nixos/hardened: set mmap_min_addr · pyrox.dev/nixpkgs@2bce0b1

pyrox.dev / nixpkgs

fork atom

lol

fork atom

nixos/hardened: set mmap_min_addr

This is set in the hardened linux config as well but sysctl is more
flexible & works with any boot.kernelPackages

Joachim Fasting 8 years ago 2bce0b13 f84125c3

+10

1 changed file

expand all

unified split

nixos

modules

profiles

hardened.nix

+10

nixos/modules/profiles/hardened.nix

··· 65 65 # Note: mmap_rnd_compat_bits may not exist on 64bit. 66 66 boot.kernel.sysctl."vm.mmap_rnd_bits" = mkDefault 32; 67 67 boot.kernel.sysctl."vm.mmap_rnd_compat_bits" = mkDefault 16; 68 + 69 + # Allowing users to mmap() memory starting at virtual address 0 can turn a 70 + # NULL dereference bug in the kernel into code execution with elevated 71 + # privilege. Mitigate by enforcing a minimum base addr beyond the NULL memory 72 + # space. This breaks applications that require mapping the 0 page, such as 73 + # dosemu or running 16bit applications under wine. It also breaks older 74 + # versions of qemu. 75 + # 76 + # The value is taken from the KSPP recommendations (Debian uses 4096). 77 + boot.kernel.sysctl."vm.mmap_min_addr" = mkDefault 65536; 68 78 }