All logging, compatibility and access control (RBAC) features are excluded.
| grsecurity / PaX feature | Mainline or linux-hardened equivalent | Notes |
|---|---|---|
| GRKERNSEC_IO | CONFIG_SECURITY_LOCKDOWN_LSM | |
| GRKERNSEC_KMEM | CONFIG_SECURITY_LOCKDOWN_LSM | |
| GRKERNSEC_BPF_HARDEN | net.core.bpf_jit_harden | |
| GRKERNSEC_KSTACKOVERFLOW | CONFIG_VMAP_STACK | |
| GRKERNSEC_HIDESYM | kernel.kptr_restrict | |
| GRKERNSEC_RANDSTRUCT | CONFIG_GCC_PLUGIN_RANDSTRUCT | |
| GRKERNSEC_LINK | fs.protected_{hardlinks,symlinks} | |
| GRKERNSEC_FIFO | fs.protected_{fifos,regular} | |
| GRKERNSEC_DMESG | CONFIG_SECURITY_DMESG_RESTRICT / kernel.dmesg_restrict | |
| GRKERNSEC_HARDEN_PTRACE | kernel.yama.ptrace_scope | |
| GRKERNSEC_PROC_{USER,USERGROUP,GID} | hidepid (procfs mount option) | |
| PAX_MEMORY_STACKLEAK | CONFIG_GCC_PLUGIN_STACKLEAK | |
| PAX_MEMORY_STRUCTLEAK | CONFIG_GCC_PLUGIN_STRUCTLEAK | |
| PAX_MEMORY_UDEREF | SMAP | Requires hardware support, but in the future PTI may emulate SMAP |
| PAX_REFCOUNT | refcount_t | |
| PAX_USERCOPY | CONFIG_HARDENED_USERCOPY | |
| PAX_LATENT_ENTROPY | CONFIG_GCC_PLUGIN_LATENT_ENTROPY | |
| Linked-list hardening (no Kconfig option) | CONFIG_DEBUG_LIST | |
| Freelist hardening (no Kconfig option) | CONFIG_SLAB_FREELIST_HARDENED | |
| Usermode helper restrictions (no Kconfig option) | CONFIG_STATIC_USERMODEHELPER | |

| grsecurity / PaX feature | Mainline equivalent (partial) | Notes |
|---|---|---|
| GRKERNSEC_PERF_HARDEN | kernel.perf_event_paranoid=2 | Doesn't restrict all perf event use |
| GRKERNSEC_KERN_LOCKOUT | CONFIG_PANIC_ON_OOPS / kernel.panic_on_oops | Only terminates the offending process and doesn't lock out users |
| PAX_ASLR | kernel.randomize_va_space | Mainline has an extremely weak ASLR implementation, but linux-hardened improves it; lacks RANDKSTACK (see below) |
| PAX_MEMORY_SANITIZE | CONFIG_INIT_ON_FREE_DEFAULT_ON | Doesn't extend to slab caches with constructors |
| PAX_KERNEXEC | CONFIG_STRICT_{KERNEL,MODULE}_RWX and SMEP/PTI (PTI emulates SMEP for older hardware) | Doesn't cover as much as KERNEXEC (linux-hardened covers a bit more); no CONSTIFY |

| grsecurity / PaX feature | linux-hardened equivalent | Notes |
|---|---|---|
| GRKERNSEC_PERF_HARDEN | CONFIG_SECURITY_PERF_EVENTS_RESTRICT / kernel.perf_event_paranoid=3 | |
| GRKERNSEC_DEVICE_SIDECHANNEL | kernel.device_sidechannel_restrict | |
| GRKERNSEC_HARDEN_TTY | CONFIG_SECURITY_TIOCSTI_RESTRICT / kernel.tiocsti_restrict | |
| GRKERNSEC_DENYUSB | kernel.deny_new_usb | |
| GRKERNSEC_NO_SIMULT_CONNECT | CONFIG_TCP_SIMULT_CONNECT_DEFAULT_ON / net.ipv4.tcp_simult_connect | |
| PAX_MEMORY_SANITIZE | | Improves init_on_free |
| Restricting creation of user namespaces to root (no Kconfig option) | CONFIG_USER_NS_UNPRIVILEGED | |
| GRKERNSEC_MODHARDEN | CONFIG_SECURITY_MODHARDEN / kernel.modharden | |
| GRKERNSEC_SYSFS_RESTRICT | CONFIG_SECURITY_SYSFS_RESTRICT / fs.sysfs_restrict | |
| GRKERNSEC_TPE | CONFIG_SECURITY_TPE / fs.tpe | |
| GRKERNSEC_ROFS | fs.romount_protect | |
| GRKERNSEC_HARDEN_IPC | CONFIG_SECURITY_HARDEN_IPC / kernel.harden_ipc | |

| grsecurity / PaX feature | Equivalent | Notes |
|---|---|---|
| GRKERNSEC_CHROOT | | There are far better sandbox alternatives |
| GRKERNSEC_SETXID | | Glibc emulates this feature, but it might be useful for other libcs |
| GRKERNSEC_BLACKHOLE | | Most people are using netfilter |
| GRKERNSEC_PTRACE_READEXEC | kernel.yama.ptrace_scope | A value >=2 fixes this |
| GRKERNSEC_SYSFS_RESTRICT | | Fine-grained /sys restrictions |
| GRKERNSEC_PROC_ADD | | Fine-grained /proc restrictions |
| GRKERNSEC_ROFS | | Fine-grained /dev and mount restrictions |
| PAX_MPROTECT | | SELinux execmem |
| GRKERNSEC_RAND_THREADSTACK | | GCC has -fstack-clash-protection, but it's rarely used |

| grsecurity / PaX feature | Equivalent | Notes |
|---|---|---|
| GRKERNSEC_PROC_MEMMAP | | |
| GRKERNSEC_SYMLINKOWN | | |
| GRKERNSEC_SOCKET | | |
| GRKERNSEC_BRUTE | | |

| grsecurity / PaX feature | Equivalent | Notes |
|---|---|---|
| PAX_MPROTECT | | S.A.R.A. LSM sent upstream |
| PAX_CONSTIFY_PLUGIN | | |
| PAX_SIZE_OVERFLOW | | |
| PAX_RAP | | Could use Clang Control-Flow Integrity and ShadowCallStack (ARM64 only) instead once upstream |
| PAX_RANDKSTACK | CONFIG_RANDOMIZE_KSTACK_OFFSET | Sent upstream |
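The mainline column above turned into an audit, as an added example that is my own and not code from the comparison page or from linux-hardened: it reads each sysctl equivalent from the files under /proc/sys and each Kconfig equivalent from the kernel config file, and reports what is unset or weaker than the table names. The minimum values, the default paths (/proc/sys and /boot/config-$(uname -r), both overridable) and the decision to leave out hidepid (a procfs mount option, not a sysctl) are my assumptions.

```shell
# Added audit helper, not part of the comparison page: checks the mainline sysctl and
# Kconfig equivalents listed above. Sysctls are read from files under $1 (default
# /proc/sys); the Kconfig file is given as $1 to audit_kconfig. Return codes are counts.
# Prints OK/WEAK/MISSING per sysctl equivalent; returns the number that are not OK.
audit_sysctls() {
  root="${1:-/proc/sys}"; bad=0
  # columns: grsecurity feature, sysctl path under $root, minimum value (my assumption)
  while read -r feat path min; do
    f="$root/$path"
    if [ ! -r "$f" ]; then
      printf 'MISSING %-24s %s\n' "$feat" "$path"; bad=$((bad + 1)); continue
    fi
    val=$(cat "$f")
    if [ "$val" -ge "$min" ] 2>/dev/null; then
      printf 'OK      %-24s %s=%s\n' "$feat" "$path" "$val"
    else
      printf 'WEAK    %-24s %s=%s (want >=%s)\n' "$feat" "$path" "$val" "$min"; bad=$((bad + 1))
    fi
  done <<EOF
GRKERNSEC_BPF_HARDEN net/core/bpf_jit_harden 2
GRKERNSEC_HIDESYM kernel/kptr_restrict 1
GRKERNSEC_LINK fs/protected_hardlinks 1
GRKERNSEC_LINK fs/protected_symlinks 1
GRKERNSEC_FIFO fs/protected_fifos 1
GRKERNSEC_FIFO fs/protected_regular 1
GRKERNSEC_DMESG kernel/dmesg_restrict 1
GRKERNSEC_HARDEN_PTRACE kernel/yama/ptrace_scope 1
GRKERNSEC_PERF_HARDEN kernel/perf_event_paranoid 2
GRKERNSEC_KERN_LOCKOUT kernel/panic_on_oops 1
PAX_ASLR kernel/randomize_va_space 2
EOF
  return "$bad"
}

# Prints each Kconfig equivalent from the table that is not =y in $1; returns the count.
audit_kconfig() {
  cfg="$1"; bad=0
  [ -r "$cfg" ] || { echo "cannot read $cfg"; return 1; }
  for opt in CONFIG_SECURITY_LOCKDOWN_LSM CONFIG_VMAP_STACK CONFIG_GCC_PLUGIN_RANDSTRUCT \
      CONFIG_SECURITY_DMESG_RESTRICT CONFIG_GCC_PLUGIN_STACKLEAK CONFIG_GCC_PLUGIN_STRUCTLEAK \
      CONFIG_HARDENED_USERCOPY CONFIG_GCC_PLUGIN_LATENT_ENTROPY CONFIG_DEBUG_LIST \
      CONFIG_SLAB_FREELIST_HARDENED CONFIG_STATIC_USERMODEHELPER CONFIG_STRICT_KERNEL_RWX \
      CONFIG_STRICT_MODULE_RWX CONFIG_INIT_ON_FREE_DEFAULT_ON CONFIG_PANIC_ON_OOPS; do
    grep -q "^$opt=y" "$cfg" || { printf 'MISSING %s\n' "$opt"; bad=$((bad + 1)); }
  done
  return "$bad"
}

audit_sysctls "${SYSCTL_ROOT:-/proc/sys}" || echo "$? sysctl setting(s) need attention"
audit_kconfig "${KCONFIG:-/boot/config-$(uname -r)}" || echo "$? Kconfig option(s) missing"
```

Run it as root on the target; set SYSCTL_ROOT or KCONFIG to point the two checks at a copied sysctl tree or a config file from another kernel.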