Merge c5f91eb33a into 9f85a78c99

README.md

@@ -60,6 +60,8 @@ configuration file and significant hardening is applied to a myriad of component
 
 - Disable asynchronous I/O as `io_uring` has been the source of numerous kernel exploits.
 
+- Disable 32-bit vDSO mappings as they are a legacy compatibility feature.
+
 #### User space
 
 - Disable the usage of `ptrace()` by all processes as it enables programs to inspect

etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared

@@ -186,6 +186,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100"
 ## KSPP=yes
 ## KSPP sets the kernel parameter and does not set CONFIG_COMPAT_VDSO.
 ##
+## See /usr/lib/sysctl.d/990-security-misc.conf for another additional implementation.
+##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
 
 ## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation.

usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared

@@ -20,6 +20,7 @@
 ## 5. Networking
 
 ## For detailed explanations of most of the selected commands, refer to:
+## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/abi.html
 ## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html
 ## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/fs.html
 ## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/net.html
@@ -232,6 +233,19 @@ dev.tty.legacy_tiocsti=0
 ##
 kernel.io_uring_disabled=2
 
+## Disable 32-bit Virtual Dynamic Shared Object (vDSO) mappings.
+## Legacy compatibility feature for superseded glibc versions.
+##
+## https://lore.kernel.org/lkml/20080409082927.BD59E26F992@magilla.localdomain/T/
+## https://lists.openwall.net/linux-kernel/2014/03/11/3
+##
+## KSPP=yes
+## KSPP sets the kernel parameter and does not set CONFIG_COMPAT_VDSO.
+##
+## See /etc/default/grub.d/40_kernel_hardening.cfg for another additional implementation.
+##
+abi.vsyscall32=0
+
 ## 2. User Space:
 ##
 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace