From: Peter Müller Date: Thu, 4 Jul 2019 19:15:00 +0000 (+0000) Subject: sysctl: improve KASLR effectiveness for mmap X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ef21f3e49d2998eb4a223c05ef05f169ae99537a;p=people%2Fstevee%2Fipfire-2.x.git sysctl: improve KASLR effectiveness for mmap By feeding more random bits into mmap allocation, the effectiveness of KASLR will be improved, making attacks trying to bypass address randomisation more difficult. Changed sysctl values are: vm.mmap_rnd_bits = 32 (default: 28) vm.mmap_rnd_compat_bits = 16 (default: 8) Signed-off-by: Peter Müller Signed-off-by: Michael Tremer
---
diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
index 9a943fffa8..5a67f17955 100644
--- a/config/etc/sysctl.conf
+++ b/config/etc/sysctl.conf
@@ -45,6 +45,10 @@ kernel.kptr_restrict = 2
 # Avoid kernel memory address exposures via dmesg.
 kernel.dmesg_restrict = 1
 
+# Improve KASLR effectiveness for mmap
+vm.mmap_rnd_bits = 32
+vm.mmap_rnd_compat_bits = 16
+
 # Minimal preemption granularity for CPU-bound tasks:
 # (default: 1 msec# (1 + ilog(ncpus)), units: nanoseconds)
 kernel.sched_min_granularity_ns = 10000000
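Review bot: The added `vm.mmap_rnd_bits = 32` and `vm.mmap_rnd_compat_bits = 16` are the x86_64 upper bounds (the quoted defaults 28 and 8 are also the x86_64 ones), but `config/etc/sysctl.conf` does not look architecture-specific. The kernel rejects a value outside the compiled-in range for the architecture, and `vm.mmap_rnd_compat_bits` only exists on kernels with compat support, so on 32-bit or ARM builds these lines would presumably fail at boot and leave the default entropy in place. If this file is shared across architectures, move the two keys to a per-architecture file or confirm after boot that `sysctl vm.mmap_rnd_bits` reads back the intended value. The comment is also imprecise, since these keys control userspace mmap ASLR rather than KASLR; something like `# Increase ASLR entropy for mmap base addresses (x86_64 maximum values)` would describe them accurately.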