author | Joachim Fasting <joachifm@fastmail.fm> | 2017-08-13 00:17:43 +0200 |
---|---|---|
committer | Joachim Fasting <joachifm@fastmail.fm> | 2017-08-13 21:44:13 +0200 |
commit | c0769dc6effc042209ede41330946bbe34b9ec90 (patch) | |
tree | e826da175ea69cf2245a25d5f98759a5b1757403 /nixos/modules | |
parent | 5c29873e99cd5276175c9b16151eaf675204a6e2 (diff) | |
nixos/hardened profile: increase ASLR entropy
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/profiles/hardened.nix | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
index 0a0838431da7..0ab210cc4c39 100644
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@@ -59,4 +59,10 @@ with lib;
   # the feature at runtime. Attempting to create a user namespace
   # with unshare will then fail with "no space left on device".
   boot.kernel.sysctl."user.max_user_namespaces" = mkDefault 0;
+
+  # Raise ASLR entropy for 64bit & 32bit, respectively.
+  #
+  # Note: mmap_rnd_compat_bits may not exist on 64bit.
+  boot.kernel.sysctl."vm.mmap_rnd_bits" = mkDefault 32;
+  boot.kernel.sysctl."vm.mmap_rnd_compat_bits" = mkDefault 16;
 }
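Review bot: The two values at the end of the hunk (`32` for `vm.mmap_rnd_bits`, `16` for `vm.mmap_rnd_compat_bits`) are the x86_64 maxima, but this profile is architecture-independent and the kernel rejects an out-of-range write to these sysctls with EINVAL, so on an architecture with a lower ceiling (32-bit ARM allows at most 16) the setting would fail at boot with an error in the systemd-sysctl journal instead of raising entropy; a reader checking `sysctl vm.mmap_rnd_bits` after boot would find the default unchanged. Consider guarding the two lines with `mkIf pkgs.stdenv.isx86_64` (if `pkgs` is in the module's arguments, which is outside the hunk) or at least stating the x86_64 assumption in the comment. The note above them is also slightly inverted: the compat knob exists on 64-bit kernels built with 32-bit compat support and is absent on 32-bit kernels, so `# Note: mmap_rnd_compat_bits exists only on 64-bit kernels with 32-bit compat support.` would be more accurate. The module header is outside the hunk; the hunk's closing `}` ends the module body.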