authorEmily <vcs@emily.moe>2020-04-04 22:52:42 +0100
committerEmily <vcs@emily.moe>2020-04-17 16:13:39 +0100
commitcc28d51237d39fa5f7de57f836fe2a0cf46e6182 (patch)
treed3100c5b0c7245daefeeb2328b49cef9a987175c /nixos/modules
parent46d12cca561165142580ccdc39eb97d0ee5b240d (diff)
nixos/hardened: don't set vm.mmap_min_addr
Upstreamed in anthraxx/linux-hardened@f1fe0a64dd532551b048d97b35473c25809f7a0f.
Diffstat (limited to 'nixos/modules')
-rw-r--r--nixos/modules/profiles/hardened.nix10
1 files changed, 0 insertions, 10 deletions
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
index 33b62589b99b..1747e962f025 100644
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@@ -82,16 +82,6 @@ with lib;
   # Disable bpf() JIT (to eliminate spray attacks)
   boot.kernel.sysctl."net.core.bpf_jit_enable" = mkDefault false;
 
-  # Allowing users to mmap() memory starting at virtual address 0 can turn a
-  # NULL dereference bug in the kernel into code execution with elevated
-  # privilege.  Mitigate by enforcing a minimum base addr beyond the NULL memory
-  # space.  This breaks applications that require mapping the 0 page, such as
-  # dosemu or running 16bit applications under wine.  It also breaks older
-  # versions of qemu.
-  #
-  # The value is taken from the KSPP recommendations (Debian uses 4096).
-  boot.kernel.sysctl."vm.mmap_min_addr" = mkDefault 65536;
-
   # Disable ftrace debugging
   boot.kernel.sysctl."kernel.ftrace_enabled" = mkDefault false;