Overview of Grsecurity/PaX security features and their implementations in mainline and linux-hardened

All logging, compatibility and access control (RBAC) features are excluded.

Implemented in mainline:

  • GRKERNSEC_IO - CONFIG_SECURITY_LOCKDOWN_LSM
  • GRKERNSEC_KMEM - CONFIG_SECURITY_LOCKDOWN_LSM (plus CONFIG_STRICT_DEVMEM/CONFIG_IO_STRICT_DEVMEM for /dev/mem)
  • GRKERNSEC_BPF_HARDEN - net.core.bpf_jit_harden (=1 hardens unprivileged JIT output only, =2 hardens it for all users)
  • GRKERNSEC_KSTACKOVERFLOW - CONFIG_VMAP_STACK
  • GRKERNSEC_HIDESYM - kernel.kptr_restrict
  • GRKERNSEC_RANDSTRUCT - CONFIG_GCC_PLUGIN_RANDSTRUCT
  • GRKERNSEC_LINK - fs.protected_{hardlinks,symlinks}
  • GRKERNSEC_FIFO - fs.protected_{fifos,regular}
  • GRKERNSEC_DMESG - CONFIG_SECURITY_DMESG_RESTRICT/kernel.dmesg_restrict
  • GRKERNSEC_HARDEN_PTRACE - kernel.yama.ptrace_scope
  • GRKERNSEC_PROC_{USER,USERGROUP,GID} - hidepid= (and gid= for the exempt group) mount options on /proc
  • PAX_MEMORY_STACKLEAK - CONFIG_GCC_PLUGIN_STACKLEAK
  • PAX_MEMORY_STRUCTLEAK - CONFIG_GCC_PLUGIN_STRUCTLEAK
  • PAX_MEMORY_UDEREF - SMAP - Requires hardware support; unlike SMEP, mainline has no PTI-based emulation for older CPUs, although PTI could in principle be extended to emulate SMAP
  • PAX_REFCOUNT - refcount_t
  • PAX_USERCOPY - CONFIG_HARDENED_USERCOPY
  • PAX_LATENT_ENTROPY - CONFIG_GCC_PLUGIN_LATENT_ENTROPY
  • Linked-list hardening (no Kconfig option) - CONFIG_DEBUG_LIST
  • Freelist hardening (no Kconfig option) - CONFIG_SLAB_FREELIST_HARDENED
  • Usermode helper restrictions (no Kconfig option) - CONFIG_STATIC_USERMODEHELPER

Partially implemented in mainline:

  • GRKERNSEC_PERF_HARDEN - kernel.perf_event_paranoid=2 - Only blocks unprivileged kernel profiling and raw tracepoint/CPU access; unprivileged user-space-only perf events are still allowed
  • GRKERNSEC_KERN_LOCKOUT - CONFIG_PANIC_ON_OOPS/kernel.panic_on_oops - Mainline either just kills the offending process (default) or panics the whole kernel (panic_on_oops=1); it never bans the offending user from further execution or login the way KERN_LOCKOUT does
  • PAX_ASLR - kernel.randomize_va_space - Mainline's user-space ASLR has comparatively little entropy; linux-hardened raises it, but neither has an equivalent of PAX_RANDKSTACK (per-syscall randomisation of the kernel stack), of which CONFIG_RANDOMIZE_KSTACK_OFFSET (mainline 5.13 and later) is only a partial counterpart
  • PAX_MEMORY_SANITIZE - CONFIG_INIT_ON_FREE_DEFAULT_ON - Doesn't extend to slab caches with constructors
  • PAX_KERNEXEC - CONFIG_STRICT_{KERNEL,MODULE}_RWX and SMEP/PTI (PTI emulates SMEP for older hardware) - Doesn't cover as much as KERNEXEC (linux-hardened covers a bit more), no CONSTIFY

Implemented in linux-hardened:

  • GRKERNSEC_PERF_HARDEN - CONFIG_SECURITY_PERF_EVENTS_RESTRICT/kernel.perf_event_paranoid=3 (blocks all unprivileged perf_event_open)
  • GRKERNSEC_DEVICE_SIDECHANNEL - kernel.device_sidechannel_restrict
  • GRKERNSEC_HARDEN_TTY - CONFIG_SECURITY_TIOCSTI_RESTRICT/kernel.tiocsti_restrict (mainline 6.2 and later has CONFIG_LEGACY_TIOCSTI/dev.tty.legacy_tiocsti, which disables TIOCSTI entirely rather than restricting it by capability)
  • GRKERNSEC_DENYUSB - kernel.deny_new_usb
  • GRKERNSEC_NO_SIMULT_CONNECT - CONFIG_TCP_SIMULT_CONNECT_DEFAULT_ON/net.ipv4.tcp_simult_connect
  • PAX_MEMORY_SANITIZE - Improves init_on_free
  • Restricting creation of user namespaces to root (no Kconfig option in grsecurity) - CONFIG_USER_NS_UNPRIVILEGED/kernel.unprivileged_userns_clone
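As an added example, not part of the gist and not code from grsecurity or linux-hardened, the following POSIX sh script audits a running kernel against the mainline equivalents in the lists above and reports the linux-hardened-only sysctls where they exist. The sysctl and Kconfig names are the ones listed above (using the canonical spellings net.core.bpf_jit_harden and kernel.perf_event_paranoid); the thresholds, the config file fallbacks (/proc/config.gz, /boot/config-$(uname -r)) and the SYSCTL_ROOT/KCONFIG_FILE overrides are my own choices.

```shell
#!/bin/sh
# Added example (not from the gist): audit a running kernel against the
# mainline and linux-hardened equivalents of the grsecurity/PaX features.
# Sysctls are read from $SYSCTL_ROOT (default /proc/sys); the kernel config
# from $KCONFIG_FILE, /proc/config.gz or /boot/config-$(uname -r). Both can be
# overridden, so the checks can also run against a constructed tree.

SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# sysctl_ok NAME WANT: 0 if the sysctl meets WANT (a minimum, or "=N" for an
# exact value), 1 if it does not, 2 if the sysctl does not exist on this kernel.
sysctl_ok() {
    file="$SYSCTL_ROOT/$(printf '%s' "$1" | tr . /)"
    [ -r "$file" ] || return 2
    read -r val < "$file" || return 2
    case "$val" in ''|*[!0-9]*) return 2 ;; esac
    case "$2" in
        =*) [ "$val" -eq "${2#=}" ] ;;
        *)  [ "$val" -ge "$2" ] ;;
    esac
}

# kconfig_cat: print the running kernel's .config, or return 2 if none is found.
kconfig_cat() {
    if [ -n "${KCONFIG_FILE:-}" ]; then cat "$KCONFIG_FILE"
    elif [ -r /proc/config.gz ]; then zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then cat "/boot/config-$(uname -r)"
    else return 2
    fi
}

# kconfig_ok OPTION VALUE: 0 if "OPTION=VALUE" is set, 1 if not, 2 if no config.
kconfig_ok() {
    kconfig_cat >/dev/null 2>&1 || return 2
    kconfig_cat 2>/dev/null | grep -q "^$1=$2\$"
}

# audit: evaluate every row of the table below and fill AUDIT_PASS/AUDIT_FAILS/
# AUDIT_NA. Rows marked "hardened" are linux-hardened-only sysctls and count as
# N/A rather than as a failure when the kernel does not have them at all.
audit() {
    AUDIT_PASS=0; AUDIT_FAILS=0; AUDIT_NA=0
    while read -r kind key want label; do
        case "$kind" in
            sysctl|hardened) sysctl_ok "$key" "$want"; rc=$? ;;
            kconfig)         kconfig_ok "$key" "$want"; rc=$? ;;
            *)               continue ;;
        esac
        if [ "$rc" -eq 0 ]; then
            state=PASS; AUDIT_PASS=$((AUDIT_PASS + 1))
        elif [ "$rc" -eq 2 ] && [ "$kind" = hardened ]; then
            state=N/A; AUDIT_NA=$((AUDIT_NA + 1))
        elif [ "$rc" -eq 2 ]; then
            state=MISSING; AUDIT_FAILS=$((AUDIT_FAILS + 1))
        else
            state=FAIL; AUDIT_FAILS=$((AUDIT_FAILS + 1))
        fi
        printf '%-8s %-32s %s\n' "$state" "$key" "$label"
    done <<'EOF'
sysctl   kernel.kptr_restrict            1  GRKERNSEC_HIDESYM
sysctl   kernel.dmesg_restrict           1  GRKERNSEC_DMESG
sysctl   kernel.yama.ptrace_scope        1  GRKERNSEC_HARDEN_PTRACE
sysctl   kernel.perf_event_paranoid      2  GRKERNSEC_PERF_HARDEN (partial; 3 on linux-hardened)
sysctl   kernel.randomize_va_space       2  PAX_ASLR (partial)
sysctl   net.core.bpf_jit_harden         2  GRKERNSEC_BPF_HARDEN
sysctl   fs.protected_hardlinks          1  GRKERNSEC_LINK
sysctl   fs.protected_symlinks           1  GRKERNSEC_LINK
sysctl   fs.protected_fifos              2  GRKERNSEC_FIFO
sysctl   fs.protected_regular            2  GRKERNSEC_FIFO
kconfig  CONFIG_VMAP_STACK               y  GRKERNSEC_KSTACKOVERFLOW
kconfig  CONFIG_HARDENED_USERCOPY        y  PAX_USERCOPY
kconfig  CONFIG_SLAB_FREELIST_HARDENED   y  freelist hardening
kconfig  CONFIG_DEBUG_LIST               y  linked-list hardening
kconfig  CONFIG_STRICT_KERNEL_RWX        y  PAX_KERNEXEC (partial)
kconfig  CONFIG_SECURITY_LOCKDOWN_LSM    y  GRKERNSEC_IO / GRKERNSEC_KMEM
kconfig  CONFIG_GCC_PLUGIN_STACKLEAK     y  PAX_MEMORY_STACKLEAK
kconfig  CONFIG_INIT_ON_FREE_DEFAULT_ON  y  PAX_MEMORY_SANITIZE (partial)
hardened kernel.tiocsti_restrict         1  GRKERNSEC_HARDEN_TTY
hardened kernel.deny_new_usb             1  GRKERNSEC_DENYUSB
hardened kernel.device_sidechannel_restrict 1 GRKERNSEC_DEVICE_SIDECHANNEL
hardened net.ipv4.tcp_simult_connect     =0 GRKERNSEC_NO_SIMULT_CONNECT
EOF
    [ "$AUDIT_FAILS" -eq 0 ]
}

# Run against the live system when executed directly.
if audit; then
    printf '\nall %d checks passed (%d N/A)\n' "$AUDIT_PASS" "$AUDIT_NA"
else
    printf '\n%d passed, %d failed or missing, %d N/A\n' "$AUDIT_PASS" "$AUDIT_FAILS" "$AUDIT_NA"
fi
```

Kconfig-only items (VMAP_STACK, the GCC plugins, freelist and list hardening) are checked through the build config because they have no runtime knob; a MISSING result for a sysctl therefore means the kernel predates or was built without that feature, while FAIL means it exists but is set below the threshold. Run with `SYSCTL_ROOT`/`KCONFIG_FILE` pointed at a copied tree to audit an offline image.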

To be implemented in linux-hardened:

  • GRKERNSEC_MODHARDEN - CONFIG_SECURITY_MODHARDEN/kernel.modharden
  • GRKERNSEC_SYSFS_RESTRICT - CONFIG_SECURITY_SYSFS_RESTRICT/fs.sysfs_restrict
  • GRKERNSEC_TPE - CONFIG_SECURITY_TPE/fs.tpe
  • GRKERNSEC_ROFS - fs.romount_protect
  • GRKERNSEC_HARDEN_IPC - CONFIG_SECURITY_HARDEN_IPC/kernel.harden_ipc

Not implemented but unneeded:

  • GRKERNSEC_CHROOT - chroot is not a security boundary; namespace- and seccomp-based sandboxes are far better alternatives
  • GRKERNSEC_SETXID - Glibc emulates this feature but it might be useful for other libcs
  • GRKERNSEC_BLACKHOLE - Most people are using netfilter
  • GRKERNSEC_PTRACE_READEXEC - kernel.yama.ptrace_scope >=2 (ptrace restricted to CAP_SYS_PTRACE) removes the problem

Not (fully) implemented but fixed with MAC:

  • GRKERNSEC_SYSFS_RESTRICT - Fine-grained /sys restrictions
  • GRKERNSEC_PROC_ADD - Fine-grained /proc restrictions
  • GRKERNSEC_ROFS - Fine-grained /dev and mount restrictions
  • PAX_MPROTECT - SELinux execmem

Needed:
