vm.mmap_rnd_bits: Fix ppc64le

Probably fixes a bunch of other non-x86_64 arches too.
This commit is contained in:
Jeremy Rand 2023-03-24 12:32:58 +00:00
parent 5c6db28881
commit 61f63255ac
No known key found for this signature in database
GPG Key ID: EB03139A459DD06E
5 changed files with 58 additions and 4 deletions

View File

@ -32,6 +32,7 @@ case "$1" in
triggered)
echo "INFO: triggered $DPKG_MAINTSCRIPT_PACKAGE: '$DPKG_MAINTSCRIPT_PACKAGE' $DPKG_MAINTSCRIPT_PACKAGE DPKG_MAINTSCRIPT_NAME: '$DPKG_MAINTSCRIPT_NAME' $\@: '$@' 2: '$2'"
/usr/share/security-misc/lkrg/lkrg-virtualbox || true
/usr/libexec/security-misc/mmap-rnd-bits
exit 0
;;
@ -57,6 +58,8 @@ you should fix running 'update-grub', otherwise your system might no longer \
boot." >&2
fi
/usr/libexec/security-misc/mmap-rnd-bits
true "INFO: debhelper beginning here."
#DEBHELPER#

View File

@ -18,6 +18,8 @@ true "
## https://forums.whonix.org/t/is-security-misc-suitable-for-hardening-bridges-and-relays/8299/11
pam-auth-update --package --remove "$DPKG_MAINTSCRIPT_PACKAGE"
rm -f /etc/sysctl.d/30_security-misc_aslr-mmap.conf
true "INFO: debhelper beginning here."
#DEBHELPER#

View File

@ -15,4 +15,7 @@ activate-noawait update-initramfs
## LKRG /usr/share/security-misc/lkrg/lkrg-virtualbox
interest-noawait /usr/bin/vboxmanage
## vm.mmap_rnd_bits
interest-noawait /boot
#### meta end

View File

@ -36,10 +36,6 @@ net.core.bpf_jit_harden=2
## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
kernel.kptr_restrict=2
## Improves ASLR effectiveness for mmap.
vm.mmap_rnd_bits=32
vm.mmap_rnd_compat_bits=16
## Restricts the use of ptrace to root. This might break some programs running under WINE.
## A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running:
##

View File

@ -0,0 +1,50 @@
#!/usr/bin/env bash
set -euo pipefail
shopt -s failglob
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## This script enforces the maximum ASLR hardening settings for mmap, given the
## installed Linux config.
## Defaults in case Linux config detection fails. These are likely to work fine
## on x86_64, probably not elsewhere.
BITS_MAX_DEFAULT=32
COMPAT_BITS_MAX_DEFAULT=16
## Find the most recently modified Linux config file.
if CONFIG=$(ls -1 -t /boot/config-* | head -n 1)
then
## Find the relevant config options.
if ! BITS_MAX=$(grep "CONFIG_ARCH_MMAP_RND_BITS_MAX" "${CONFIG}" | cut -d "=" -f 2)
then
echo "Error detecting CONFIG_ARCH_MMAP_RND_BITS_MAX"
BITS_MAX="${BITS_MAX_DEFAULT}"
fi
if ! COMPAT_BITS_MAX=$(grep "CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX" "${CONFIG}" | cut -d "=" -f 2)
then
echo "Error detecting CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX"
COMPAT_BITS_MAX="${COMPAT_BITS_MAX_DEFAULT}"
fi
else
echo "Error detecting Linux config"
BITS_MAX="${BITS_MAX_DEFAULT}"
COMPAT_BITS_MAX="${COMPAT_BITS_MAX_DEFAULT}"
fi
## Generate a sysctl.d conf file.
SYSCTL="## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## This file is automatically generated, do not edit!
## Improves ASLR effectiveness for mmap.
vm.mmap_rnd_bits=${BITS_MAX}
vm.mmap_rnd_compat_bits=${COMPAT_BITS_MAX}"
## Write the sysctl.d conf file.
echo "${SYSCTL}" > /etc/sysctl.d/30_security-misc_aslr-mmap.conf
exit 0