nixos/hardened profile: disable legacy virtual syscalls

This eliminates a theoretical risk of ASLR bypass due to the fixed address mapping used by the legacy vsyscall mechanism. Modern glibc use vdso(7) instead so there is no loss of functionality, but some programs may fail to run in this configuration. Programs that fail to run because vsyscall has been disabled will be logged to dmesg. For background on virtual syscalls see https://lwn.net/Articles/446528/ Closes #25289
NixOS · Apr 29, 2017 · 6343353 · 6343353
1 parent f1c7d5a
commit 6343353
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
@@ -10,6 +10,11 @@ with lib;
 
   security.apparmor.enable = mkDefault true;
 
+  boot.kernelParams = [
+    # Disable legacy virtual syscalls
+    "vsyscall=none"
+  ];
+
   # Restrict ptrace() usage to processes with a pre-defined relationship
   # (e.g., parent/child)
   boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1;