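#!/usr/bin/env bash
set -euo pipefail
shopt -s failglob
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## This script enforces the maximum ASLR hardening settings for mmap, given the
## installed Linux config.
##
## Usage: run as root (it writes a fragment into /etc/sysctl.d). Diagnostics go
## to stderr. The script deliberately keeps exiting 0 when the kernel config
## cannot be read (the defaults below are used) or the fragment cannot be
## written, so a caller such as a boot-time unit is not aborted; the stderr
## message is the only signal that the hardening was not applied, so watch for it.

## Defaults in case Linux config detection fails. These are likely to work fine
## on x86_64, probably not elsewhere.
readonly BITS_MAX_DEFAULT=32
readonly COMPAT_BITS_MAX_DEFAULT=16
## Destination of the generated sysctl.d fragment.
readonly SYSCTL_CONF=/etc/sysctl.d/30_security-misc_aslr-mmap.conf

## Print a diagnostic line on stderr.
warn() {
  printf '%s\n' "$*" >&2
}

#######################################
## Find the most recently modified Linux config file under /boot.
## Outputs:  the path on stdout
## Returns:  0 if a config file was found, 1 otherwise
#######################################
newest_boot_config() {
  local candidate newest=""
  ## compgen guards the glob: with failglob set, an unmatched pattern in the
  ## for-loop would be an expansion error instead of "no config found".
  compgen -G "/boot/config-*" > /dev/null || return 1
  for candidate in /boot/config-*; do
    [[ -f "${candidate}" ]] || continue
    ## -nt compares modification times, replacing the former 'ls -t | head -n 1'
    ## parse (which also risked a pipefail SIGPIPE status from ls).
    if [[ -z "${newest}" || "${candidate}" -nt "${newest}" ]]; then
      newest="${candidate}"
    fi
  done
  [[ -n "${newest}" ]] || return 1
  printf '%s\n' "${newest}"
}

#######################################
## Read a numeric Linux config option from a config file.
## Arguments: $1 - path to the config file
##            $2 - option name, e.g. CONFIG_ARCH_MMAP_RND_BITS_MAX
## Outputs:   the option's value on stdout
## Returns:   0 if the option is present with an all-digit value, 1 otherwise
#######################################
config_number() {
  local config="$1" option="$2" line
  ## The anchored pattern only accepts an all-digit value, so whatever ends up
  ## in the sysctl fragment is a plain integer. -m 1 stops at the first match,
  ## so a duplicated option cannot yield a multi-line value.
  line=$(grep -E -m 1 -- "^${option}=[0-9]+\$" "${config}") || return 1
  printf '%s\n' "${line#*=}"
}

#######################################
## Detect the maximum mmap randomisation bits and write the sysctl.d fragment.
## Globals:  BITS_MAX_DEFAULT, COMPAT_BITS_MAX_DEFAULT, SYSCTL_CONF (read)
## Returns:  always 0 (see the header comment)
#######################################
main() {
  local config bits_max compat_bits_max sysctl
  if config=$(newest_boot_config); then
    ## Find the relevant config options; fall back per option on failure.
    if ! bits_max=$(config_number "${config}" CONFIG_ARCH_MMAP_RND_BITS_MAX); then
      warn "Error detecting CONFIG_ARCH_MMAP_RND_BITS_MAX"
      bits_max="${BITS_MAX_DEFAULT}"
    fi
    if ! compat_bits_max=$(config_number "${config}" CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX); then
      warn "Error detecting CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX"
      compat_bits_max="${COMPAT_BITS_MAX_DEFAULT}"
    fi
  else
    warn "Error detecting Linux config"
    bits_max="${BITS_MAX_DEFAULT}"
    compat_bits_max="${COMPAT_BITS_MAX_DEFAULT}"
  fi

  ## Generate the sysctl.d conf file content.
  sysctl="## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## This file is automatically generated, do not edit!
## Improves ASLR effectiveness for mmap.
vm.mmap_rnd_bits=${bits_max}
vm.mmap_rnd_compat_bits=${compat_bits_max}"

  ## Write the sysctl.d conf file directly; no pipeline or tee needed.
  if ! printf '%s\n' "${sysctl}" > "${SYSCTL_CONF}"; then
    warn "Error writing ASLR map config"
  fi
  return 0
}

main "$@"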