Home
Daniel Micay edited this page May 12, 2017 · 36 revisions
Note: early stub content moved from the Gentoo wiki, and does not yet reflect the project's goals or consensus. It's just brainstorming and isn't official documentation yet. Even the first sentence below is from before multiple people were involved and a repository existed. The code already contradicts it since it isn't just PaX / grsecurity features and will be doing a lot more of that. The default branch and tags are distinct from any upstreaming effort. That will be in topic branches, like the current fortify branch and the dozen tiny things that landed in upstream trees already. See https://github.com/thestinger/linux-hardened for something official, not this yet.
The Hardened Kernel Project is seeking to merge Grsecurity/PaX features into the upstream kernel.
This community project does not have leaders per se. We are here to facilitate communication between different parties working on security features for the upstream Linux kernel.
Contributor | Nickname | Role | Contact |
---|---|---|---|
Matt Brown | nmatt | Project Lead | matt at nmatt.com |
r3g3x | r3g3x | Developer | |
Kees Cook | kees | KSPP/Upstream Liaison, Developer | keescook at chromium.org |
Daniel Micay | strcat / thestinger | CopperheadOS project lead, Arch Linux linux-hardened package maintainer (previously linux-grsec/linux-grsec-lts/gradm/paxd) | [email protected] |
- Grsecurity is no longer providing public patches to the community.
- Recognizing the issues that security-centric configurations can cause for end users, we hope to bridge the gap between hardened configurations and the needs of the average user so that all may benefit.
Our goals are:
- Encourage and facilitate open source development of security features for the Linux kernel.
- Track progress of development work.
- Maintain a set of patches for security features that have not yet been merged into mainline.
- Remain distribution agnostic. We want to focus on patches that affect Linux directly.
- Work with the KSPP.
All are welcome!
- We need all the help we can get. Think you're lacking the skills? Feel like there's nothing you could do with your current skillset? Let us prove you wrong!
- Grsecurity archive: https://github.com/nmatt0/grsec-archive
- Grsecurity documentation: https://en.wikibooks.org/wiki/Grsecurity
- New to kernel development?: http://kernelnewbies.org/
- Kernel-hardening mailing list: http://www.openwall.com/lists/kernel-hardening/
Want to contribute to the project? Here is how to get started.
We do not have our own IRC channel or mailing list. However, we hang out and communicate in the following ways:
- Main IRC channel: ##linux-hardened (note the double #) on irc.freenode.net
- Relevant IRC channels:
  - #pax on irc.oftc.net
  - #gentoo-hardened on irc.freenode.net
  - #droidsec on irc.freenode.net
We welcome the following help:
- Testing
  - Grab the most recent patch and tell us if it works or not: https://github.com/thestinger/linux-hardened/releases
- Feature merges
  - We are currently working on adding features to our out-of-tree patchset. Talk to one of us and let us know if there is a feature you want to work on.
- Upstreaming
  - The long-term goal is to get all security features from this project into the Linux kernel itself.
Description | Link | HKP Repo |
---|---|---|
Basic set of hardening patches for mainline | https://github.com/thestinger/linux-hardened | Yes |
Hardened Kernel Project Patches | https://github.com/thestinger/linux-hardened/releases | Yes |
Unofficial forward ports of the last publicly available grsecurity patch | https://github.com/minipli/linux-unofficial_grsec/tree/linux-4.9.x-unofficial_grsec | No |
Porting grsecurity features:
grsecurity kernel config | Mainline kernel config | Upstream | Notes | Point of Contact |
---|---|---|---|---|
CONFIG_PAX_KERNEXEC | n/a | Upstream __ro_after_init does a tiny piece of PaX __read_only. Upstream constification and __read_only making slow progress (https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/log/?h=kspp/write-rarely). Other KERNEXEC pieces still in need of scoping. Requires CONFIG_PAX_CONSTIFY_PLUGIN. | ||
CONFIG_PAX_MEMORY_SANITIZE | CONFIG_CMDLINE="slub_debug=P" (bad idea! see rest), CONFIG_PAGE_POISONING, CONFIG_PAGE_POISONING_NO_SANITY (unless more security but less performance is wanted), CONFIG_PAGE_POISONING_ZERO | |||
CONFIG_PAX_MEMORY_UDEREF (x86, x86_64, ARMv7) | CONFIG_CPU_SW_DOMAIN_PAN (ARMv7), CONFIG_ARM64_SW_TTBR0_PAN (ARMv8.0), CONFIG_ARM64_PAN (ARMv8.1+) | |||
CONFIG_PAX_MPROTECT | ||||
CONFIG_PAX_PAGEEXEC | ||||
CONFIG_PAX_RANDKSTACK (x86/x86_64 only) | ||||
CONFIG_PAX_REFCOUNT | n/a | Current upstream refcount_t work is not protecting atomic_t, so won't be as comprehensive in the near-term. | ||
CONFIG_PAX_USERCOPY | CONFIG_HARDENED_USERCOPY | Missing: slab whitelisting via slab cache useroffset / usersize ranges, and GFP_USERCOPY kmalloc segregation. | ||
CONFIG_GRKERNSEC_BRUTE | https://lkml.org/lkml/2014/12/24/306 | |||
CONFIG_GRKERNSEC_DMESG | CONFIG_SECURITY_DMESG_RESTRICT | |||
CONFIG_GRKERNSEC_HARDEN_PTRACE | CONFIG_SECURITY_YAMA (stackable with other LSMs) | sysctl: kernel.yama.ptrace_scope, set to 1 (scope) by default, and can also disable unprivileged (2) or all usage (3) | ||
CONFIG_GRKERNSEC_HARDEN_TTY | CONFIG_SECURITY_TIOCSTI_RESTRICT | http://www.openwall.com/lists/kernel-hardening/2017/04/25/3 https://github.com/nmatt0/linux-hardened/commit/f6fd55fe4b25c59a7a436ac00de826541adce7cf | ||
CONFIG_GRKERNSEC_HIDESYM | Needs integration with CONFIG_HARDENED_USERCOPY and stronger %p restrictions | |||
CONFIG_GRKERNSEC_KSTACKOVERFLOW (x86_64 only) | CONFIG_VMAP_STACK (x86_64 only) | |||
CONFIG_GRKERNSEC_LINK | n/a | sysctl: fs.protected_hardlinks, fs.protected_symlinks | ||
CONFIG_GRKERNSEC_MODHARDEN | https://lkml.org/lkml/2017/4/19/1086 | |||
CONFIG_GRKERNSEC_PROC, CONFIG_GRKERNSEC_PROC_USER, CONFIG_GRKERNSEC_PROC_USERGROUP, CONFIG_GRKERNSEC_PROC_GID | n/a | mount option for procfs: "hidepid=2,gid=100" (substitute 100 with the gid of the proc group) | ||
CONFIG_GRKERNSEC_PROC_ADD | ||||
grsecurity slub freelist random XOR mangling (no configuration option) | ||||
grsecurity list manipulation checking (no configuration option) | CONFIG_DEBUG_LIST, CONFIG_BUG_ON_DATA_CORRUPTION | |||
CONFIG_GCC_PLUGINS | CONFIG_GCC_PLUGINS | GCC plugin support is a prerequisite for CONFIG_PAX_LATENT_ENTROPY, CONFIG_PAX_STRUCTLEAK, CONFIG_GRKERNSEC_RANDSTRUCT, CONFIG_PAX_MEMORY_STACKLEAK, CONFIG_PAX_KERNEXEC, and CONFIG_PAX_RAP. | ||
CONFIG_PAX_CONSTIFY_PLUGIN | CONFIG_GCC_PLUGIN_CONSTIFY | https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/log/?h=kspp/write-rarely | ||
CONFIG_PAX_LATENT_ENTROPY | CONFIG_GCC_PLUGIN_LATENT_ENTROPY | Needs https://patchwork.kernel.org/patch/9143023/ | ||
CONFIG_PAX_MEMORY_STACKLEAK (x86 only) | ||||
CONFIG_PAX_RAP (x86_64 only) | Requires extensive fixes to kernel function prototypes. | |||
CONFIG_PAX_STRUCTLEAK | CONFIG_GCC_PLUGIN_STRUCTLEAK | |||
CONFIG_GRKERNSEC_RANDSTRUCT | CONFIG_GCC_PLUGIN_RANDSTRUCT | https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/log/?h=kspp/gcc-plugin/randstruct-next-20170418 | ||
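As an added example (not the project's own tooling), the script below audits a kernel .config, the live sysctls and the procfs mount against the mainline counterparts named in the table above. The option list, the sysctl thresholds (ptrace_scope at least 1, protected links set to 1) and the embedded sample .config fragment are assumptions drawn from the table, not from any real kernel.

```shell
#!/bin/sh
# Added example, not project code: audit a kernel .config, live sysctls and the
# procfs mount against the mainline counterparts in the porting table above.
# Usage: sh hkp-audit.sh /boot/config-$(uname -r)
MAINLINE_OPTS="CONFIG_HARDENED_USERCOPY CONFIG_SECURITY_DMESG_RESTRICT
CONFIG_SECURITY_YAMA CONFIG_VMAP_STACK CONFIG_PAGE_POISONING CONFIG_DEBUG_LIST
CONFIG_BUG_ON_DATA_CORRUPTION CONFIG_GCC_PLUGINS CONFIG_GCC_PLUGIN_LATENT_ENTROPY
CONFIG_GCC_PLUGIN_STRUCTLEAK CONFIG_GCC_PLUGIN_RANDSTRUCT"
# Print set / unset / missing for one bool option ($1 .config file, $2 option name)
config_state() {
    if grep -q "^$2=y" "$1"; then echo set
    elif grep -q "^# $2 is not set" "$1"; then echo unset
    else echo missing; fi
}
# Count how many of MAINLINE_OPTS are enabled in a .config file
count_enabled() {
    n=0
    for opt in $MAINLINE_OPTS; do
        [ "$(config_state "$1" "$opt")" = set ] && n=$((n + 1))
    done
    echo "$n"
}
# Sysctl settings from the table: ptrace_scope >= 1, fs.protected_*links = 1
sysctl_ok() {
    case "$1" in
        kernel.yama.ptrace_scope) [ "$2" -ge 1 ] 2>/dev/null ;;
        fs.protected_hardlinks|fs.protected_symlinks) [ "$2" -eq 1 ] 2>/dev/null ;;
        *) return 2 ;;  # sysctl not covered by the table
    esac
}
# Does one /proc/mounts line show procfs mounted with the table's hidepid=2?
proc_hidepid_ok() { echo "$1" | grep -q '^proc /proc proc .*hidepid=2'; }
# Constructed sample .config fragment for an offline self-check (not a real config)
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_HARDENED_USERCOPY=y
# CONFIG_SECURITY_DMESG_RESTRICT is not set
CONFIG_SECURITY_YAMA=y
CONFIG_GCC_PLUGINS=y
EOF
}
main() {
    echo "$(count_enabled "$1")/$(echo $MAINLINE_OPTS | wc -w) table options enabled in $1"
    for s in kernel.yama.ptrace_scope fs.protected_hardlinks fs.protected_symlinks; do
        v=$(sysctl -n "$s" 2>/dev/null)
        sysctl_ok "$s" "$v" && echo "ok   $s=$v" || echo "WEAK $s=$v"
    done
    proc_hidepid_ok "$(grep '^proc /proc ' /proc/mounts)" && echo "ok   hidepid=2" || echo "WEAK /proc lacks hidepid=2"
}
if [ $# -gt 0 ]; then main "$@"; fi
```

Options reported as "missing" are absent from the .config entirely, which usually means the kernel predates that feature or the architecture does not offer it, and is a different finding from "unset".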