JakeHillion/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

nixos/hardened: don't set vm.mmap_min_addr

Browse Source 
Upstreamed in anthraxx/linux-hardened@f1fe0a64dd.
This commit is contained in:
Emily 2020-04-04 22:52:42 +01:00
parent 46d12cca56
commit cc28d51237
1 changed files with 0 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
nixos/modules/profiles/hardened.nix
View File

@ -82,16 +82,6 @@ with lib;
# Disable bpf() JIT (to eliminate spray attacks) # Disable bpf() JIT (to eliminate spray attacks)
boot.kernel.sysctl."net.core.bpf_jit_enable" = mkDefault false; boot.kernel.sysctl."net.core.bpf_jit_enable" = mkDefault false;
# Allowing users to mmap() memory starting at virtual address 0 can turn a
# NULL dereference bug in the kernel into code execution with elevated
# privilege. Mitigate by enforcing a minimum base addr beyond the NULL memory
# space. This breaks applications that require mapping the 0 page, such as
# dosemu or running 16bit applications under wine. It also breaks older
# versions of qemu.
#
# The value is taken from the KSPP recommendations (Debian uses 4096).
boot.kernel.sysctl."vm.mmap_min_addr" = mkDefault 65536;
# Disable ftrace debugging # Disable ftrace debugging
boot.kernel.sysctl."kernel.ftrace_enabled" = mkDefault false; boot.kernel.sysctl."kernel.ftrace_enabled" = mkDefault false;