pyrox.dev / nixpkgs
lol
fork atom

nixos/hardened: set mmap_min_addr

This is set in the hardened linux config as well but sysctl is more
flexible & works with any boot.kernelPackages

Joachim Fasting 2bce0b13 f84125c3

options
unified split
Changed files
+10
nixos
modules
profiles
hardened.nix
+10
nixos/modules/profiles/hardened.nix 
···

       
65

       
65

       
 

       
  # Note: mmap_rnd_compat_bits may not exist on 64bit.


     

       
66

       
66

       
 

       
  boot.kernel.sysctl."vm.mmap_rnd_bits" = mkDefault 32;


     

       
67

       
67

       
 

       
  boot.kernel.sysctl."vm.mmap_rnd_compat_bits" = mkDefault 16;


     

       

       
68

       
+

       



     

       

       
69

       
+

       
  # Allowing users to mmap() memory starting at virtual address 0 can turn a


     

       

       
70

       
+

       
  # NULL dereference bug in the kernel into code execution with elevated


     

       

       
71

       
+

       
  # privilege.  Mitigate by enforcing a minimum base addr beyond the NULL memory


     

       

       
72

       
+

       
  # space.  This breaks applications that require mapping the 0 page, such as


     

       

       
73

       
+

       
  # dosemu or running 16bit applications under wine.  It also breaks older


     

       

       
74

       
+

       
  # versions of qemu.


     

       

       
75

       
+

       
  #


     

       

       
76

       
+

       
  # The value is taken from the KSPP recommendations (Debian uses 4096).


     

       

       
77

       
+

       
  boot.kernel.sysctl."vm.mmap_min_addr" = mkDefault 65536;


     

       
68

       
78

       
 

       
}