By feeding more random bits into mmap allocation, the effectiveness of KASLR will be improved, making attacks trying to bypass address randomisation more difficult.
Changed sysctl values are:
vm.mmap_rnd_bits = 32 (default: 28)
vm.mmap_rnd_compat_bits = 16 (default: 8)
This patch backports the same change made in IPFire 2.x into IPFire 3.x.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
---
 setup/setup.nm | 2 +-
 setup/sysctl/kernel-hardening.conf | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/setup/setup.nm b/setup/setup.nm index be0ca4ba0..09d94e23d 100644 --- a/setup/setup.nm +++ b/setup/setup.nm @@ -5,7 +5,7 @@
name = setup version = 3.0 -release = 13 +release = 14 arch = noarch
groups = Base Build System/Base diff --git a/setup/sysctl/kernel-hardening.conf b/setup/sysctl/kernel-hardening.conf index 9bb6e9f45..33e096c7c 100644 --- a/setup/sysctl/kernel-hardening.conf +++ b/setup/sysctl/kernel-hardening.conf @@ -4,3 +4,6 @@ kernel.kptr_restrict = 2 # Avoid kernel memory address exposures via dmesg. kernel.dmesg_restrict = 1
+# Improve KASLR effectiveness for mmap. +vm.mmap_rnd_bits = 32 +vm.mmap_rnd_compat_bits = 16
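Review bot: the comment added in kernel-hardening.conf, `+# Improve KASLR effectiveness for mmap.`, mislabels what these knobs do: vm.mmap_rnd_bits and vm.mmap_rnd_compat_bits set the number of random bits used for the mmap base of user-space processes (ASLR for native and 32-bit compat binaries respectively) and have no effect on kernel address space layout randomisation, which is decided at boot rather than through sysctl. Suggest `# Use the maximum number of random bits for user-space mmap (ASLR).` so readers do not expect a KASLR change. Also, the accepted range of vm.mmap_rnd_bits is architecture dependent (CONFIG_ARCH_MMAP_RND_BITS_MIN/MAX; 28 to 32 on x86_64, with lower maxima on some arm64 VA configurations), and the kernel rejects an out-of-range value with EINVAL; since the package is `arch = noarch`, the `+vm.mmap_rnd_bits = 32` line may fail to apply on non-x86 builds, so it is worth confirming with `sysctl -p` on each supported architecture or selecting the value per architecture.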