* Hellosway Here via devel: > Add `slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 > pti=on randomize_kstack_offset=on vsyscall=none ` as default kernel > command line arguments. This can help prevent local exploits by making > it harder to exploit the kernel. I do not think there will be any > breakage, I have been using these for a long time. The performance > impact is minimal, a few of these can improve performance. > > This can help increase the security of Fedora, while also not causing > any other problems.
vsyscall=none is an x86-64 userspace ABI break. It may stop some userspace exploit techniques, but it does nothing to prevent kernel exploits. I have a proposal to disable vsyscall without impacting userspace ABI. Thanks, Florian _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
