A change proposal has been filed to mitigate additional kernel vulnerabilities/attacks via additional kernel tuning by default.
The new change proposal includes enabling the kernel.kptr_restrict, kernel.yama.ptrace_scope, and net.core.bpf_jit_harden knobs by default.
The kernel.kptr_restrict sysctl option restricts kernel pointers from being exposed to unprivileged users so it’s harder for attackers to determine the kernel memory layout. By default the kptr_restrict behavior is just for hashing kernel addresses before being displayed but not fully concealing the memory addresses.
Meanwhile the net.core.bpf_jit_harden sysctl setting provides BPF JIT hardening for unprivileged users around JIT spraying attacks.
The third option is kernel.yama.ptrace_scope for restricting the ptrace scope for better securing the Linux process interfaces around tracing. As part of the ptrace_scope enhancement, the change proposal looks to obsolete the elfutils-default-yama-scope package that can accidentally be installed and disables the otherwise default ptrace_scope protection.
The change proposal argues the benefits:
“Increased security / additional security layer with regards to attacks/vulnerabilities related to ptrace, kptr_restrict and bpf_jit. These might mitigate some risks that inexperienced or incautious users may accidentally introduce to their systems themselves (to some extent “social vulnerabilities/causes”), and also mitigate vulnerabilities in our own packages.”
More details for those interested via the change proposal that still needs to be voted on by the Fedora Engineering and Steering Committee (FESCo). This proposal is being considered for next year’s Fedora 44 release and not the upcoming Fedora 43 release.
