mirror of
https://github.com/Kicksecure/security-misc.git
synced 2025-01-22 06:51:07 -05:00
Set sysctl vm.mmap_min_addr=65536
parent
e962153f84
commit
e61027a40e
@ -63,6 +63,9 @@ space, user space, core dumps, and swap space.
|
||||
|
||||
- Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap.
|
||||
|
||||
- Raise the minimum address a process can request for memory mapping to 64KB to
|
||||
protect against kernel null pointer dereference vulnerabilities.
|
||||
|
||||
- Increase the maximum number of memory map areas a process is able to utilize.
|
||||
|
||||
- Disallow registering interpreters for various (miscellaneous) binary formats based
|
||||
|
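Review bot: The new README bullet "Raise the minimum address a process can request for memory mapping to 64KB" leaves out the compatibility caveat that the sysctl comment in this same commit carries ("Some legacy applications may still depend on low virtual memory addresses"), and it does not name the setting. Suggest naming `vm.mmap_min_addr` in the bullet and adding a short clause on the legacy-application trade-off, so that someone reading only the README knows which setting to check when an application stops working.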
@ -207,6 +207,20 @@ fs.protected_regular=2
|
||||
##
|
||||
kernel.randomize_va_space=2
|
||||
|
||||
## Raise the minimum address a process can request for memory mapping to 64KB as a form of defense-in-depth.
|
||||
## Prevents kernel null pointer dereference vulnerabilities which may trigger kernel panics.
|
||||
## Protects against local unprivileged users gaining root privileges by mapping data to low memory pages.
|
||||
## Some legacy applications may still depend on low virtual memory addresses for proper functionality.
|
||||
##
|
||||
## https://googleprojectzero.blogspot.com/2023/01/exploiting-null-dereferences-in-linux.html
|
||||
## https://access.redhat.com/articles/20484
|
||||
## https://wiki.debian.org/mmap_min_addr
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets CONFIG_DEFAULT_MMAP_MIN_ADDR=65536.
|
||||
##
|
||||
vm.mmap_min_addr=65536
|
||||
|
||||
## Increase the maximum number of memory map areas a process is permitted to utilize.
|
||||
## Addresses performance, crash, and start-up issues for some memory-intensive applications.
|
||||
## Required to accommodate the very large number of guard pages created by hardened_malloc.
|
||||
|
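Review bot: The comment line "## Prevents kernel null pointer dereference vulnerabilities which may trigger kernel panics." overstates what `vm.mmap_min_addr=65536` does. The value restricts which low addresses a process may request for mapping; it does not remove the dereference bugs themselves, and the sentence can be read as claiming the setting prevents the panics. Suggest wording it as a mitigation against exploitation of such bugs, in line with the next comment line about "mapping data to low memory pages". The legacy-application caveat would also be more useful if it said how a user can override the value when an application needs a lower address.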