Hello Michael,

> Hi,
> 
> LOL. “Effectiveness” of the KASLR. Do we even have this enabled?
Yes. Words failed me here - and 8 Bits do not leave _that_ much possibilities...

Thanks, and best regards,
Peter Müller
> 
> -Michael
> 
>> On 4 Jul 2019, at 20:15, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>
>> By feeding more random bits into mmap allocation, the
>> effectiveness of KASLR will be improved, making attacks
>> trying to bypass address randomisation more difficult.
>>
>> Changed sysctl values are:
>>
>> vm.mmap_rnd_bits = 32 (default: 28)
>> vm.mmap_rnd_compat_bits = 16 (default: 8)
>>
>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
>> ---
>> config/etc/sysctl.conf | 4 ++++
>> 1 file changed, 4 insertions(+)
>>
>> diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
>> index 9a943fffa..5a67f1795 100644
>> --- a/config/etc/sysctl.conf
>> +++ b/config/etc/sysctl.conf
>> @@ -45,6 +45,10 @@ kernel.kptr_restrict = 2
>> # Avoid kernel memory address exposures via dmesg.
>> kernel.dmesg_restrict = 1
>>
>> +# Improve KASLR effectiveness for mmap
>> +vm.mmap_rnd_bits = 32
>> +vm.mmap_rnd_compat_bits = 16
>> +
>> # Minimal preemption granularity for CPU-bound tasks:
>> # (default: 1 msec#  (1 + ilog(ncpus)), units: nanoseconds)
>> kernel.sched_min_granularity_ns = 10000000
>> -- 
>> 2.16.4
>>
> 

-- 
The road to Hades is easy to travel.
	-- Bion of Borysthenes