Commit d41380e

Make sure vm.mmap_min_addr is 65536
Signed-off-by: Tommy <[email protected]>
1 parent e6fd450 commit d41380e

2 files changed: +4 -0 lines changed

etc/sysctl.d/99-server.conf

Lines changed: 2 additions & 0 deletions
@@ -113,8 +113,10 @@ net.ipv4.tcp_sack = 0
113113
net.ipv4.tcp_dsack = 0
114114

115115
# Improve ALSR effectiveness for mmap.
116+
# vm.mmap_min_addr = 65536 is the already the default in Fedora.
116117
vm.mmap_rnd_bits = 32
117118
vm.mmap_rnd_compat_bits = 16
119+
vm.mmap_min_addr = 65536
118120

119121
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
120122
# Restrict userfaultfd to CAP_SYS_PTRACE.
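
Review bot: the comment added at new line 116 is about vm.mmap_min_addr but sits directly above vm.mmap_rnd_bits, three lines away from the setting it describes at new line 119, so it reads as a remark on the randomization bits. Move it to immediately above `vm.mmap_min_addr = 65536`. The setting is also filed under the "Improve ALSR effectiveness for mmap" heading, which does not match what it does: mmap_min_addr sets the lowest virtual address a process may map, which limits exploitation of kernel NULL-pointer dereferences, and it is independent of mmap randomization. Give it its own one-line comment saying so, separated from the two mmap_rnd lines. While this block is being touched, "ALSR" in the heading should be "ASLR".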

etc/sysctl.d/99-workstation.conf

Lines changed: 2 additions & 0 deletions
@@ -114,8 +114,10 @@ net.ipv4.tcp_sack = 0
114114
net.ipv4.tcp_dsack = 0
115115

116116
# Improve ALSR effectiveness for mmap.
117+
# vm.mmap_min_addr = 65536 is the already the default in Fedora.
117118
vm.mmap_rnd_bits = 32
118119
vm.mmap_rnd_compat_bits = 16
120+
vm.mmap_min_addr = 65536
119121

120122
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
121123
# Restrict userfaultfd to CAP_SYS_PTRACE.
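
Review bot: the comment added at new line 117 says the value is already the Fedora default but not why the file sets it anyway, and it has a doubled article ("is the already the default"). If the intent is to pin the value, as the commit subject suggests, say that in the comment, for example "# Already the Fedora default; set explicitly so it stays at 65536.", and put it directly above `vm.mmap_min_addr = 65536` at new line 120 instead of above vm.mmap_rnd_bits. The wording and placement here are identical to 99-server.conf, so whatever is decided should be applied to both files together.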
