minor mmap-rnd-bits improvements

debian/security-misc.postinst

@@ -58,7 +58,7 @@ you should fix running 'update-grub', otherwise your system might no longer \
 boot." >&2
 fi
 
-/usr/libexec/security-misc/mmap-rnd-bits
+/usr/libexec/security-misc/mmap-rnd-bits || true
 
 true "INFO: debhelper beginning here."
 

debian/security-misc.triggers

@@ -15,6 +15,10 @@ activate-noawait update-initramfs
 ## LKRG /usr/share/security-misc/lkrg/lkrg-virtualbox
 interest-noawait /usr/bin/vboxmanage
 
+## /usr/libexec/security-misc/mmap-rnd-bits
+## auto generates:
+## /etc/sysctl.d/30_security-misc_aslr-mmap.conf
+## sets:
 ## vm.mmap_rnd_bits
 interest-noawait /boot
 

usr/libexec/security-misc/mmap-rnd-bits

@@ -1,41 +1,39 @@
 #!/usr/bin/env bash
 
-set -euo pipefail
-shopt -s failglob
-
 ## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## This script enforces the maximum ASLR hardening settings for mmap, given the
 ## installed Linux config.
 
+set -euo pipefail
+shopt -s failglob
+
 ## Defaults in case Linux config detection fails. These are likely to work fine
 ## on x86_64, probably not elsewhere.
 BITS_MAX_DEFAULT=32
 COMPAT_BITS_MAX_DEFAULT=16
 
 ## Find the most recently modified Linux config file.
-if compgen -G "/boot/config-*" > /dev/null && CONFIG=$(ls -1 -t /boot/config-* | head -n 1)
+if compgen -G "/boot/config-*" > /dev/null && CONFIG=$(ls -1 -t /boot/config-* | head -n 1) ; then
-then
     ## Find the relevant config options.
-    if ! BITS_MAX=$(grep -E '^CONFIG_ARCH_MMAP_RND_BITS_MAX=[0-9]+$' "${CONFIG}" | cut -d "=" -f 2)
+    if ! BITS_MAX=$(grep -E '^CONFIG_ARCH_MMAP_RND_BITS_MAX=[0-9]+$' "${CONFIG}" | cut -d "=" -f 2) ; then
-    then
+        echo "$0: ERROR: Error detecting CONFIG_ARCH_MMAP_RND_BITS_MAXQ Using built-in default." >&2
-        echo "Error detecting CONFIG_ARCH_MMAP_RND_BITS_MAX"
         BITS_MAX="${BITS_MAX_DEFAULT}"
     fi
-    if ! COMPAT_BITS_MAX=$(grep -E '^CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=[0-9]+$' "${CONFIG}" | cut -d "=" -f 2)
+    if ! COMPAT_BITS_MAX=$(grep -E '^CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=[0-9]+$' "${CONFIG}" | cut -d "=" -f 2) ; then
-    then
+        echo "$0: ERROR: Error detecting CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX! Using built-in default." >&2
-        echo "Error detecting CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX"
         COMPAT_BITS_MAX="${COMPAT_BITS_MAX_DEFAULT}"
     fi
 else
-    echo "Error detecting Linux config"
+    echo "$0: ERROR: Error detecting Linux config! Using built-in defaults." >&2
     BITS_MAX="${BITS_MAX_DEFAULT}"
     COMPAT_BITS_MAX="${COMPAT_BITS_MAX_DEFAULT}"
 fi
 
 ## Generate a sysctl.d conf file.
-SYSCTL="## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+SYSCTL="\
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## This file is automatically generated, do not edit!
@@ -45,9 +43,10 @@ vm.mmap_rnd_bits=${BITS_MAX}
 vm.mmap_rnd_compat_bits=${COMPAT_BITS_MAX}"
 
 ## Write the sysctl.d conf file.
-if ! echo "${SYSCTL}" | tee /etc/sysctl.d/30_security-misc_aslr-mmap.conf > /dev/null
+if echo "${SYSCTL}" | tee /etc/sysctl.d/30_security-misc_aslr-mmap.conf > /dev/null ; then
-then
+   exit 0
-    echo "Error writing ASLR map config"
 fi
 
-exit 0
+echo "$0: ERROR: Error writing ASLR map config file '/etc/sysctl.d/30_security-misc_aslr-mmap.conf'!" >&2
+
+exit 1