From 9d23717b6d3f94d8fad5ab00628dcbf41fa2cab5 Mon Sep 17 00:00:00 2001 From: Jeremy Rand Date: Mon, 8 May 2023 13:45:18 +0000 Subject: [PATCH 1/2] README: Document mmap-rnd-bits --- README.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 33cb7d0..20f5a41 100644 --- a/README.md +++ b/README.md @@ -37,9 +37,6 @@ often abused to exploit use-after-free flaws. * Kexec is disabled as it can be used to load a malicious kernel and gain arbitrary code execution in kernel mode. -* The bits of entropy used for mmap ASLR are increased, therefore improving -its effectiveness. - * Randomises the addresses for mmap base, heap, stack, and VDSO pages. * Prevents unintentional writes to attacker-controlled files. @@ -54,6 +51,13 @@ prevents writing potentially sensitive contents of memory to disk. * TCP timestamps are disabled as it can allow detecting the system time. +### mmap ASLR + +* The bits of entropy used for mmap ASLR are maxed out via +`/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of +`CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX` that +the kernel was built with), therefore improving its effectiveness. + ### Boot parameters Boot parameters are outlined in configuration files located in the From 6ab400c9d982bde16271052f181c87255046037e Mon Sep 17 00:00:00 2001 From: Jeremy Rand Date: Tue, 9 May 2023 10:55:31 +0000 Subject: [PATCH 2/2] mmap-rnd-bits: Fix typo in error message --- usr/libexec/security-misc/mmap-rnd-bits | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/mmap-rnd-bits b/usr/libexec/security-misc/mmap-rnd-bits index 51d96bd..17482bf 100755 --- a/usr/libexec/security-misc/mmap-rnd-bits +++ b/usr/libexec/security-misc/mmap-rnd-bits 
@@ -40,7 +40,7 @@ COMPAT_BITS_MAX_DEFAULT=16 if compgen -G "/boot/config-*" > /dev/null && CONFIG=$(ls -1 -t /boot/config-* | head -n 1) ; then ## Find the relevant config options. if ! BITS_MAX=$(grep -E '^CONFIG_ARCH_MMAP_RND_BITS_MAX=[0-9]+$' "${CONFIG}" | cut -d "=" -f 2) ; then - echo "$0: ERROR: Error detecting CONFIG_ARCH_MMAP_RND_BITS_MAXQ Using built-in default." >&2 + echo "$0: ERROR: Error detecting CONFIG_ARCH_MMAP_RND_BITS_MAX! Using built-in default." >&2 BITS_MAX="${BITS_MAX_DEFAULT}" fi if ! COMPAT_BITS_MAX=$(grep -E '^CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=[0-9]+$' "${CONFIG}" | cut -d "=" -f 2) ; then
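Review bot: In the new `### mmap ASLR` section of README.md (hunk `@@ -54,6 +51,13 @@`), the statement that the entropy bits are set to the `CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX` values the kernel was built with leaves out the fallback path that the second patch shows: when no `/boot/config-*` file is found or the option cannot be parsed, the script falls back to built-in defaults (`COMPAT_BITS_MAX_DEFAULT=16`, `BITS_MAX="${BITS_MAX_DEFAULT}"`). Suggest adding one sentence to the README along the lines of "If the kernel configuration cannot be read, conservative built-in defaults are used instead", so that readers do not assume the maximum is always applied on systems without a readable kernel config.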
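Review bot: In the mmap-rnd-bits hunk (`@@ -40,7 +40,7 @@`), the typo fix itself is fine, but the condition it sits in, `if ! BITS_MAX=$(grep -E '^CONFIG_ARCH_MMAP_RND_BITS_MAX=[0-9]+$' "${CONFIG}" | cut -d "=" -f 2) ; then`, tests the exit status of `cut`, the last command in the pipeline, which is 0 even when `grep` matches nothing; unless `set -o pipefail` is enabled earlier in the script (not visible in this hunk), the fallback to `BITS_MAX_DEFAULT` is never taken and `BITS_MAX` is silently left empty. Suggest testing the captured value rather than the pipeline status, e.g. `BITS_MAX=$(grep ... | cut -d "=" -f 2); if [ -z "${BITS_MAX}" ]; then ... fi`, and applying the same change to the `COMPAT_BITS_MAX` branch that follows. Two smaller points: the message is prefixed `ERROR:` although the script continues with a default, so `WARNING:` would describe the behaviour more accurately, and `ls -1 -t /boot/config-* | head -n 1` selects the most recently modified config file, which need not belong to the running kernel; trying `/boot/config-$(uname -r)` first would be more precise.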