From c5f91eb33a2ad745af7a6278cf49419d0b366343 Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Sun, 2 Nov 2025 06:15:06 +0000
Subject: [PATCH] Add another method to disable 32-bit legacy vsyscalls

---
 README.md | 2 ++
 .../40_kernel_hardening.cfg#security-misc-shared | 2 ++
 .../990-security-misc.conf#security-misc-shared | 14 ++++++++++++++
 3 files changed, 18 insertions(+)

diff --git a/README.md b/README.md
index ee8d364..1501d26 100644
--- a/README.md
+++ b/README.md
@@ -60,6 +60,8 @@ configuration file and significant hardening is applied to a myriad of component
 - Disable asynchronous I/O as `io_uring` has been the source of numerous kernel
   exploits.
 
+- Disable 32-bit vDSO mappings as they are a legacy compatibility feature.
+
 #### User space
 
 - Disable the usage of `ptrace()` by all processes as it enables programs to inspect
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared
index 2eef877..9a5e983 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared
+++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared
@@ -186,6 +186,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100"
 ## KSPP=yes
 ## KSPP sets the kernel parameter and does not set CONFIG_COMPAT_VDSO.
 ##
+## See /usr/lib/sysctl.d/990-security-misc.conf for another additional implementation.
+##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
 
 ## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation.
diff --git a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared
index 78e5e5f..53bec74 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared
+++ b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared
@@ -20,6 +20,7 @@
 ## 5. Networking
 
 ## For detailed explanations of most of the selected commands, refer to:
+## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/abi.html
 ## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html
 ## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/fs.html
 ## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/net.html
@@ -230,6 +231,19 @@ dev.tty.legacy_tiocsti=0
 ##
 kernel.io_uring_disabled=2
 
+## Disable 32-bit Virtual Dynamic Shared Object (vDSO) mappings.
+## Legacy compatibility feature for superseded glibc versions.
+##
+## https://lore.kernel.org/lkml/20080409082927.BD59E26F992@magilla.localdomain/T/
+## https://lists.openwall.net/linux-kernel/2014/03/11/3
+##
+## KSPP=yes
+## KSPP sets the kernel parameter and does not set CONFIG_COMPAT_VDSO.
+##
+## See /etc/default/grub.d/40_kernel_hardening.cfg for another additional implementation.
+##
+abi.vsyscall32=0
+
 ## 2. User Space:
 ##
 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace
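Review bot: The new `abi.vsyscall32=0` line is, as far as I can tell, only a registered sysctl on x86-64 kernels built with 32-bit compat support, so on any other kernel this shared file is deployed to (other architectures, or an x86-64 build without IA-32 emulation) `sysctl --system` / systemd-sysctl will log it as an unknown key; unless the file already relies on a different convention for optional keys, the error-tolerant form `-abi.vsyscall32=0` keeps that noise out of the boot log while still applying where the key exists. The comment block should also state the relationship to the boot parameter rather than calling it "another additional implementation": both this sysctl and `vdso32=0` in 40_kernel_hardening.cfg appear to drive the same kernel toggle, with the sysctl taking effect only once sysctl.d is processed, so something like `## Same toggle as the vdso32=0 kernel parameter; kept here so the hardening also applies on systems that do not use the GRUB drop-in.` would tell a maintainer why two mechanisms exist and which one wins at early boot. The same redundant phrase is used in the matching comment added to the grub hunk.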