movefasta/nixpkgs
0
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-07-13 13:40:28 +03:00
Code Activity

nixos/hardened: set mmap_min_addr

Browse source 
This is set in the hardened linux config as well but sysctl is more
flexible & works with any boot.kernelPackages
This commit is contained in:
Joachim Fasting 2017-09-03 01:48:46 +02:00
parent f84125c3b1
commit 2bce0b13e7
No known key found for this signature in database
GPG key ID: 66EAB6B14F6B6E0D
1 changed files with 10 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

10
nixos/modules/profiles/hardened.nix
View file

@ -65,4 +65,14 @@ with lib;
# Note: mmap_rnd_compat_bits may not exist on 64bit.
boot.kernel.sysctl."vm.mmap_rnd_bits" = mkDefault 32;
boot.kernel.sysctl."vm.mmap_rnd_compat_bits" = mkDefault 16;
# Allowing users to mmap() memory starting at virtual address 0 can turn a
# NULL dereference bug in the kernel into code execution with elevated
# privilege. Mitigate by enforcing a minimum base addr beyond the NULL memory
# space. This breaks applications that require mapping the 0 page, such as
# dosemu or running 16bit applications under wine. It also breaks older
# versions of qemu.
#
# The value is taken from the KSPP recommendations (Debian uses 4096).
boot.kernel.sysctl."vm.mmap_min_addr" = mkDefault 65536;
}