From mboxrd@z Thu Jan  1 00:00:00 1970
From: Peter =?utf-8?q?M=C3=BCller?= <peter.mueller@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH] sysctl: improve KASLR effectiveness for mmap
Date: Thu, 04 Jul 2019 19:15:00 +0000
Message-ID: <5e1acef7-1037-f621-0bd5-123519625c50@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1448056616515288751=="
List-Id: <development.lists.ipfire.org>

--===============1448056616515288751==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

By feeding more random bits into mmap allocation, the
effectiveness of KASLR will be improved, making attacks
trying to bypass address randomisation more difficult.

Changed sysctl values are:

vm.mmap_rnd_bits = 32 (default: 28)
vm.mmap_rnd_compat_bits = 16 (default: 8)

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 config/etc/sysctl.conf | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
index 9a943fffa..5a67f1795 100644
--- a/config/etc/sysctl.conf
+++ b/config/etc/sysctl.conf
@@ -45,6 +45,10 @@ kernel.kptr_restrict = 2
 # Avoid kernel memory address exposures via dmesg.
 kernel.dmesg_restrict = 1
 
+# Improve KASLR effectiveness for mmap
+vm.mmap_rnd_bits = 32
+vm.mmap_rnd_compat_bits = 16
+
 # Minimal preemption granularity for CPU-bound tasks:
 # (default: 1 msec#  (1 + ilog(ncpus)), units: nanoseconds)
 kernel.sched_min_granularity_ns = 10000000
-- 
2.16.4


--===============1448056616515288751==--