Add another method to disable 32-bit legacy vsyscalls

raja-grewal 2025-11-02 06:15:06 +00:00 committed by GitHub
parent 5a6730450a
commit c5f91eb33a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 18 additions and 0 deletions

View file

@ -60,6 +60,8 @@ configuration file and significant hardening is applied to a myriad of component
- Disable asynchronous I/O as `io_uring` has been the source of numerous kernel exploits.
- Disable 32-bit vDSO mappings as they are a legacy compatibility feature.
#### User space
- Disable the usage of `ptrace()` by all processes as it enables programs to inspect
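Review bot: The io_uring bullet at the top of this hunk overstates what the setting does: `kernel.io_uring_disabled=2` (the sysctl this README describes) turns off io_uring only, not asynchronous I/O in general, since the older `io_submit()`-based AIO interface is untouched. Suggest "Disable `io_uring` as it has been the source of numerous kernel exploits." The vDSO bullet could likewise say that the switch applies to 32-bit compatibility on x86_64 kernels, which is the only place `vdso32=` / `abi.vsyscall32` exists, so readers on other architectures do not expect it to do anything.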

View file

@ -186,6 +186,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100"
## KSPP=yes
## KSPP sets the kernel parameter and does not set CONFIG_COMPAT_VDSO.
##
## See /usr/lib/sysctl.d/990-security-misc.conf for another additional implementation.
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation.
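Review bot: "another additional implementation" in the new comment is redundant, and it hides that the sysctl file sets at runtime the same switch that `vdso32=0` sets at boot. Suggest `## See /usr/lib/sysctl.d/990-security-misc.conf for the equivalent sysctl (abi.vsyscall32=0).` It is also worth one line noting that the later-applied sysctl value is the one that ends up in effect, so the two files must be kept in agreement rather than treated as independent.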

View file

@ -20,6 +20,7 @@
## 5. Networking
## For detailed explanations of most of the selected commands, refer to:
## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/abi.html
## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html
## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/fs.html
## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/net.html
@ -230,6 +231,19 @@ dev.tty.legacy_tiocsti=0
##
kernel.io_uring_disabled=2
## Disable 32-bit Virtual Dynamic Shared Object (vDSO) mappings.
## Legacy compatibility feature for superseded glibc versions.
##
## https://lore.kernel.org/lkml/20080409082927.BD59E26F992@magilla.localdomain/T/
## https://lists.openwall.net/linux-kernel/2014/03/11/3
##
## KSPP=yes
## KSPP sets the kernel parameter and does not set CONFIG_COMPAT_VDSO.
##
## See /etc/default/grub.d/40_kernel_hardening.cfg for another additional implementation.
##
abi.vsyscall32=0
## 2. User Space:
##
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace
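Review bot: `abi.vsyscall32` only exists on x86_64 kernels built with 32-bit compatibility support, so on any other architecture (or a kernel without it) systemd-sysctl / `sysctl --system` will log a failure for this key when the file is applied. Unless every supported target is x86_64, prefix the key with a minus sign, which sysctl.d(5) documents as "set it, but ignore failure": `-abi.vsyscall32=0`. Two smaller points: the comment says "Disable 32-bit Virtual Dynamic Shared Object (vDSO) mappings" while the commit title and the key name say vsyscall32, so pick one term and, as the grub file does, name the counterpart setting (`vdso32=0`) explicitly; and the setting only affects processes started after it is applied, which is fine for a boot-time sysctl.d file but means applying it by hand does not change already-running 32-bit processes.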