vm.mmap_rnd_bits: Fix ppc64le

Probably fixes a bunch of other non-x86_64 arches too.

usr/libexec/security-misc/mmap-rnd-bits

@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+shopt -s failglob
+
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## This script enforces the maximum ASLR hardening settings for mmap, given the
+## installed Linux config.
+
+## Defaults in case Linux config detection fails. These are likely to work fine
+## on x86_64, probably not elsewhere.
+BITS_MAX_DEFAULT=32
+COMPAT_BITS_MAX_DEFAULT=16
+
+## Find the most recently modified Linux config file.
+if CONFIG=$(ls -1 -t /boot/config-* | head -n 1)
+then
+    ## Find the relevant config options.
+    if ! BITS_MAX=$(grep "CONFIG_ARCH_MMAP_RND_BITS_MAX" "${CONFIG}" | cut -d "=" -f 2)
+    then
+        echo "Error detecting CONFIG_ARCH_MMAP_RND_BITS_MAX"
+        BITS_MAX="${BITS_MAX_DEFAULT}"
+    fi
+    if ! COMPAT_BITS_MAX=$(grep "CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX" "${CONFIG}" | cut -d "=" -f 2)
+    then
+        echo "Error detecting CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX"
+        COMPAT_BITS_MAX="${COMPAT_BITS_MAX_DEFAULT}"
+    fi
+else
+    echo "Error detecting Linux config"
+    BITS_MAX="${BITS_MAX_DEFAULT}"
+    COMPAT_BITS_MAX="${COMPAT_BITS_MAX_DEFAULT}"
+fi
+
+## Generate a sysctl.d conf file.
+SYSCTL="## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## This file is automatically generated, do not edit!
+
+## Improves ASLR effectiveness for mmap.
+vm.mmap_rnd_bits=${BITS_MAX}
+vm.mmap_rnd_compat_bits=${COMPAT_BITS_MAX}"
+
+## Write the sysctl.d conf file.
+echo "${SYSCTL}" > /etc/sysctl.d/30_security-misc_aslr-mmap.conf
+
+exit 0