diff options
| author | Emily <vcs@emily.moe> | 2020-04-05 04:07:51 +0100 |
|---|---|---|
| committer | Emily <vcs@emily.moe> | 2020-04-17 16:13:39 +0100 |
| commit | 46d12cca561165142580ccdc39eb97d0ee5b240d (patch) | |
| tree | 95f0382709d5b0cd91ff7fb0d9cf7e6056e83466 /nixos | |
| parent | af4f57b2c4b969c9bc72527dbbd970564ee8d90b (diff) | |
| download | nixlib-46d12cca561165142580ccdc39eb97d0ee5b240d.tar nixlib-46d12cca561165142580ccdc39eb97d0ee5b240d.tar.gz nixlib-46d12cca561165142580ccdc39eb97d0ee5b240d.tar.bz2 nixlib-46d12cca561165142580ccdc39eb97d0ee5b240d.tar.lz nixlib-46d12cca561165142580ccdc39eb97d0ee5b240d.tar.xz nixlib-46d12cca561165142580ccdc39eb97d0ee5b240d.tar.zst nixlib-46d12cca561165142580ccdc39eb97d0ee5b240d.zip | |
nixos/hardened: don't set vm.mmap_rnd{,_compat}_bits
Upstreamed in anthraxx/linux-hardened@ae6d85f437dddf8f5a9076019cdfbb7788a9c154.
Diffstat (limited to 'nixos')
| -rw-r--r-- | nixos/modules/profiles/hardened.nix | 6 |
1 files changed, 0 insertions, 6 deletions
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix index 692afbff660d..33b62589b99b 100644 --- a/nixos/modules/profiles/hardened.nix +++ b/nixos/modules/profiles/hardened.nix @@ -82,12 +82,6 @@ with lib; # Disable bpf() JIT (to eliminate spray attacks) boot.kernel.sysctl."net.core.bpf_jit_enable" = mkDefault false; - # Raise ASLR entropy for 64bit & 32bit, respectively. - # - # Note: mmap_rnd_compat_bits may not exist on 64bit. - boot.kernel.sysctl."vm.mmap_rnd_bits" = mkDefault 32; - boot.kernel.sysctl."vm.mmap_rnd_compat_bits" = mkDefault 16; - # Allowing users to mmap() memory starting at virtual address 0 can turn a # NULL dereference bug in the kernel into code execution with elevated # privilege. Mitigate by enforcing a minimum base addr beyond the NULL memory |