Mirror of https://github.com/Kicksecure/security-misc.git (synced 2024-12-25 05:39:27 -05:00)
Merge remote-tracking branch 'github-kicksecure/master'
This commit is contained in: commit 39676395f8
README.md (10 changed lines)
@ -37,9 +37,6 @@ often abused to exploit use-after-free flaws.
* Kexec is disabled as it can be used to load a malicious kernel and gain
arbitrary code execution in kernel mode.
* The bits of entropy used for mmap ASLR are increased, therefore improving
its effectiveness.
* Randomises the addresses for mmap base, heap, stack, and VDSO pages.
* Prevents unintentional writes to attacker-controlled files.
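Review bot: the +/- markers were lost in extraction, so the hunk header (-37,9 +37,6) is the only sign that three lines leave this list; comparing with the next hunk, it is the bullet "The bits of entropy used for mmap ASLR are increased, therefore improving its effectiveness." and its trailing blank line that move into a dedicated section. Dropping the bullet here without a pointer means a reader who only scans the bulleted overview no longer learns that mmap ASLR entropy is raised at all; consider keeping a one-line bullet in this list that refers to the new mmap ASLR section.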
@ -54,6 +51,13 @@ prevents writing potentially sensitive contents of memory to disk.
* TCP timestamps are disabled as it can allow detecting the system time.
### mmap ASLR
* The bits of entropy used for mmap ASLR are maxed out via
`/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of
`CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX` that
the kernel was built with), therefore improving its effectiveness.
### Boot parameters
Boot parameters are outlined in configuration files located in the
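Review bot: the new section states that the entropy bits are "set to the values of CONFIG_ARCH_MMAP_RND_BITS_MAX and CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX that the kernel was built with", but the script hunk below shows a fallback path (BITS_MAX_DEFAULT / COMPAT_BITS_MAX_DEFAULT=16) that is taken when no /boot/config-* exists or the option cannot be read from it; that fallback should be documented here, since on such a system the value applied may not be the kernel's maximum. It would also help to name the sysctl knobs the script writes (on a stock kernel these are vm.mmap_rnd_bits and vm.mmap_rnd_compat_bits) so a reader can confirm the running value with sysctl. Minor, in the unchanged context above: "TCP timestamps are disabled as it can allow detecting the system time" should read "as they can allow".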
@ -40,7 +40,7 @@ COMPAT_BITS_MAX_DEFAULT=16
if compgen -G "/boot/config-*" > /dev/null && CONFIG=$(ls -1 -t /boot/config-* | head -n 1) ; then
## Find the relevant config options.
if ! BITS_MAX=$(grep -E '^CONFIG_ARCH_MMAP_RND_BITS_MAX=[0-9]+$' "${CONFIG}" | cut -d "=" -f 2) ; then
echo "$0: ERROR: Error detecting CONFIG_ARCH_MMAP_RND_BITS_MAXQ Using built-in default." >&2
echo "$0: ERROR: Error detecting CONFIG_ARCH_MMAP_RND_BITS_MAX! Using built-in default." >&2
BITS_MAX="${BITS_MAX_DEFAULT}"
fi
if ! COMPAT_BITS_MAX=$(grep -E '^CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=[0-9]+$' "${CONFIG}" | cut -d "=" -f 2) ; then
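Review bot: the typo fix in the message (MAXQ -> MAX!) is fine, but the check it sits in does not do what the message claims: in `if ! BITS_MAX=$(grep -E '^CONFIG_ARCH_MMAP_RND_BITS_MAX=[0-9]+$' "${CONFIG}" | cut -d "=" -f 2) ; then` the exit status of the substitution is that of the last pipeline stage, `cut`, which exits 0 whether or not grep matched, so a config file lacking the option leaves BITS_MAX empty and the built-in default is never applied (unless `set -o pipefail` is in effect, which is not visible in this hunk). The COMPAT_BITS_MAX test at the end of the hunk has the same shape and the same problem. Suggest testing the result rather than the status, e.g. `if ! BITS_MAX=$(...) || [ -z "${BITS_MAX}" ] ; then`, or enabling pipefail at the top of the script. Two smaller points: `ls -1 -t /boot/config-* | head -n 1` picks the most recently modified config rather than the running kernel's, so trying `/boot/config-$(uname -r)` first would be safer; and the message is labelled ERROR although the script deliberately continues with a default, so WARNING describes the situation better.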