Merge remote-tracking branch 'github-kicksecure/master'

This commit is contained in:
Patrick Schleizer 2024-09-04 10:12:34 -04:00
commit 5a255d4831
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
2 changed files with 17 additions and 0 deletions

View File

@ -68,6 +68,9 @@ User space:
- Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap.
- Raise the minimum address a process can request for memory mapping to 64KB to
protect against kernel null pointer dereference vulnerabilities.
- Increase the maximum number of memory map areas a process is able to utilize.
- Optional - Disallow registering interpreters for various (miscellaneous) binary formats based

View File

@ -274,6 +274,20 @@ fs.protected_regular=2
##
kernel.randomize_va_space=2
## Raise the minimum address a process can request for memory mapping to 64KB as a form of defense-in-depth.
## Prevents kernel null pointer dereference vulnerabilities which may trigger kernel panics.
## Protects against local unprivileged users gaining root privileges by mapping data to low memory pages.
## Some legacy applications may still depend on low virtual memory addresses for proper functionality.
##
## https://googleprojectzero.blogspot.com/2023/01/exploiting-null-dereferences-in-linux.html
## https://access.redhat.com/articles/20484
## https://wiki.debian.org/mmap_min_addr
##
## KSPP=yes
## KSPP sets CONFIG_DEFAULT_MMAP_MIN_ADDR=65536.
##
vm.mmap_min_addr=65536
## Increase the maximum number of memory map areas a process is permitted to utilize.
## Addresses performance, crash, and start-up issues for some memory-intensive applications.
## Required to accommodate the very large number of guard pages created by hardened_malloc.