795 100644 >> --- a/config/etc/sysctl.conf >> +++ b/config/etc/sysctl.conf >> @@ -45,6 +45,10 @@ kernel.kptr_restrict = 2 >> # Avoid kernel memory address exposures via dmesg. >> kernel.dmesg_restrict = 1 >> >> +# Improve KASLR effectiveness for mmap >> +vm.mmap_rnd_bits = 32 >> +vm.mmap_rnd_compat_bits = 16 >> + >> # Minimal preemption granularity for CPU-bound tasks: >> # (default: 1 msec# (1 + ilog(ncpus)), units: nanoseconds) >> kernel.sched_min_granularity_ns = 10000000 >> -- >> 2.16.4 >> >
diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf index 9a943fffa..5a67f1795 100644 --- a/config/etc/sysctl.conf +++ b/config/etc/sysctl.conf @@ -45,6 +45,10 @@ kernel.kptr_restrict = 2 # Avoid kernel memory address exposures via dmesg. kernel.dmesg_restrict = 1 +# Improve KASLR effectiveness for mmap +vm.mmap_rnd_bits = 32 +vm.mmap_rnd_compat_bits = 16 + # Minimal preemption granularity for CPU-bound tasks: # (default: 1 msec# (1 + ilog(ncpus)), units: nanoseconds) kernel.sched_min_granularity_ns = 10000000