Merge pull request #260 from raja-grewal/vdso32

Enable `vdso32=0`
2025-03-15 04:15:09 +07:00 · 2024-08-06 09:55:20 -04:00 · 2024-08-06 09:55:20 -04:00 · a25aaf900a
commit a25aaf900a
parent 6bc039a430 8559079312
2 changed files with 6 additions and 6 deletions
--- a/README.md
+++ b/README.md
@ -149,7 +149,7 @@ configuration file.
 - Enable the kernel Electric-Fence sampling-based memory safety error detector
  which can identify heap out-of-bounds access, use-after-free, and invalid-free errors.

- Provide the option to disable 32 bit vDSO mappings.
+- Disable 32-bit vDSO mappings as they are a legacy compatibility feature.

 - Provide the option to use kCFI as the default CFI implementation since it may be
  slightly more resilient to attacks that are able to write arbitrary executables
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@ -134,13 +134,13 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100"

-## Disable x86 Virtual Dynamic Shared Object (vDSO) mappings.
+## Disable 32-bit Virtual Dynamic Shared Object (vDSO) mappings.
+## Legacy compatibility feature for superseded glibc versions.
 ##
-## https://en.wikipedia.org/wiki/VDSO
+## https://lore.kernel.org/lkml/20080409082927.BD59E26F992@magilla.localdomain/T/
+## https://lists.openwall.net/linux-kernel/2014/03/11/3
 ##
-## The use of 32 bit vDSO mappings is currently enabled.
-##
-#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"

 ## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation.
 ## The default implementation is FIneIBT as of Linux kernel 6.2.