mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-12-23 01:03:35 +07:00
vm.mmap_rnd_bits: Fix ppc64le
Probably fixes a bunch of other non-x86_64 arches too.
This commit is contained in:
parent
5c6db28881
commit
61f63255ac
3
debian/security-misc.postinst
vendored
3
debian/security-misc.postinst
vendored
@ -32,6 +32,7 @@ case "$1" in
|
||||
triggered)
|
||||
echo "INFO: triggered $DPKG_MAINTSCRIPT_PACKAGE: '$DPKG_MAINTSCRIPT_PACKAGE' $DPKG_MAINTSCRIPT_PACKAGE DPKG_MAINTSCRIPT_NAME: '$DPKG_MAINTSCRIPT_NAME' $\@: '$@' 2: '$2'"
|
||||
/usr/share/security-misc/lkrg/lkrg-virtualbox || true
|
||||
/usr/libexec/security-misc/mmap-rnd-bits
|
||||
exit 0
|
||||
;;
|
||||
|
||||
@ -57,6 +58,8 @@ you should fix running 'update-grub', otherwise your system might no longer \
|
||||
boot." >&2
|
||||
fi
|
||||
|
||||
/usr/libexec/security-misc/mmap-rnd-bits
|
||||
|
||||
true "INFO: debhelper beginning here."
|
||||
|
||||
#DEBHELPER#
|
||||
|
2
debian/security-misc.postrm
vendored
2
debian/security-misc.postrm
vendored
@ -18,6 +18,8 @@ true "
|
||||
## https://forums.whonix.org/t/is-security-misc-suitable-for-hardening-bridges-and-relays/8299/11
|
||||
pam-auth-update --package --remove "$DPKG_MAINTSCRIPT_PACKAGE"
|
||||
|
||||
rm -f /etc/sysctl.d/30_security-misc_aslr-mmap.conf
|
||||
|
||||
true "INFO: debhelper beginning here."
|
||||
|
||||
#DEBHELPER#
|
||||
|
3
debian/security-misc.triggers
vendored
3
debian/security-misc.triggers
vendored
@ -15,4 +15,7 @@ activate-noawait update-initramfs
|
||||
## LKRG /usr/share/security-misc/lkrg/lkrg-virtualbox
|
||||
interest-noawait /usr/bin/vboxmanage
|
||||
|
||||
## vm.mmap_rnd_bits
|
||||
interest-noawait /boot
|
||||
|
||||
#### meta end
|
||||
|
@ -36,10 +36,6 @@ net.core.bpf_jit_harden=2
|
||||
## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
|
||||
kernel.kptr_restrict=2
|
||||
|
||||
## Improves ASLR effectiveness for mmap.
|
||||
vm.mmap_rnd_bits=32
|
||||
vm.mmap_rnd_compat_bits=16
|
||||
|
||||
## Restricts the use of ptrace to root. This might break some programs running under WINE.
|
||||
## A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running:
|
||||
##
|
||||
|
50
usr/libexec/security-misc/mmap-rnd-bits
Executable file
50
usr/libexec/security-misc/mmap-rnd-bits
Executable file
@ -0,0 +1,50 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
set -euo pipefail
|
||||
shopt -s failglob
|
||||
|
||||
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## This script enforces the maximum ASLR hardening settings for mmap, given the
|
||||
## installed Linux config.
|
||||
|
||||
## Defaults in case Linux config detection fails. These are likely to work fine
|
||||
## on x86_64, probably not elsewhere.
|
||||
BITS_MAX_DEFAULT=32
|
||||
COMPAT_BITS_MAX_DEFAULT=16
|
||||
|
||||
## Find the most recently modified Linux config file.
|
||||
if CONFIG=$(ls -1 -t /boot/config-* | head -n 1)
|
||||
then
|
||||
## Find the relevant config options.
|
||||
if ! BITS_MAX=$(grep "CONFIG_ARCH_MMAP_RND_BITS_MAX" "${CONFIG}" | cut -d "=" -f 2)
|
||||
then
|
||||
echo "Error detecting CONFIG_ARCH_MMAP_RND_BITS_MAX"
|
||||
BITS_MAX="${BITS_MAX_DEFAULT}"
|
||||
fi
|
||||
if ! COMPAT_BITS_MAX=$(grep "CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX" "${CONFIG}" | cut -d "=" -f 2)
|
||||
then
|
||||
echo "Error detecting CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX"
|
||||
COMPAT_BITS_MAX="${COMPAT_BITS_MAX_DEFAULT}"
|
||||
fi
|
||||
else
|
||||
echo "Error detecting Linux config"
|
||||
BITS_MAX="${BITS_MAX_DEFAULT}"
|
||||
COMPAT_BITS_MAX="${COMPAT_BITS_MAX_DEFAULT}"
|
||||
fi
|
||||
|
||||
## Generate a sysctl.d conf file.
|
||||
SYSCTL="## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## This file is automatically generated, do not edit!
|
||||
|
||||
## Improves ASLR effectiveness for mmap.
|
||||
vm.mmap_rnd_bits=${BITS_MAX}
|
||||
vm.mmap_rnd_compat_bits=${COMPAT_BITS_MAX}"
|
||||
|
||||
## Write the sysctl.d conf file.
|
||||
echo "${SYSCTL}" > /etc/sysctl.d/30_security-misc_aslr-mmap.conf
|
||||
|
||||
exit 0
|
Loading…
Reference in New Issue
Block a user