Overview of Grsecurity/PaX security features and their implementations in mainline and linux-hardened

Grsecurity overview.md

All logging, compatibility and access control (RBAC) features are excluded.

Implemented in mainline:

• GRKERNSEC_IO - CONFIG_SECURITY_LOCKDOWN_LSM
• GRKERNSEC_KMEM - CONFIG_SECURITY_LOCKDOWN_LSM
• GRKERNSEC_BPF_HARDEN - kernel.bpf_jit_harden
• GRKERNSEC_KSTACKOVERFLOW - CONFIG_VMAP_STACK
• GRKERNSEC_HIDESYM - kernel.kptr_restrict
• GRKERNSEC_RANDSTRUCT - CONFIG_GCC_PLUGIN_RANDSTRUCT
• GRKERNSEC_LINK - fs.protected_{hardlinks,symlinks}
• GRKERNSEC_FIFO - fs.protected_{fifos,regular}
• GRKERNSEC_DMESG - CONFIG_SECURITY_DMESG_RESTRICT/kernel.dmesg_restrict
• GRKERNSEC_HARDEN_PTRACE - kernel.yama.ptrace_scope
• GRKERNSEC_PROC_{USER,USERGROUP,GID} - hidepid
• PAX_MEMORY_STACKLEAK - CONFIG_GCC_PLUGIN_STACKLEAK
• PAX_MEMORY_STRUCTLEAK - CONFIG_GCC_PLUGIN_STRUCTLEAK
• PAX_MEMORY_UDEREF - SMAP - Requires hardware support but in the future, PTI may emulate SMAP
• PAX_REFCOUNT - refcount_t
• PAX_USERCOPY - CONFIG_HARDENED_USERCOPY
• PAX_LATENT_ENTROPY - CONFIG_GCC_PLUGIN_LATENT_ENTROPY
• Linked-list hardening (no Kconfig option) - CONFIG_DEBUG_LIST
• Freelist hardening (no Kconfig option) - CONFIG_SLAB_FREELIST_HARDENED
• Usermode helper restrictions (no Kconfig option) - CONFIG_STATIC_USERMODEHELPER

Partially implemented in mainline:

• GRKERNSEC_PERF_HARDEN - kernel.perf_events_paranoid=2 - Doesn't restrict all perf event use
• GRKERNSEC_KERN_LOCKOUT - CONFIG_PANIC_ON_OOPS/kernel.panic_on_oops - Only terminates the offending process and doesn't lock out users
• PAX_ASLR - kernel.randomize_va_space - Mainline has an extremely weak ASLR implementation but linux-hardened improves it, lacking RANDKSTACK (see below)
• PAX_MEMORY_SANITIZE - CONFIG_INIT_ON_FREE_DEFAULT_ON - Doesn't extend to slab caches with constructors
• PAX_KERNEXEC - CONFIG_STRICT_{KERNEL,MODULE}_RWX and SMEP/PTI (PTI emulates SMEP for older hardware) - Doesn't cover as much as KERNEXEC (linux-hardened covers a bit more), no CONSTIFY

Implemented in linux-hardened:

• GRKERNSEC_PERF_HARDEN - CONFIG_SECURITY_PERF_EVENTS_RESTRICT/kernel.perf_events_paranoid=3
• GRKERNSEC_DEVICE_SIDECHANNEL - kernel.device_sidechannel_restrict
• GRKERNSEC_HARDEN_TTY - CONFIG_SECURITY_TIOCSTI_RESTRICT/kernel.tiocsti_restrict
• GRKERNSEC_DENYUSB - kernel.deny_new_usb
• GRKERNSEC_NO_SIMULT_CONNECT - CONFIG_TCP_SIMULT_CONNECT_DEFAULT_ON/net.ipv4.tcp_simult_connect
• PAX_MEMORY_SANITIZE - Improves init_on_free
• Restricting creation of user namespaces to root (no Kconfig option) - CONFIG_USER_NS_UNPRIVILEGED

To be implemented in linux-hardened:

• GRKERNSEC_MODHARDEN - CONFIG_SECURITY_MODHARDEN/kernel.modharden
• GRKERNSEC_SYSFS_RESTRICT - CONFIG_SECURITY_SYSFS_RESTRICT/fs.sysfs_restrict
• GRKERNSEC_TPE - CONFIG_SECURITY_TPE/fs.tpe
• GRKERNSEC_ROFS - fs.romount_protect
• GRKERNSEC_HARDEN_IPC - CONFIG_SECURITY_HARDEN_IPC/kernel.harden_ipc

Not implemented but unneeded:

• GRKERNSEC_CHROOT - There are far better sandbox alternatives
• GRKERNSEC_SETXID - Glibc emulates this feature but it might be useful for other libcs
• GRKERNSEC_BLACKHOLE - Most people are using netfilter
• GRKERNSEC_PTRACE_READEXEC - kernel.yama.ptrace_scope >=2 fixes this

Not (fully) implemented but fixed with MAC:

• GRKERNSEC_SYSFS_RESTRICT - Fine-grained /sys restrictions
• GRKERNSEC_PROC_ADD - Fine-grained /proc restrictions
• GRKERNSEC_ROFS - Fine-grained /dev and mount restrictions
• PAX_MPROTECT - SELinux execmem

Needed:

• GRKERNSEC_RAND_THREADSTACK - GCC has -fstack-clash-protection but it's rarely used
• GRKERNSEC_PROC_MEMMAP
• GRKERNSEC_SYMLINKOWN
• GRKERNSEC_SOCKET
• GRKERNSEC_BRUTE
• PAX_MPROTECT - S.A.R.A. LSM sent upstream
• PAX_CONSTIFY_PLUGIN
• PAX_SIZE_OVERFLOW
• PAX_RAP - Could use Clang Control-Flow Integrity and ShadowCallStack (ARM64 only) instead once upstream
• PAX_RANDKSTACK - CONFIG_RANDOMIZE_KSTACK_OFFSET sent upstream