From cc28d51237d39fa5f7de57f836fe2a0cf46e6182 Mon Sep 17 00:00:00 2001
From: Emily
Date: Sat, 4 Apr 2020 22:52:42 +0100
Subject: [PATCH] nixos/hardened: don't set vm.mmap_min_addr

Upstreamed in anthraxx/linux-hardened@f1fe0a64dd532551b048d97b35473c25809f7a0f.
---
 nixos/modules/profiles/hardened.nix | 10 ----------
 1 file changed, 10 deletions(-)

diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
index 33b62589b99b..1747e962f025 100644
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@@ -82,16 +82,6 @@ with lib;
   # Disable bpf() JIT (to eliminate spray attacks)
   boot.kernel.sysctl."net.core.bpf_jit_enable" = mkDefault false;
 
-  # Allowing users to mmap() memory starting at virtual address 0 can turn a
-  # NULL dereference bug in the kernel into code execution with elevated
-  # privilege. Mitigate by enforcing a minimum base addr beyond the NULL memory
-  # space. This breaks applications that require mapping the 0 page, such as
-  # dosemu or running 16bit applications under wine. It also breaks older
-  # versions of qemu.
-  #
-  # The value is taken from the KSPP recommendations (Debian uses 4096).
-  boot.kernel.sysctl."vm.mmap_min_addr" = mkDefault 65536;
-
   # Disable ftrace debugging
   boot.kernel.sysctl."kernel.ftrace_enabled" = mkDefault false;