Merge remote-tracking branch 'github-kicksecure/master'

Patrick Schleizer 2023-05-15 11:34:57 +00:00
commit 39676395f8
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
2 changed files with 8 additions and 4 deletions

@ -37,9 +37,6 @@ often abused to exploit use-after-free flaws.
* Kexec is disabled as it can be used to load a malicious kernel and gain
arbitrary code execution in kernel mode.
* The bits of entropy used for mmap ASLR are increased, therefore improving
its effectiveness.
* Randomises the addresses for mmap base, heap, stack, and VDSO pages.
* Prevents unintentional writes to attacker-controlled files.
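
Review bot: with the entropy bullet removed from this list, the remaining bullet "Randomises the addresses for mmap base, heap, stack, and VDSO pages." no longer tells the reader that the mmap randomisation bits are also raised. Consider a short pointer from that bullet to the new "mmap ASLR" section so the two ASLR-related items stay connected.
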
@ -54,6 +51,13 @@ prevents writing potentially sensitive contents of memory to disk.
* TCP timestamps are disabled as it can allow detecting the system time.
### mmap ASLR
* The bits of entropy used for mmap ASLR are maxed out via
`/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of
`CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX` that
the kernel was built with), therefore improving its effectiveness.
### Boot parameters
Boot parameters are outlined in configuration files located in the
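
Review bot: the new "mmap ASLR" section states the bits are set to the values "that the kernel was built with", but the script changed in this same commit falls back to built-in defaults (`BITS_MAX_DEFAULT`, `COMPAT_BITS_MAX_DEFAULT=16`) when detection fails, and it reads whichever `/boot/config-*` file was modified most recently. Document the fallback and the source of the values here, so a reader knows the applied entropy can differ from the running kernel's maximum.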

@ -40,7 +40,7 @@ COMPAT_BITS_MAX_DEFAULT=16
if compgen -G "/boot/config-*" > /dev/null && CONFIG=$(ls -1 -t /boot/config-* | head -n 1) ; then
## Find the relevant config options.
if ! BITS_MAX=$(grep -E '^CONFIG_ARCH_MMAP_RND_BITS_MAX=[0-9]+$' "${CONFIG}" | cut -d "=" -f 2) ; then
echo "$0: ERROR: Error detecting CONFIG_ARCH_MMAP_RND_BITS_MAXQ Using built-in default." >&2
echo "$0: ERROR: Error detecting CONFIG_ARCH_MMAP_RND_BITS_MAX! Using built-in default." >&2
BITS_MAX="${BITS_MAX_DEFAULT}"
fi
if ! COMPAT_BITS_MAX=$(grep -E '^CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=[0-9]+$' "${CONFIG}" | cut -d "=" -f 2) ; then
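
Review bot: in `if ! BITS_MAX=$(grep -E ... | cut -d "=" -f 2)` the status being tested is that of `cut`, the last command in the pipeline, so unless `pipefail` is enabled earlier in the script (not visible in this hunk) a missing option leaves `BITS_MAX` empty with exit status 0, and neither the corrected error message nor the `BITS_MAX_DEFAULT` fallback runs. Test the result for emptiness, for example with `[ -n "${BITS_MAX}" ]`, or extract the value without a pipe. The same applies to the `COMPAT_BITS_MAX` branch. Separately, `ls -1 -t /boot/config-* | head -n 1` picks the newest file by modification time, which need not belong to the running kernel; `/boot/config-$(uname -r)` would tie the lookup to it.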