diff --git a/README.md b/README.md index 33cb7d0..20f5a41 100644 --- a/README.md +++ b/README.md @@ -37,9 +37,6 @@ often abused to exploit use-after-free flaws. * Kexec is disabled as it can be used to load a malicious kernel and gain arbitrary code execution in kernel mode. -* The bits of entropy used for mmap ASLR are increased, therefore improving -its effectiveness. - * Randomises the addresses for mmap base, heap, stack, and VDSO pages. * Prevents unintentional writes to attacker-controlled files. @@ -54,6 +51,13 @@ prevents writing potentially sensitive contents of memory to disk. * TCP timestamps are disabled as it can allow detecting the system time. +### mmap ASLR + +* The bits of entropy used for mmap ASLR are maxed out via +`/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of +`CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX` that +the kernel was built with), therefore improving its effectiveness. + ### Boot parameters Boot parameters are outlined in configuration files located in the diff --git a/usr/libexec/security-misc/mmap-rnd-bits b/usr/libexec/security-misc/mmap-rnd-bits index 51d96bd..17482bf 100755 --- a/usr/libexec/security-misc/mmap-rnd-bits +++ b/usr/libexec/security-misc/mmap-rnd-bits @@ -40,7 +40,7 @@ COMPAT_BITS_MAX_DEFAULT=16 if compgen -G "/boot/config-*" > /dev/null && CONFIG=$(ls -1 -t /boot/config-* | head -n 1) ; then ## Find the relevant config options. if ! BITS_MAX=$(grep -E '^CONFIG_ARCH_MMAP_RND_BITS_MAX=[0-9]+$' "${CONFIG}" | cut -d "=" -f 2) ; then - echo "$0: ERROR: Error detecting CONFIG_ARCH_MMAP_RND_BITS_MAXQ Using built-in default." >&2 + echo "$0: ERROR: Error detecting CONFIG_ARCH_MMAP_RND_BITS_MAX! Using built-in default." >&2 BITS_MAX="${BITS_MAX_DEFAULT}" fi if ! COMPAT_BITS_MAX=$(grep -E '^CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=[0-9]+$' "${CONFIG}" | cut -d "=" -f 2) ; then
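Review bot: In the new `### mmap ASLR` section of README.md, the bullet states the bits are set to the values the kernel was built with, but the script in this same patch falls back to built-in defaults (`BITS_MAX="${BITS_MAX_DEFAULT}"`, with `COMPAT_BITS_MAX_DEFAULT=16` visible in the hunk header) when detection fails. The README should mention that fallback so readers do not assume the kernel's maximum is always what gets applied. Something like "falling back to built-in defaults if the kernel config cannot be read" appended to the bullet would cover it.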
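Review bot: In the `usr/libexec/security-misc/mmap-rnd-bits` hunk, the `if ! BITS_MAX=$(grep -E ... | cut -d "=" -f 2)` test evaluates the exit status of `cut`, the last command in the pipeline, so unless `pipefail` is enabled elsewhere in the script the error message corrected here is never printed when `grep` finds no match, and `BITS_MAX` is left empty instead of taking the default. Suggest testing for an empty result (for example `[ -z "${BITS_MAX}" ]`) or enabling `set -o pipefail`. The same applies to the `COMPAT_BITS_MAX` line that follows. Separately, `ls -1 -t /boot/config-* | head -n 1` in the context line selects the most recently modified config file, which is not necessarily the running kernel's. Trying `/boot/config-$(uname -r)` first would tie the value to the kernel that is actually booted.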