vm.mmap_rnd_bits: Fix ppc64le

Probably fixes a bunch of other non-x86_64 arches too.

debian/security-misc.postinst

@@ -32,6 +32,7 @@ case "$1" in
     triggered)
       echo "INFO: triggered $DPKG_MAINTSCRIPT_PACKAGE: '$DPKG_MAINTSCRIPT_PACKAGE' $DPKG_MAINTSCRIPT_PACKAGE DPKG_MAINTSCRIPT_NAME: '$DPKG_MAINTSCRIPT_NAME' $\@: '$@' 2: '$2'"
       /usr/share/security-misc/lkrg/lkrg-virtualbox || true
+      /usr/libexec/security-misc/mmap-rnd-bits
       exit 0
     ;;
 
@@ -57,6 +58,8 @@ you should fix running 'update-grub', otherwise your system might no longer \
 boot." >&2
 fi
 
+/usr/libexec/security-misc/mmap-rnd-bits
+
 true "INFO: debhelper beginning here."
 
 #DEBHELPER#

debian/security-misc.postrm

@@ -18,6 +18,8 @@ true "
 ## https://forums.whonix.org/t/is-security-misc-suitable-for-hardening-bridges-and-relays/8299/11
 pam-auth-update --package --remove "$DPKG_MAINTSCRIPT_PACKAGE"
 
+rm -f /etc/sysctl.d/30_security-misc_aslr-mmap.conf
+
 true "INFO: debhelper beginning here."
 
 #DEBHELPER#

debian/security-misc.triggers

@@ -15,4 +15,7 @@ activate-noawait update-initramfs
 ## LKRG /usr/share/security-misc/lkrg/lkrg-virtualbox
 interest-noawait /usr/bin/vboxmanage
 
+## vm.mmap_rnd_bits
+interest-noawait /boot
+
 #### meta end

etc/sysctl.d/30_security-misc.conf

@@ -36,10 +36,6 @@ net.core.bpf_jit_harden=2
 ## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
 kernel.kptr_restrict=2
 
-## Improves ASLR effectiveness for mmap.
-vm.mmap_rnd_bits=32
-vm.mmap_rnd_compat_bits=16
-
 ## Restricts the use of ptrace to root. This might break some programs running under WINE.
 ## A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running:
 ##

usr/libexec/security-misc/mmap-rnd-bits

@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+shopt -s failglob
+
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## This script enforces the maximum ASLR hardening settings for mmap, given the
+## installed Linux config.
+
+## Defaults in case Linux config detection fails. These are likely to work fine
+## on x86_64, probably not elsewhere.
+BITS_MAX_DEFAULT=32
+COMPAT_BITS_MAX_DEFAULT=16
+
+## Find the most recently modified Linux config file.
+if CONFIG=$(ls -1 -t /boot/config-* | head -n 1)
+then
+    ## Find the relevant config options.
+    if ! BITS_MAX=$(grep "CONFIG_ARCH_MMAP_RND_BITS_MAX" "${CONFIG}" | cut -d "=" -f 2)
+    then
+        echo "Error detecting CONFIG_ARCH_MMAP_RND_BITS_MAX"
+        BITS_MAX="${BITS_MAX_DEFAULT}"
+    fi
+    if ! COMPAT_BITS_MAX=$(grep "CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX" "${CONFIG}" | cut -d "=" -f 2)
+    then
+        echo "Error detecting CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX"
+        COMPAT_BITS_MAX="${COMPAT_BITS_MAX_DEFAULT}"
+    fi
+else
+    echo "Error detecting Linux config"
+    BITS_MAX="${BITS_MAX_DEFAULT}"
+    COMPAT_BITS_MAX="${COMPAT_BITS_MAX_DEFAULT}"
+fi
+
+## Generate a sysctl.d conf file.
+SYSCTL="## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## This file is automatically generated, do not edit!
+
+## Improves ASLR effectiveness for mmap.
+vm.mmap_rnd_bits=${BITS_MAX}
+vm.mmap_rnd_compat_bits=${COMPAT_BITS_MAX}"
+
+## Write the sysctl.d conf file.
+echo "${SYSCTL}" > /etc/sysctl.d/30_security-misc_aslr-mmap.conf
+
+exit 0