By feeding more random bits into mmap allocation, the effectiveness of KASLR will be improved, making attacks trying to bypass address randomisation more difficult.
Changed sysctl values are:
vm.mmap_rnd_bits = 32 (default: 28) vm.mmap_rnd_compat_bits = 16 (default: 8)
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- config/etc/sysctl.conf | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf index 9a943fffa..5a67f1795 100644 --- a/config/etc/sysctl.conf +++ b/config/etc/sysctl.conf @@ -45,6 +45,10 @@ kernel.kptr_restrict = 2 # Avoid kernel memory address exposures via dmesg. kernel.dmesg_restrict = 1
+# Improve KASLR effectiveness for mmap +vm.mmap_rnd_bits = 32 +vm.mmap_rnd_compat_bits = 16 + # Minimal preemption granularity for CPU-bound tasks: # (default: 1 msec# (1 + ilog(ncpus)), units: nanoseconds) kernel.sched_min_granularity_ns = 10000000