From 52aeacb4da4a8458b0ffdc1ade4094a178def6f4 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sat, 3 Aug 2024 00:13:38 +1000 Subject: [PATCH] Provide option to disable 32 bit vDSO mappings --- README.md | 2 ++ etc/default/grub.d/40_kernel_hardening.cfg | 8 ++++++++ 2 files changed, 10 insertions(+) diff --git a/README.md b/README.md index b23f852..457fe0e 100644 --- a/README.md +++ b/README.md @@ -145,6 +145,8 @@ configuration file. safety error detector which can identify heap out-of-bounds access, use-after-free, and invalid-free errors. +- Provide the option to disable 32 bit vDSO mappings. + - Provide the option to use kCFI as the default CFI implementation since it may be slightly more resilient to attacks that are able to write arbitrary executables in memory (when using Linux kernel version >= 6.2). diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 390f75b..d34f0ca 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -122,6 +122,14 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100" +## Disable x86 Virtual Dynamic Shared Object (vDSO) mappings. +## +## https://en.wikipedia.org/wiki/VDSO +## +## The use of 32 bit vDSO mappings is currently enabled. +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" + ## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation. ## The default implementation is FIneIBT as of Linux kernel 6.2. ## The Intel-developed IBT (Indirect Branch Tracking) is only used if supported by the CPU.
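Review bot: The new README.md bullet, "Provide the option to disable 32 bit vDSO mappings.", gives no reason or trade-off, while the kCFI bullet directly after it explains why a user might opt in. Add a short clause saying what disabling the mappings is meant to gain and what it may affect, and state that the option is off by default, since the matching line in 40_kernel_hardening.cfg is commented out. Minor style point: "32-bit" is the usual spelling for the compound adjective.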
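Review bot: In the 40_kernel_hardening.cfg hunk, the comment heading "Disable x86 Virtual Dynamic Shared Object (vDSO) mappings." is broader than the parameter it documents: `vdso32=0` only controls the 32 bit vDSO, as the commit subject and the README entry both say. Suggest rewording it to "Disable 32 bit x86 vDSO mappings." so nobody assumes the 64 bit vDSO is affected. "The use of 32 bit vDSO mappings is currently enabled." is also ambiguous (the kernel default, or this package's state?); something like "Not enabled by default; uncomment the line below to disable 32 bit vDSO mappings." would be clearer. The block also gives no security rationale or compatibility note, and the only reference is a general Wikipedia article, so a pointer to the kernel's own documentation of the parameter would help anyone deciding whether to uncomment it.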