diff options
| author | Joachim Fasting <joachifm@fastmail.fm> | 2017-09-03 01:48:46 +0200 |
|---|---|---|
| committer | Joachim Fasting <joachifm@fastmail.fm> | 2017-09-09 17:37:15 +0200 |
| commit | 2bce0b13e70ac1e63f9ffefa9d81daee8b834dc9 (patch) | |
| tree | eb652f657675cdfdf3c793e857a8ca43b1b26755 /nixos/modules/profiles | |
| parent | f84125c3b11246ba0b9b2dec8bc916c8caac0f86 (diff) | |
| download | nixlib-2bce0b13e70ac1e63f9ffefa9d81daee8b834dc9.tar nixlib-2bce0b13e70ac1e63f9ffefa9d81daee8b834dc9.tar.gz nixlib-2bce0b13e70ac1e63f9ffefa9d81daee8b834dc9.tar.bz2 nixlib-2bce0b13e70ac1e63f9ffefa9d81daee8b834dc9.tar.lz nixlib-2bce0b13e70ac1e63f9ffefa9d81daee8b834dc9.tar.xz nixlib-2bce0b13e70ac1e63f9ffefa9d81daee8b834dc9.tar.zst nixlib-2bce0b13e70ac1e63f9ffefa9d81daee8b834dc9.zip | |
nixos/hardened: set mmap_min_addr
This is set in the hardened linux config as well but sysctl is more flexible & works with any boot.kernelPackages
Diffstat (limited to 'nixos/modules/profiles')
| -rw-r--r-- | nixos/modules/profiles/hardened.nix | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix index 0ab210cc4c39..c8d306ef3cae 100644 --- a/nixos/modules/profiles/hardened.nix +++ b/nixos/modules/profiles/hardened.nix @@ -65,4 +65,14 @@ with lib; # Note: mmap_rnd_compat_bits may not exist on 64bit. boot.kernel.sysctl."vm.mmap_rnd_bits" = mkDefault 32; boot.kernel.sysctl."vm.mmap_rnd_compat_bits" = mkDefault 16; + + # Allowing users to mmap() memory starting at virtual address 0 can turn a + # NULL dereference bug in the kernel into code execution with elevated + # privilege. Mitigate by enforcing a minimum base addr beyond the NULL memory + # space. This breaks applications that require mapping the 0 page, such as + # dosemu or running 16bit applications under wine. It also breaks older + # versions of qemu. + # + # The value is taken from the KSPP recommendations (Debian uses 4096). + boot.kernel.sysctl."vm.mmap_min_addr" = mkDefault 65536; } |