From d6d79e96c9a3f25b75d92a46dc97d6191d6ac691 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Fri, 5 May 2023 14:44:29 +0000
Subject: [PATCH] minor mmap-rnd-bits improvements
---
 debian/security-misc.postinst | 2 +-
 debian/security-misc.triggers | 4 +++
 usr/libexec/security-misc/mmap-rnd-bits | 33 ++++++++++++-------------
 3 files changed, 21 insertions(+), 18 deletions(-)
diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst
index 139fa7d..d00d8cf 100644
--- a/debian/security-misc.postinst
+++ b/debian/security-misc.postinst
@@ -58,7 +58,7 @@ you should fix running 'update-grub', otherwise your system might no longer \
 boot." >&2
 fi
-/usr/libexec/security-misc/mmap-rnd-bits
+/usr/libexec/security-misc/mmap-rnd-bits || true
 true "INFO: debhelper beginning here."
diff --git a/debian/security-misc.triggers b/debian/security-misc.triggers
index fb8476e..5dc870f 100644
--- a/debian/security-misc.triggers
+++ b/debian/security-misc.triggers
@@ -15,6 +15,10 @@ activate-noawait update-initramfs
 ## LKRG /usr/share/security-misc/lkrg/lkrg-virtualbox
 interest-noawait /usr/bin/vboxmanage
+## /usr/libexec/security-misc/mmap-rnd-bits
+## auto generates:
+## /etc/sysctl.d/30_security-misc_aslr-mmap.conf
+## sets:
 ## vm.mmap_rnd_bits
 interest-noawait /boot
diff --git a/usr/libexec/security-misc/mmap-rnd-bits b/usr/libexec/security-misc/mmap-rnd-bits
index edb0fb7..e356884 100755
--- a/usr/libexec/security-misc/mmap-rnd-bits
+++ b/usr/libexec/security-misc/mmap-rnd-bits
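Review bot: The `|| true` appended on the changed line makes a failure of the ASLR sysctl generator invisible to dpkg, and nothing in the hunk records that this is deliberate; a later reader may "fix" it back and reintroduce a configure-time abort, or leave a hardening gap unnoticed. The script itself already reports its errors on stderr and exits non-zero on a failed write, so the intent is best-effort hardening that must not break package configuration. I would state that above the call: `## Best effort: the generator prints its own error to stderr; a failure must not abort package configuration.`. The surrounding postinst logic starts before this hunk.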
@@ -1,41 +1,39 @@
 #!/usr/bin/env bash
-set -euo pipefail
-shopt -s failglob
-
 ## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 ## This script enforces the maximum ASLR hardening settings for mmap, given the
 ## installed Linux config.
+set -euo pipefail
+shopt -s failglob
+
 ## Defaults in case Linux config detection fails. These are likely to work fine
 ## on x86_64, probably not elsewhere.
 BITS_MAX_DEFAULT=32
 COMPAT_BITS_MAX_DEFAULT=16
 ## Find the most recently modified Linux config file.
-if compgen -G "/boot/config-*" > /dev/null && CONFIG=$(ls -1 -t /boot/config-* | head -n 1)
-then
+if compgen -G "/boot/config-*" > /dev/null && CONFIG=$(ls -1 -t /boot/config-* | head -n 1) ; then
 ## Find the relevant config options.
- if ! BITS_MAX=$(grep -E '^CONFIG_ARCH_MMAP_RND_BITS_MAX=[0-9]+$' "${CONFIG}" | cut -d "=" -f 2)
- then
- echo "Error detecting CONFIG_ARCH_MMAP_RND_BITS_MAX"
+ if ! BITS_MAX=$(grep -E '^CONFIG_ARCH_MMAP_RND_BITS_MAX=[0-9]+$' "${CONFIG}" | cut -d "=" -f 2) ; then
+ echo "$0: ERROR: Error detecting CONFIG_ARCH_MMAP_RND_BITS_MAXQ Using built-in default." >&2
 BITS_MAX="${BITS_MAX_DEFAULT}"
 fi
- if ! COMPAT_BITS_MAX=$(grep -E '^CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=[0-9]+$' "${CONFIG}" | cut -d "=" -f 2)
- then
- echo "Error detecting CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX"
+ if ! COMPAT_BITS_MAX=$(grep -E '^CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=[0-9]+$' "${CONFIG}" | cut -d "=" -f 2) ; then
+ echo "$0: ERROR: Error detecting CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX! Using built-in default." >&2
 COMPAT_BITS_MAX="${COMPAT_BITS_MAX_DEFAULT}"
 fi
 else
- echo "Error detecting Linux config"
+ echo "$0: ERROR: Error detecting Linux config! Using built-in defaults." >&2
 BITS_MAX="${BITS_MAX_DEFAULT}"
 COMPAT_BITS_MAX="${COMPAT_BITS_MAX_DEFAULT}"
 fi
 ## Generate a sysctl.d conf file.
-SYSCTL="## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP
+SYSCTL="\
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 ## This file is automatically generated, do not edit!
@@ -45,9 +43,10 @@ vm.mmap_rnd_bits=${BITS_MAX}
 vm.mmap_rnd_compat_bits=${COMPAT_BITS_MAX}"
 ## Write the sysctl.d conf file.
-if ! echo "${SYSCTL}" | tee /etc/sysctl.d/30_security-misc_aslr-mmap.conf > /dev/null
-then
- echo "Error writing ASLR map config"
+if echo "${SYSCTL}" | tee /etc/sysctl.d/30_security-misc_aslr-mmap.conf > /dev/null ; then
+ exit 0
 fi
-exit 0
+echo "$0: ERROR: Error writing ASLR map config file '/etc/sysctl.d/30_security-misc_aslr-mmap.conf'!" >&2
+
+exit 1
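Review bot: The new error message for the BITS_MAX detection has a typo, `MAXQ Using built-in default.`, where its sibling two lines down reads `MAX! Using built-in default.`; the line should be `echo "$0: ERROR: Error detecting CONFIG_ARCH_MMAP_RND_BITS_MAX! Using built-in default." >&2`. On the reflowed `if` line, `ls -1 -t /boot/config-* | head -n 1` still selects the most recently modified config rather than the config of the kernel that is actually running or will boot next, so the maximum written to the sysctl file can come from a different kernel; if it exceeds what the booted kernel supports the setting would presumably be rejected and the ASLR hardening silently not applied (worth confirming against the kernel's range check for vm.mmap_rnd_bits). Preferring `CONFIG="/boot/config-$(uname -r)"` when that file exists, with the mtime-based pick as the fallback, would narrow that window. The built-in fallbacks `BITS_MAX_DEFAULT=32` and `COMPAT_BITS_MAX_DEFAULT=16` are documented as x86_64-only, so routing the warnings to stderr as the hunk does is the right call. The SYSCTL assignment that starts on the last lines of this hunk continues past its end.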
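Review bot: The rewritten write path repeats the literal `/etc/sysctl.d/30_security-misc_aslr-mmap.conf` in both the `tee` command and the new error message, so the two can drift apart, and `echo | tee ... > /dev/null` is an indirect way to write a file whose only purpose is discarding tee's stdout. A single variable and a plain redirect keep the check intact under `set -e`: `conf_file="/etc/sysctl.d/30_security-misc_aslr-mmap.conf"`, `if printf '%s\n' "${SYSCTL}" > "${conf_file}" ; then`, and `echo "$0: ERROR: Error writing ASLR map config file '${conf_file}'!" >&2`. Note that the script only generates the file; the hunk shows no `sysctl --system` or equivalent, so the new values take effect when sysctl.d is next processed, which is worth a one-line comment above the write if that is intended.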