- What happens if we add "vsyscall=none" to the kernel command line for hardening?
- The kernel documentation states that setting vsyscall to none might break the system. What actually breaks with "vsyscall=none"?
vsyscall= [X86-64]
    Controls the behavior of vsyscalls (i.e. calls to fixed addresses of 0xffffffffff600x00 from legacy code). Most statically-linked binaries and older versions of glibc use these calls. Because these functions are at fixed addresses, they make nice targets for exploits that can control RIP.

    emulate [default] Vsyscalls turn into traps and are emulated reasonably safely.

    native Vsyscalls are native syscall instructions. This is a little bit faster than trapping and makes a few dynamic recompilers work better than they would in emulation mode. It also makes exploits much easier to write.

    none Vsyscalls don't work at all. This makes them quite hard to use for exploits but might break your system.
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 8
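To see which of the modes quoted above a host is configured for, the following check parses a kernel command line for `vsyscall=` and looks for the `[vsyscall]` entry in text in the format of /proc/<pid>/maps. It is an added example, not part of the original article or any Red Hat tooling; the function names and sample data are constructed, and it assumes that the last valid `vsyscall=` value wins and that a kernel running with vsyscall=none no longer lists the page in the maps output.

```shell
#!/bin/sh
# Added example: report the vsyscall mode a kernel command line selects and
# whether the legacy [vsyscall] page shows up in a process memory map.

# Print the effective mode for a command-line string.
# Assumption: the last valid vsyscall= value wins, unknown values are ignored,
# and the default is "emulate" as in the documentation quoted above.
vsyscall_mode() (
    set -f                              # do not glob-expand cmdline words
    mode=emulate
    for arg in $1; do
        case "$arg" in
            vsyscall=emulate|vsyscall=native|vsyscall=none) mode=${arg#vsyscall=} ;;
        esac
    done
    printf '%s\n' "$mode"
)

# Succeed if the given maps text lists a [vsyscall] region.
vsyscall_mapped() {
    printf '%s\n' "$1" | grep -q '\[vsyscall\]$'
}

# Combine both checks into a one-line verdict.
vsyscall_audit() {
    m=$(vsyscall_mode "$1")
    if vsyscall_mapped "$2"; then mapped=yes; else mapped=no; fi
    case "$m:$mapped" in
        none:no)  echo "OK mode=none mapped=no" ;;
        # Assumption: with vsyscall=none the page should not be listed.
        none:yes) echo "REVIEW mode=none mapped=yes" ;;
        native:*) echo "WEAK mode=native mapped=$mapped" ;;
        *)        echo "DEFAULT mode=emulate mapped=$mapped" ;;
    esac
}

# Constructed sample input (not captured from a real host).
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz-example root=/dev/mapper/rootvg-root ro quiet vsyscall=none'
SAMPLE_MAPS_HARDENED='7ffd1c5e2000-7ffd1c5e4000 r-xp 00000000 00:00 0                  [vdso]'
SAMPLE_MAPS_LEGACY="$SAMPLE_MAPS_HARDENED
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]"

vsyscall_audit "$SAMPLE_CMDLINE" "$SAMPLE_MAPS_HARDENED"
vsyscall_audit "quiet" "$SAMPLE_MAPS_LEGACY"
```

On a live system, pass `"$(cat /proc/cmdline)"` and `"$(cat /proc/self/maps)"` as the two arguments to `vsyscall_audit`.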