Table of Contents
Kernel-hardening project
The project consists of extracting security hardening changes from various patches (which the mentor will point out), forward-porting them to the latest mainstream kernels, making it easy to enable/disable the hardening measures (both compile- and runtime), adding documentation, properly submitting to and work with LKML (make proposals and own discussions to completion: either rejection or acceptance).
This may optionally involve work with other kernel branches and other upstreams as well (OpenVZ, Red Hat, Ubuntu).
Features from -ow patch (Linux 2.0-2.4)
BINFMT_ELF_AOUT
Status: sent upstream.
Discussion:
http://www.openwall.com/lists/kernel-hardening/2011/07/30/1
Attempt:
http://www.openwall.com/lists/kernel-hardening/2011/08/08/1
Relevant upstream patch:
HARDEN_STACK
Status: pending.
Discussion:
http://www.openwall.com/lists/kernel-hardening/2011/07/18/8
The patch itself (not ready for inclusing, see the link above):
HARDEN_VM86
HARDEN_PAGE0
Status: done (merged in 2.6.x).
Quoting Solar:
“Historically, I introduced it into 2.4.x-ow before there was mmap_min_addr, then when mainline went with mmap_min_addr and it got into upstream 2.4.x kernels, I dropped my code and made the HARDEN_PAGE0 option merely change the default for mmap_min_addr (it was 0 in 2.4.x by default, IIRC). Now that the default has also changed upstream, there's no need for this option anymore.”
HARDEN_LINK / HARDEN_FIFO
Status: pending.
Work by Kees Cook:
http://marc.info/?l=linux-security-module&m=130023775422255&w=2
http://www.openwall.com/lists/kernel-hardening/2012/01/07/1 (symlink restrictions on sticky directories)
http://www.openwall.com/lists/kernel-hardening/2012/02/21/20 (hardlink creation restrictions)
HARDEN_PROC
Status: done (merged in Linux 3.3).
Attempts:
http://www.openwall.com/lists/kernel-hardening/2011/06/12/5
http://www.openwall.com/lists/kernel-hardening/2011/06/12/12
http://www.openwall.com/lists/kernel-hardening/2011/06/15/1
http://www.openwall.com/lists/kernel-hardening/2011/06/15/19
http://www.openwall.com/lists/kernel-hardening/2011/08/10/12 (fine granted)
HARDEN_RLIMIT_NPROC
Status: done (merged into Linux 3.1)
Attempt:
http://www.openwall.com/lists/kernel-hardening/2011/06/12/9
http://www.openwall.com/lists/kernel-hardening/2011/07/29/3
http://www.openwall.com/lists/kernel-hardening/2011/08/08/2
It got positive Linus' reaction:
HARDEN_SHM
Status: done (merged into Linux 3.1)
Attempt:
ASCII-Armor (base address for libraries)
Status: pending.
Discussion:
http://www.openwall.com/lists/kernel-hardening/2011/07/23/6
The patch:
http://www.openwall.com/lists/kernel-hardening/2011/07/30/2
Attempt:
Special handling of 0,1,2 fds for setuid binaries
Status: done (implemented in glibc loader).
Discussion:
Privileged IP aliases
Status: not needed.
It was considered redundant.
Discussion:
Features from GRSecurity
MODHARDEN
KMEM / IO / ROFS
SOCKET / SOCKET_SERVER
PROC / SYSFS_RESTRICT
Status: WIP.
Discussion:
http://www.openwall.com/lists/kernel-hardening/2011/06/14/1
Attempts:
http://thread.gmane.org/gmane.linux.kernel/1141829/focus=1143409
http://www.openwall.com/lists/kernel-hardening/2011/09/27/3 (slabinfo, merged at Sep 2011)
http://www.openwall.com/lists/kernel-hardening/2011/09/27/4 (meminfo, NAK'ed)
https://lkml.org/lkml/2011/11/7/340 (interrupts, NAK'ed)
BRUTE / KERN_LOCKOUT
CHROOT*
DMESG
TPE
BLACKHOLE
Features from PaX
PAX_USERCOPY
PAX_REFCOUNT
PAX_MPROTECT
PAX_KSTACK
PAX_MEMORY_SANITIZE
Standalone features
log spoofing protection
Status: to be done
Attempts:
http://www.openwall.com/lists/kernel-hardening/2011/06/22/2
http://www.openwall.com/lists/kernel-hardening/2011/06/23/2
Linus' reaction:
32/64-bit restrictions in containers
Status: rejected (as it is a subset of seccomp v2).
Discussion:
http://www.openwall.com/lists/kernel-hardening/2011/08/07/1
http://www.openwall.com/lists/kernel-hardening/2011/08/15/4
Attempt:
http://www.openwall.com/lists/kernel-hardening/2011/08/12/14