set /proc/sys/vm/mmap_min_addr to 4096

This prohibits userland to mmap() page 0 and therefore mitigates
exploits that use NULL-pointer dereference vulnerabilities in the
kernel.

Introduce a sysctl puppet definition for this that can be used to set
other sysctl knobs as well.

Signed-off-by: Peter Palfrader <peter@palfrader.org>

diff --git a/modules/debian-org/manifests/init.pp b/modules/debian-org/manifests/init.pp
index 6777085c51f6f87e7f4e4d73774964500c070a8e..fb5540e69793d9ef3019f6889b9911c4402e59a4 100644 (file)
--- a/modules/debian-org/manifests/init.pp
+++ b/modules/debian-org/manifests/init.pp
@@ -1,3 +1,14 @@
+define sysctl($key, $value, $ensure=present) {
+    file { "/etc/sysctl.d/$name.conf":
+        ensure  => $ensure,
+        owner   => root,
+        group   => root,
+        mode    => 0644,
+        content => "$key = $value\n",
+        notify  => Exec["procps restart"],
+    }
+}
+
 class debian-org {
    package { "userdir-ldap": ensure => installed;
              "zsh": ensure => installed;
@@ -87,6 +98,13 @@ class debian-org {
         default: {}
    }
 
+   # set mmap_min_addr to 4096 to mitigate
+   # Linux NULL-pointer dereference exploits
+   sysctl { "mmap_min_addr" :
+             key         => "vm.mmap_min_addr",
+             value       => 4096,
+   }
+
    exec { "syslog-ng reload":
              path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
              refreshonly => true,
@@ -104,6 +122,10 @@ class debian-org {
              path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
              refreshonly => true,
    }
+   exec { "procps restart":
+             path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
+             refreshonly => true,
+   }
 }
 
 class debian-proliant inherits debian-org {