Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2024-10-01 08:25:45 -04:00
Code Issues Packages Projects Releases Wiki Activity

Enable vdso32=0

Browse Source
This commit is contained in:
Raja Grewal 2024-08-05 15:10:02 +10:00
parent fa9091869d
commit 8559079312
No known key found for this signature in database
GPG Key ID: 92CA473C156B64C4
2 changed files with 6 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@ -151,7 +151,7 @@ configuration file.
safety error detector which can identify heap out-of-bounds access, use-after-free,
and invalid-free errors.
- Provide the option to disable 32 bit vDSO mappings.
- Disable 32-bit vDSO mappings as they are a legacy compatibility feature.
- Provide the option to use kCFI as the default CFI implementation since it may be
slightly more resilient to attacks that are able to write arbitrary executables

10
etc/default/grub.d/40_kernel_hardening.cfg
View File

@ -136,13 +136,13 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100"
## Disable x86 Virtual Dynamic Shared Object (vDSO) mappings.
## Disable 32-bit Virtual Dynamic Shared Object (vDSO) mappings.
## Legacy compatibility feature for superseded glibc versions.
##
## https://en.wikipedia.org/wiki/VDSO
## https://lore.kernel.org/lkml/20080409082927.BD59E26F992@magilla.localdomain/T/
## https://lists.openwall.net/linux-kernel/2014/03/11/3
##
## The use of 32 bit vDSO mappings is currently enabled.
##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation.
## The default implementation is FIneIBT as of Linux kernel 6.2.