git.ipfire.org Git - people/pmueller/ipfire-3.x.git/commitdiff
sysctl: improve KASLR effectiveness for mmap
author    Peter Müller <peter.mueller@ipfire.org>
          Sat, 6 Jul 2019 09:38:00 +0000 (09:38 +0000)
committer Michael Tremer <michael.tremer@ipfire.org>
          Mon, 8 Jul 2019 10:03:33 +0000 (11:03 +0100)
By feeding more random bits into mmap allocation, the
effectiveness of KASLR will be improved, making attacks
trying to bypass address randomisation more difficult.

Changed sysctl values are:

vm.mmap_rnd_bits = 32 (default: 28)
vm.mmap_rnd_compat_bits = 16 (default: 8)

This patch backports the same change made in IPFire 2.x into
IPFire 3.x.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
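The two sysctls in the commit message set how many random bits the kernel puts into the per-process mmap base, which is where shared libraries and anonymous mappings of each newly exec'd program land. The following program measures that directly: it starts fresh processes (exec, not a bare fork, since a forked child inherits its parent's mmap base), records the base address of the first shared object in each one's /proc/self/maps, and counts how many address bits actually varied, then prints the current vm.mmap_rnd_bits for comparison. With 4K pages the low 12 bits are never random, so the varied-bit count should approach the sysctl value as samples accumulate. This is an added example written for this page, not code from IPFire or the kernel; it assumes a Linux host with /proc mounted and a dynamically linked `cat` (so that a ".so" line exists in its maps), and it reads only /proc/self/maps and /proc/sys/vm/mmap_rnd_bits.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Count the address bits that differ across the sampled bases: OR together
 * every sample XORed with the first, then popcount. This is a lower bound on
 * the randomness the kernel applied; with few samples a random bit may simply
 * not have flipped yet. */
static int varying_bits(const uintptr_t *addrs, size_t n)
{
    uintptr_t diff = 0;
    for (size_t i = 1; i < n; i++)
        diff |= addrs[i] ^ addrs[0];
    int bits = 0;
    for (; diff; diff &= diff - 1)
        bits++;
    return bits;
}

/* Parse one /proc/<pid>/maps line and return its start address if the mapped
 * file looks like a shared object (".so" in the pathname), else 0.
 * Expected shape (constructed example):
 *   7f3c2b1e1000-7f3c2b203000 r--p 00000000 08:01 1234  /lib/x86_64-linux-gnu/libc.so.6 */
static uintptr_t so_base_from_maps_line(const char *line)
{
    if (!strstr(line, ".so"))
        return 0;
    char *end;
    unsigned long long start = strtoull(line, &end, 16);
    if (end == line || *end != '-')
        return 0;
    return (uintptr_t)start;
}

/* Run `cat /proc/self/maps` n times. Each run is a fresh exec, so the kernel
 * picks a new mmap base for it; record the first shared object's base from
 * every run. Returns how many samples were collected. */
static size_t sample_so_bases(size_t n, uintptr_t *out)
{
    size_t got = 0;
    for (size_t i = 0; i < n; i++) {
        FILE *fp = popen("cat /proc/self/maps", "r");
        if (!fp)
            break;
        char line[512];
        uintptr_t base = 0;
        while (fgets(line, sizeof line, fp)) {
            base = so_base_from_maps_line(line);
            if (base)
                break;
        }
        pclose(fp);
        if (base)
            out[got++] = base;
    }
    return got;
}

/* Current value of vm.mmap_rnd_bits, or -1 if it cannot be read. */
static int read_mmap_rnd_bits(void)
{
    FILE *fp = fopen("/proc/sys/vm/mmap_rnd_bits", "r");
    if (!fp)
        return -1;
    int rnd = -1;
    if (fscanf(fp, "%d", &rnd) != 1)
        rnd = -1;
    fclose(fp);
    return rnd;
}

int main(void)
{
    enum { N = 32 };
    uintptr_t bases[N];
    size_t n = sample_so_bases(N, bases);
    if (n < 2) {
        fprintf(stderr, "could not sample /proc/self/maps\n");
        return 1;
    }
    printf("%zu samples: %d mmap-base address bits varied, vm.mmap_rnd_bits = %d\n",
           n, varying_bits(bases, n), read_mmap_rnd_bits());
    return 0;
}
```

Run it once with the stock value and once after `sysctl -w vm.mmap_rnd_bits=32` to see the extra four bits appear in the measurement; the same harness with a 32-bit binary in place of `cat` measures vm.mmap_rnd_compat_bits instead.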
setup/setup.nm
setup/sysctl/kernel-hardening.conf

index be0ca4ba08617f8e5a3ad4453450d69a1f85b552..09d94e23de875c8c0d944039bef82dd6d2242f20 100644 (file)
@@ -5,7 +5,7 @@
 
 name       = setup
 version    = 3.0
-release    = 13
+release    = 14
 arch       = noarch
 
 groups     = Base Build System/Base
index 9bb6e9f45d10d33a324c405b71ab6a74c20396cf..33e096c7ce5036574ab8d025b37efc284a995ee7 100644 (file)
@@ -4,3 +4,6 @@ kernel.kptr_restrict = 2
 # Avoid kernel memory address exposures via dmesg.
 kernel.dmesg_restrict = 1
 
+# Improve KASLR effectiveness for mmap.
+vm.mmap_rnd_bits = 32
+vm.mmap_rnd_compat_bits = 16
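Review bot: The comment on the three added lines is a misnomer: vm.mmap_rnd_bits and vm.mmap_rnd_compat_bits set the number of random bits in the mmap base of native and 32-bit compat userspace processes (user-space ASLR), not the placement of the kernel's own text and data (KASLR), so `# Improve KASLR effectiveness for mmap.` should say something like `# Use the maximum number of random bits for the userspace mmap base (ASLR).` The values are also architecture-specific: the kernel only accepts a value between CONFIG_ARCH_MMAP_RND_BITS_MIN and CONFIG_ARCH_MMAP_RND_BITS_MAX of the running kernel (32 and 16 are the x86_64 maxima for the native and compat sysctl, matching the 28 and 8 defaults quoted in the commit message), and anything outside that range is rejected with EINVAL when the file is applied, so on a 32-bit x86 kernel (maximum 16, and no compat sysctl at all) or an arm64 kernel with a smaller VA size these two lines fail at boot. Please state in the comment that the values assume x86_64, or install this fragment only for that architecture, so the failure is not discovered from a sysctl error in the boot log.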