linux-hardened
linux-hardened copied to clipboard
GrapheneOS
brute force protection
I have a branch with this pretty much done, need to add back in logging and find good way to test the functionality tho... https://github.com/andyrj/linux-hardened/tree/brute
int i;
for (i = 0; i < 50; i++) {
if (fork() == 0) {
kill(getpid(), SIGSEGV);
exit(0);
}
}
wait(NULL);
That should take much much longer with brute protection enabled. :)
Your tree has two features in one commit, those should probably get split. Awesome, regardless!
Thank you kees, I'll test it out with that.
Yeah most of what the GRSEC_KERN_LOCKOUT is for PAX and UDEREF, but the part I left in was for the locking out on oops. I could easily take that part out, not sure how much benefit it is anyways with panic on oops set...
@andyrj: any chance of this being pushed into the official kernel-hardening mailing list or this project? Any chance you could update it for 4.14? Tried getting it to merge with 4.13 current and not having a fun time cherry-picking.
@sempervictus: I'm not involved with any of the kernel mailing lists at this point and I doubt the choices I made in my kconfig setup would be appropriate in upstreams eyes. But I can definitely rebase my fork on the latest linux-hardened 4.13 branch. I have been using a patch locally just bumping offsets and haven't updated my repo sorry about that... I have been planning to open a PR with just the brute-force portion to this project as mentioned above. I just keep getting busy on other things, ~I am updating my fork now~.
You're better off developing for a tag and cherry-picking between them, the 4.13 branch is just a reference to the latest code and isn't a stable history since it's maintained as a clean series of patches.
There seems to be a brute force defense being developed as an LSM: https://www.openwall.com/lists/kernel-hardening/2021/06/05/1. Maybe this could be ported to this kernel version (afaik it's for the latest, and linux-hardened is on 4.14, at least the GrapheneOS one)
