6.14.7.arch2-1: reduced ASLR entropy in CONFIG_ARCH_MMAP_RND_BITS/CONFIG_ARCH_MMAP_RND_COMPAT_BITS?
Notable changes in the latest config:
- CONFIG_USER_NS_UNPRIVILEGED=y
- CONFIG_ARCH_MMAP_RND_BITS=32
+ CONFIG_ARCH_MMAP_RND_BITS=28
- CONFIG_ARCH_MMAP_RND_COMPAT_BITS=16
+ CONFIG_ARCH_MMAP_RND_COMPAT_BITS=8
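Review bot: the two entropy changes (CONFIG_ARCH_MMAP_RND_BITS 32 to 28, CONFIG_ARCH_MMAP_RND_COMPAT_BITS 16 to 8) come with no rationale in the listed changes, and both move to a lower value. Suggest keeping 32/16, or recording the reason for 28/8 alongside the config change. The CONFIG_USER_NS_UNPRIVILEGED removal is unrelated to the RND_BITS lines and would be easier to review and revert as a separate change.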
For user namespaces this removes a huge attack surface. I didn't trace back when this was introduced, but good riddance.
Regarding ASLR, the config goes back to using 28/8 (upstream default values) instead of 32/16, the latter being the hardened setting many distributions use. As going back to 8 bits of entropy significantly weakens ASLR for 32-bit applications, I was wondering if there was a reason to go back to 8, besides sticking to defaults as much as possible?
Additional info:
- package version(s): 6.14.7.arch2-1
Edited by Christophe Schleypen
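
An added example, not part of the original report or of the Arch packaging: a shell function that checks a kernel config for the two options discussed above against the 32/16 values the report calls hardened. The function name, output format and sample configs are constructed for illustration.

```shell
#!/bin/sh
# Audit a kernel config (read from stdin) for the two mmap ASLR entropy options.
# Baselines are the 32/16 values the report above calls the hardened setting.
# Prints one line per option; returns 1 if any option is below baseline or absent.
audit_mmap_rnd() {
    cfg=$(cat)
    rc=0
    for pair in CONFIG_ARCH_MMAP_RND_BITS:32 CONFIG_ARCH_MMAP_RND_COMPAT_BITS:16; do
        key=${pair%%:*}
        want=${pair##*:}
        # Anchored match so RND_BITS does not also pick up RND_BITS_MAX or
        # RND_COMPAT_BITS; the last assignment wins, as in a merged config.
        got=$(printf '%s\n' "$cfg" | sed -n "s/^${key}=\([0-9][0-9]*\)\$/\1/p" | tail -n 1)
        if [ -z "$got" ]; then
            echo "$key MISSING hardened=$want"
            rc=1
        elif [ "$got" -lt "$want" ]; then
            lost=$((want - got))
            # Each lost bit halves the number of possible mmap base offsets.
            echo "$key=$got WEAK hardened=$want lost_bits=$lost fewer_offsets=$((1 << lost))x"
            rc=1
        else
            echo "$key=$got OK hardened=$want"
        fi
    done
    return $rc
}

# Constructed sample inputs reproducing the "before" and "after" values.
OLD_CFG='CONFIG_ARCH_MMAP_RND_BITS=32
CONFIG_ARCH_MMAP_RND_COMPAT_BITS=16'
NEW_CFG='CONFIG_ARCH_MMAP_RND_BITS_MAX=32
CONFIG_ARCH_MMAP_RND_BITS=28
CONFIG_ARCH_MMAP_RND_COMPAT_BITS=8'

printf '%s\n' "$NEW_CFG" | audit_mmap_rnd || true
# On a live system with /proc/config.gz: zcat /proc/config.gz | audit_mmap_rnd
# The values in effect at runtime are exposed in /proc/sys/vm/mmap_rnd_bits
# and /proc/sys/vm/mmap_rnd_compat_bits.
```

The compiled-in values are only the defaults: the `vm.mmap_rnd_bits` and `vm.mmap_rnd_compat_bits` sysctls can raise them at runtime up to the architecture maximum.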