Open rusty-snake opened 3 weeks ago
glitsj16
commented
3 weeks ago @rusty-snake
On the gist you mention [...]
Do you have any insights on whether setting kernel parameter ia32_emulation=0 can help in this context?
rusty-snake
commented
3 weeks ago Yes.
To be precise, disabling ia32 emulation, be it in Kconfig, as boot parameter or with a seccomp filter (systemd can set a system-wide filter for that) on a x86-64 system leaves only x86-64 and x32 (different ABIs, same architecture) which implement shmat as syscall.
In general you should disable/restrict such ugly/scary emulation features. And OT, while my fedora hardening script(s) are (still) not ready, https://github.com/a13xp0p0v/kernel-hardening-checker it a great tool to check your Kconfig, cmdline and sysctls. But do not blindly apply everything from it and stay in front of a brick.
See https://gist.github.com/rusty-snake/481ad71892fb587a6056326686e55bf7
https://codeberg.org/crabjail/crablock/src/commit/d6dae786b0227fe1b97355412beee3aa46559522/src/modules/seccomp.rs#L643-L647