madaidan
Perf events expose tons of attack surface and have been the cause of many vulnerabilities. linux-hardened restricts these to root by default but this still allows the root user to...
Stable kernels have various security features that LTS kernels don't have such as lockdown, SafeSetID, page allocator freelist randomization, init_on_alloc etc. I think linux-hardened should backport/reimplement those security features in...
VMware's Photon OS includes a few extracted PaX features: MPROTECT, RANDKSTACK and RAP. https://github.com/vmware/photon/blob/master/SPECS/linux/0001-NOWRITEEXEC-and-PAX-features-MPROTECT-EMUTRAMP.patch https://github.com/vmware/photon/blob/master/SPECS/linux/0002-Added-PAX_RANDKSTACK.patch https://github.com/vmware/photon/blob/master/SPECS/linux/0003-Added-rap_plugin.patch It could be a good idea to include these in linux-hardened. I'm not able...
Implements parts of the new lockdown LSM that we need as the actual LSM is not available in LTS kernels. This does not implement things we already solve with our...
This isolates certain IPC resources.