From 2bce0b13e70ac1e63f9ffefa9d81daee8b834dc9 Mon Sep 17 00:00:00 2001
From: Joachim Fasting
Date: Sun, 3 Sep 2017 01:48:46 +0200
Subject: [PATCH] nixos/hardened: set mmap_min_addr

This is set in the hardened linux config as well but sysctl is more flexible & works with any boot.kernelPackages
---
 nixos/modules/profiles/hardened.nix | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
index 0ab210cc4c39..c8d306ef3cae 100644
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@@ -65,4 +65,14 @@ with lib;
   # Note: mmap_rnd_compat_bits may not exist on 64bit.
   boot.kernel.sysctl."vm.mmap_rnd_bits" = mkDefault 32;
   boot.kernel.sysctl."vm.mmap_rnd_compat_bits" = mkDefault 16;
+
+  # Allowing users to mmap() memory starting at virtual address 0 can turn a
+  # NULL dereference bug in the kernel into code execution with elevated
+  # privilege. Mitigate by enforcing a minimum base addr beyond the NULL memory
+  # space. This breaks applications that require mapping the 0 page, such as
+  # dosemu or running 16bit applications under wine. It also breaks older
+  # versions of qemu.
+  #
+  # The value is taken from the KSPP recommendations (Debian uses 4096).
+  boot.kernel.sysctl."vm.mmap_min_addr" = mkDefault 65536;
 }
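Review bot: The new comment above `vm.mmap_min_addr` lists what the setting breaks but not how an affected deployment opts out, and the `mkDefault` priority is precisely what makes that possible, so the comment should say so: `# Override with boot.kernel.sysctl."vm.mmap_min_addr" = 0 (or a lower value) if such software is required.` The mitigation is also not absolute: processes holding CAP_SYS_RAWIO are exempt from the mmap_min_addr check, so the wording "enforcing a minimum base addr" should be qualified with a line like `# Note: processes with CAP_SYS_RAWIO are exempt from this restriction.` so readers do not treat it as a hard guarantee. Both additions are comment-only; the attribute set this line belongs to begins outside the hunk, which ends at the closing brace.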