From: Peter Müller
To: development@lists.ipfire.org
Subject: [PATCH] sysctl: improve KASLR effectiveness for mmap
Date: Sat, 06 Jul 2019 09:38:00 +0000
Message-ID: <3efce5d6-1679-cb70-b119-64c8bfe55237@ipfire.org>

By feeding more random bits into mmap allocation, the effectiveness of KASLR will be improved, making attacks trying to bypass address randomisation more difficult.

Changed sysctl values are:

vm.mmap_rnd_bits = 32 (default: 28)
vm.mmap_rnd_compat_bits = 16 (default: 8)

This patch backports the same change made in IPFire 2.x into IPFire 3.x.

Signed-off-by: Peter Müller
---
 setup/setup.nm                     | 2 +-
 setup/sysctl/kernel-hardening.conf | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/setup/setup.nm b/setup/setup.nm
index be0ca4ba0..09d94e23d 100644
--- a/setup/setup.nm
+++ b/setup/setup.nm
@@ -5,7 +5,7 @@
 
 name = setup
 version = 3.0
-release = 13
+release = 14
 arch = noarch
 
 groups = Base Build System/Base
diff --git a/setup/sysctl/kernel-hardening.conf b/setup/sysctl/kernel-hardening.conf
index 9bb6e9f45..33e096c7c 100644
--- a/setup/sysctl/kernel-hardening.conf
+++ b/setup/sysctl/kernel-hardening.conf
@@ -4,3 +4,6 @@ kernel.kptr_restrict = 2
 # Avoid kernel memory address exposures via dmesg.
 kernel.dmesg_restrict = 1
 
+# Improve KASLR effectiveness for mmap.
+vm.mmap_rnd_bits = 32
+vm.mmap_rnd_compat_bits = 16
-- 
2.16.4
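Review bot: The added comment line `+# Improve KASLR effectiveness for mmap.` in the kernel-hardening.conf hunk (and the commit message) names the wrong mechanism: vm.mmap_rnd_bits and vm.mmap_rnd_compat_bits set how many random bits the kernel uses for the base of userspace mmap allocations, so they raise userspace ASLR entropy for native and 32-bit compat processes; they do not affect KASLR, which randomises the kernel's own mapping. Suggest `+# Increase userspace mmap ASLR entropy.` so the file documents what the knobs actually do. A second point on the same hunk: 32 and 16 are the x86_64 maximums (the kernel accepts only the CONFIG_ARCH_MMAP_RND_BITS_MIN..MAX and CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN..MAX ranges, 28..32 and 8..16 on x86_64, which is why the defaults quoted in the commit message are 28 and 8). On architectures with a smaller virtual address space the maximum is lower, the write is rejected with EINVAL, and the default stays in effect. Since setup.nm marks the package `arch = noarch`, it would be worth confirming with `sysctl vm.mmap_rnd_bits vm.mmap_rnd_compat_bits` after boot on every architecture IPFire 3.x builds for that the values took effect, or stating in the comment that these are the x86_64 maximums.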