Provide option to disable 32 bit vDSO mappings

2024-10-01 08:25:45 -04:00 · 2024-08-03 00:13:38 +10:00 · 2024-08-03 00:13:38 +10:00 · 52aeacb4da
commit 52aeacb4da
parent 9099ecce8a
2 changed files with 10 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -145,6 +145,8 @@ configuration file.
  safety error detector which can identify heap out-of-bounds access, use-after-free,
  and invalid-free errors.

+- Provide the option to disable 32 bit vDSO mappings.
+
 - Provide the option to use kCFI as the default CFI implementation since it may be
  slightly more resilient to attacks that are able to write arbitrary executables
  in memory (when using Linux kernel version >= 6.2).
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@ -122,6 +122,14 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 ##
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100"

+## Disable x86 Virtual Dynamic Shared Object (vDSO) mappings.
+##
+## https://en.wikipedia.org/wiki/VDSO
+##
+## The use of 32 bit vDSO mappings is currently enabled.
+##
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
+
 ## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation.
 ## The default implementation is FIneIBT as of Linux kernel 6.2.
 ## The Intel-developed IBT (Indirect Branch Tracking) is only used if supported by the CPU.