Increase mmap randomization to the maximum supported value (#11840) · Issues · tails / tails

Increase mmap randomization to the maximum supported value

Originally created by @cypherpunks on #11840 (Redmine)

There are now two sysctls which can be used to tweak the amount of randomization for mmap calls. The defaults are 28 bits for 64 bit binaries, and a mere 8 bits for 32 bit binaries. These can be increased to 32 bits and 16 bits, respectively, via the vm.mmap_rnd_bits and vm.mmap_rnd_compat_bits sysctls.

This change won’t cause any incompatibility issues. The only reason the default is lower than the maximum is to be very conservative to reduce address space fragmentation, which isn’t going to be an issue for Tails users.

More information about the sysctls:
https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1040995.html

Feature Branch: feature/11840-improve-aslr-for-mmap

Related issues

Related to #11886 (closed)
Blocks #13234 (closed)

Edited May 15, 2020 by cypherpunks

To upload designs, you'll need to enable LFS and have admin enable hashed storage. More information