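#!/bin/sh
##
# ryan macdonald
##
# The kernel tunable setting for minimum allowed user space address
# (/proc/sys/vm/mmap_min_addr) controls the amount of low virtual memory
# that is protected from userspace allocation. This script checks the
# current value and raises it to 4096 when it is lower, persisting the
# setting in /etc/sysctl.conf, in an effort to temporarily protect from
# current proof-of-concept code for the sock_sendpage() local root
# exploits (CVE-2009-2692). A value of 4096 or higher is left as is.
# ref: http://archives.neohapsis.com/archives/fulldisclosure/2009-08/0174.html
#
# This is a stop-gap, not a fix: mmap_min_addr only blocks the "map page
# zero" step the published exploits rely on. The kernel update that removes
# the NULL pointer dereference is the real remedy.
#
# NOTE(review): the final step of this script disables SELinux entirely.
# The reason is not stated; presumably SELinux policy of that era could let
# unconfined domains map low memory regardless of mmap_min_addr. Disabling
# SELinux removes far more protection than the exploit takes away. Prefer
# the policy boolean that restricts low-memory mapping (on RHEL 5 era policy
# this was allow_unconfined_mmap_low -- confirm for the target release) and
# keep SELinux enforcing. The step is retained here only to preserve the
# script's original behaviour, and it only takes effect at the next boot.
##

set -u

PROC_MMAP_MIN_ADDR=/proc/sys/vm/mmap_min_addr
SYSCTL_CONF=/etc/sysctl.conf
SELINUX_CONF=/etc/sysconfig/selinux
MIN_ADDR=4096

# Print a diagnostic on stderr so it is not mixed with progress output.
warn() {
  printf '%s\n' "$*" >&2
}

#######################################
# Raise vm.mmap_min_addr to MIN_ADDR when the running value is lower, and
# persist the setting in sysctl.conf if no active line sets it yet.
# Globals:   PROC_MMAP_MIN_ADDR, SYSCTL_CONF, MIN_ADDR (read)
# Arguments: none
# Outputs:   progress messages on stdout, diagnostics on stderr
# Returns:   0 on success or when nothing needs doing, 1 on failure
#######################################
harden_mmap_min_addr() {
  if [ ! -f "$PROC_MMAP_MIN_ADDR" ]; then
    echo "mmap_min_addr is not supported by running kernel"
    return 0
  fi

  current=$(cat "$PROC_MMAP_MIN_ADDR") || return 1
  # The file should hold a decimal integer; refuse anything else so that
  # "[" does not abort the whole script on unexpected content.
  case "$current" in
    ''|*[!0-9]*)
      warn "unexpected value in $PROC_MMAP_MIN_ADDR: '$current'"
      return 1
      ;;
  esac

  if [ "$current" -ge "$MIN_ADDR" ]; then
    echo "mmap_min_addr is greater than/equal to 4096, nothing done"
    return 0
  fi

  echo "mmap_min_addr is less than 4096, setting 4096"
  if ! echo "$MIN_ADDR" > "$PROC_MMAP_MIN_ADDR"; then
    warn "failed to write $PROC_MMAP_MIN_ADDR"
    return 1
  fi

  # Persist across reboots. Only an active (uncommented) vm.mmap_min_addr
  # line counts as "already configured"; if one exists it may still carry a
  # value below MIN_ADDR and would override this change at boot, so say so.
  if [ -f "$SYSCTL_CONF" ]; then
    if grep -q '^[[:space:]]*vm\.mmap_min_addr[[:space:]]*=' "$SYSCTL_CONF"; then
      warn "$SYSCTL_CONF already sets vm.mmap_min_addr; make sure it is >= $MIN_ADDR"
    else
      {
        echo ""
        echo "# set minimum user-space address"
        echo "vm.mmap_min_addr = $MIN_ADDR"
      } >> "$SYSCTL_CONF" || { warn "failed to update $SYSCTL_CONF"; return 1; }
      echo "appended vm.mmap_min_addr = 4096 to /etc/sysctl.conf"
    fi
  fi
  return 0
}

#######################################
# Rewrite SELINUX=permissive / SELINUX=enforcing to SELINUX=disabled in the
# SELinux config file. See the NOTE(review) in the header before using this.
# Globals:   SELINUX_CONF (read)
# Arguments: none
# Outputs:   progress message on stdout, warnings on stderr
# Returns:   0 if the file was edited or is absent, sed's status otherwise
#######################################
disable_selinux_config() {
  if [ ! -e "$SELINUX_CONF" ]; then
    warn "$SELINUX_CONF not found, SELinux config left untouched"
    return 0
  fi
  # On Red Hat style systems /etc/sysconfig/selinux is usually a symlink to
  # /etc/selinux/config. GNU "sed -i" replaces a symlink with a new regular
  # file, which would leave the real config unchanged and the edit silently
  # ineffective, so resolve the link and edit its target instead.
  # (readlink -f is GNU coreutils; fall back to the path as given.)
  target=$(readlink -f "$SELINUX_CONF") || target=$SELINUX_CONF
  echo "setting selinux modes permissive and enforcing to disabled"
  warn "WARNING: disabling SELinux removes its protection system-wide; a policy boolean restricting low-memory mapping is the narrower fix"
  sed -i -e 's/SELINUX=permissive/SELINUX=disabled/' \
         -e 's/SELINUX=enforcing/SELINUX=disabled/' "$target"
}

#######################################
# Entry point: both steps write to /proc and /etc, so require root up front
# instead of letting each write fail halfway through.
# Returns:   0 if both steps succeeded, 1 otherwise
#######################################
main() {
  if [ "$(id -u)" -ne 0 ]; then
    warn "this script must be run as root"
    exit 1
  fi
  rc=0
  harden_mmap_min_addr || rc=1
  disable_selinux_config || rc=1
  return "$rc"
}

main "$@"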