File: features.txt

kernel-patch-2.4-grsecurity 1.9.15-2
			      Grsecurity features

   grsecurity 2.0 RBAC features
   _________________________________________________________________

   * Role-Based Access Control

   * User, group, and special roles

   * Role transition tables

   * IP-based roles

   * Non-root access to special roles

   * Special roles that require no authentication

   * Nested subjects

   * Variable support in configuration

   * And, or, and difference set operations on variables in configuration

   * Object mode that controls the creation of setuid and setgid files

   * Create and delete object modes

   * Kernel interpretation of inheritance

   * Real-time regular-expression resolution

   * Ability to deny ptraces to specific processes

   * User and group transition checking and enforcement on an inclusive
     or exclusive basis

   * /dev/grsec entry for kernel authentication and learning logs

   * Next-generation code that produces least-privilege policies for the
     entire system with no configuration

   * Full pathnames for offending process and parent process

   * RBAC status function for gradm

   * /proc/<pid>/ipaddr gives the remote address of the person who
     started a given process

   * All other features of grsecurity 1.9.x MAC system

   grsecurity 1.9.x MAC system features
   _________________________________________________________________

   * Process-based Mandatory Access Control

   * Secure policy enforcement

   * Supports read, write, append, execute, view, and read-only ptrace
     object permissions

   * Supports hide, protect, and override subject flags

   * Supports the PaX flags

   * Shared memory protection feature

   * Integrated local attack response on all alerts

   * Subject flag that ensures a process can never execute trojaned code

   * Intelligent learning mode that produces least-privilege ACLs with no
     configuration

   * Full-featured fine-grained auditing

   * Resource ACLs

   * Socket ACLs

   * File/process ACLs

   * Capabilities

   * Protection against exploit bruteforcing

   * /proc/<pid> file descriptor/memory protection

   * ACLs can be placed on non-existent files/processes

   * ACL regeneration on subjects and objects

   * Administrative mode to use for regular sysadmin tasks

   * ACL system is resealed upon admin logout

   * Globbing support on ACL objects

   * Configurable log suppression

   * Configurable process accounting

   * Human-readable configuration

   * Not filesystem dependent

   * Not architecture dependent

   * Scales well: supports as many ACLs as memory can handle

   * No runtime memory allocation

   * SMP safe

   * O(1) time efficiency for most operations

   * Include directive for specifying additional ACLs

   * Enable, disable, reload capabilities

   * Userspace option to test permissions on an ACL

   * Option to hide kernel processes

   Chroot restrictions
   _________________________________________________________________

   * No attaching shared memory outside of chroot

   * No kill outside of chroot

   * No ptrace outside of chroot (architecture independent)

   * No capget outside of chroot

   * No setpgid outside of chroot

   * No getpgid outside of chroot

   * No getsid outside of chroot

   * No sending of signals by fcntl outside of chroot

   * No viewing of any process outside of chroot, even if /proc is
     mounted

   * No mounting or remounting

   * No pivot_root

   * No double chroot

   * No fchdir out of chroot

   * Enforced chdir("/") upon chroot

   * No (f)chmod +s

   * No mknod

   * No sysctl writes

   * No raising of scheduler priority

   * No connecting to abstract unix domain sockets outside of chroot

   * Removal of harmful privileges via capabilities

   * Exec logging within chroot

   Address space modification protection
   _________________________________________________________________

   * PaX: Page-based implementation of non-executable user pages for
     i386, sparc, sparc64, alpha, parisc, amd64, ia64, and ppc

   * PaX: Segmentation-based implementation of non-executable user pages
     for i386 with negligible performance hit

   * PaX: Segmentation-based implementation of non-executable KERNEL
     pages for i386

   * PaX: Mprotect restrictions prevent new code from entering a task

   * PaX: Randomization of stack and mmap base for i386, sparc, sparc64,
     alpha, parisc, amd64, ia64, ppc, and mips

   * PaX: Randomization of heap base for i386, sparc, sparc64, alpha,
     parisc, amd64, ia64, ppc, and mips

   * PaX: Randomization of executable base for i386, sparc, sparc64,
     alpha, parisc, amd64, ia64, and ppc

   * PaX: Randomization of kernel stack

   * PaX: Automatically emulate sigreturn trampolines (for libc5, glibc
     2.0, uClibc, Modula-3 compatibility)

   * PaX: No ELF .text relocations

   * PaX: Trampoline emulation (GCC and linux sigreturn)

   * PaX: PLT emulation for non-i386 archs

   * No kernel modification via /dev/mem, /dev/kmem, or /dev/port

   * Option to disable use of raw I/O

   * Removal of addresses from /proc/<pid>/[maps|stat]

   Auditing features
   _________________________________________________________________

   * Option to specify single group to audit

   * Exec logging with arguments

   * Denied resource logging

   * Chdir logging

   * Mount and unmount logging

   * IPC creation/removal logging

   * Signal logging

   * Failed fork logging

   * Time change logging

   Randomization features
   _________________________________________________________________

   * Larger entropy pools

   * Randomized TCP Initial Sequence Numbers

   * Randomized PIDs

   * Randomized IP IDs

   * Randomized TCP source ports

   * Randomized RPC XIDs

   Other features
   _________________________________________________________________

   * /proc restrictions that don't leak information about process owners

   * Symlink/hardlink restrictions to prevent /tmp races

   * FIFO restrictions

   * Dmesg(8) restriction

   * Enhanced implementation of Trusted Path Execution

   * GID-based socket restrictions

   * Nearly all options are sysctl-tunable, with a locking mechanism

   * All alerts and audits support a feature that logs the attacker's IP
     alongside the log entry

   * Stream connections across unix domain sockets carry the attacker's
     IP with them

   * Detection of local connections: copies attacker's IP to the other
     task

   * Low, Medium, High, and Custom security levels

   * Tunable flood-time and burst for logging