mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-07-14 01:42:01 +07:00
Code Issues Packages Projects Releases Wiki Activity

Provide option to disable 32 bit vDSO mappings

Browse Source
This commit is contained in:
Raja Grewal
2024-08-03 00:13:38 +10:00
parent 9099ecce8a
commit 52aeacb4da
2 changed files with 10 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@ -145,6 +145,8 @@ configuration file.
safety error detector which can identify heap out-of-bounds access, use-after-free, safety error detector which can identify heap out-of-bounds access, use-after-free,
and invalid-free errors. and invalid-free errors.
- Provide the option to disable 32 bit vDSO mappings.
- Provide the option to use kCFI as the default CFI implementation since it may be - Provide the option to use kCFI as the default CFI implementation since it may be
slightly more resilient to attacks that are able to write arbitrary executables slightly more resilient to attacks that are able to write arbitrary executables
in memory (when using Linux kernel version >= 6.2). in memory (when using Linux kernel version >= 6.2).

8
etc/default/grub.d/40_kernel_hardening.cfg
View File

@ -122,6 +122,14 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
## ##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100" #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100"
## Disable x86 Virtual Dynamic Shared Object (vDSO) mappings.
##
## https://en.wikipedia.org/wiki/VDSO
##
## The use of 32 bit vDSO mappings is currently enabled.
##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation. ## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation.
## The default implementation is FIneIBT as of Linux kernel 6.2. ## The default implementation is FIneIBT as of Linux kernel 6.2.
## The Intel-developed IBT (Indirect Branch Tracking) is only used if supported by the CPU. ## The Intel-developed IBT (Indirect Branch Tracking) is only used if supported by the CPU.