Merge remote-tracking branch 'raja/limit_full_force' into arraybolt3/trixie

README.md

@@ -253,6 +253,9 @@ Kernel space:
 - Prevent runaway privileged processes from writing to block devices that are mounted by
   filesystems to protect against filesystem corruption and kernel crashes.
 
+- Restrict processes from modifying their own memory mappings unless actively done via
+  `ptrace()` in order to limit self-modification which can trigger exploits.
+
 Direct memory access:
 
 - Enable strict IOMMU translation to protect against some DMA attacks via the use

etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared

@@ -273,6 +273,19 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX erst_disable"
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX bdev_allow_write_mounted=0"
 
+## Restrict processes from modifying their own memory mappings.
+## Prevents the use of FULL_FORCE by a processes unless via ptrace() for debugging.
+## Limit self-modification which can be used trigger race condition vulnerabilities.
+##
+## https://lore.kernel.org/lkml/20240712-vfs-procfs-ce7e6c7cf26b@brauner/
+## https://lwn.net/Articles/983169/
+## https://github.com/a13xp0p0v/kernel-hardening-checker/pull/201
+## https://github.com/Kicksecure/security-misc/issues/330
+##
+## Using "proc_mem.force_override=never" provides superior protection by never allowing overrides.
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX proc_mem.force_override=ptrace"
+
 ## 2. Direct Memory Access:
 ##
 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks