-
-
Notifications
You must be signed in to change notification settings - Fork 105
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
initial commit of extracted grsecurity chroot hardening #1
Commits on May 3, 2017
-
enable CONFIG_PANIC_ON_OOPS by default
Signed-off-by: Daniel Micay <danielmicay@gmail.com>
Configuration menu - View commit details
-
Copy full SHA for c607904 - Browse repository at this point
Copy the full SHA c607904View commit details -
enable CONFIG_DEBUG_LIST by default
Signed-off-by: Daniel Micay <danielmicay@gmail.com>
Configuration menu - View commit details
-
Copy full SHA for 313bc9a - Browse repository at this point
Copy the full SHA 313bc9aView commit details -
Configuration menu - View commit details
-
Copy full SHA for ae12fbf - Browse repository at this point
Copy the full SHA ae12fbfView commit details -
set kptr_restrict=2 by default
Signed-off-by: Daniel Micay <danielmicay@gmail.com>
Configuration menu - View commit details
-
Copy full SHA for cdb398d - Browse repository at this point
Copy the full SHA cdb398dView commit details -
add __ro_after_init to slab_nomerge
Signed-off-by: Daniel Micay <danielmicay@gmail.com>
Configuration menu - View commit details
-
Copy full SHA for e32ea1a - Browse repository at this point
Copy the full SHA e32ea1aView commit details -
add a SLAB_HARDENED configuration option
Signed-off-by: Daniel Micay <danielmicay@gmail.com>
Configuration menu - View commit details
-
Copy full SHA for b835fbc - Browse repository at this point
Copy the full SHA b835fbcView commit details -
Signed-off-by: Daniel Micay <danielmicay@gmail.com>
Configuration menu - View commit details
-
Copy full SHA for 8f36fe9 - Browse repository at this point
Copy the full SHA 8f36fe9View commit details -
add missing cache_from_obj !PageSlab check
Taken from PaX. Signed-off-by: Daniel Micay <danielmicay@gmail.com>
Configuration menu - View commit details
-
Copy full SHA for b238307 - Browse repository at this point
Copy the full SHA b238307View commit details -
real slab_equal_or_root check for !MEMCG_KMEM
Signed-off-by: Daniel Micay <danielmicay@gmail.com>
Configuration menu - View commit details
-
Copy full SHA for 133cc26 - Browse repository at this point
Copy the full SHA 133cc26View commit details -
bug on kmem_cache_free with the wrong cache
At least when CONFIG_BUG_ON_DATA_CORRUPTION is enabled. Signed-off-by: Daniel Micay <danielmicay@gmail.com>
Configuration menu - View commit details
-
Copy full SHA for e45250a - Browse repository at this point
Copy the full SHA e45250aView commit details -
always perform cache_from_obj consistency checks
Signed-off-by: Daniel Micay <danielmicay@gmail.com>
Configuration menu - View commit details
-
Copy full SHA for 6e098ef - Browse repository at this point
Copy the full SHA 6e098efView commit details -
bug on !PageSlab && !PageCompound in ksize
Signed-off-by: Daniel Micay <danielmicay@gmail.com>
Configuration menu - View commit details
-
Copy full SHA for eb54ce7 - Browse repository at this point
Copy the full SHA eb54ce7View commit details -
add kmalloc alloc_size attributes
Signed-off-by: Daniel Micay <danielmicay@gmail.com>
Configuration menu - View commit details
-
Copy full SHA for 6efe84c - Browse repository at this point
Copy the full SHA 6efe84cView commit details -
add vmalloc alloc_size attributes
Signed-off-by: Daniel Micay <danielmicay@gmail.com>
Configuration menu - View commit details
-
Copy full SHA for d342da3 - Browse repository at this point
Copy the full SHA d342da3View commit details -
arm64: zero the leading stack canary byte
Signed-off-by: Daniel Micay <danielmicay@gmail.com>
Configuration menu - View commit details
-
Copy full SHA for e1f59d4 - Browse repository at this point
Copy the full SHA e1f59d4View commit details -
x86_64: zero the leading stack canary byte
Signed-off-by: Daniel Micay <danielmicay@gmail.com>
Configuration menu - View commit details
-
Copy full SHA for 624349a - Browse repository at this point
Copy the full SHA 624349aView commit details -
use get_random_long for the per-task stack canary
Signed-off-by: Daniel Micay <danielmicay@gmail.com>
Configuration menu - View commit details
-
Copy full SHA for 0926d3f - Browse repository at this point
Copy the full SHA 0926d3fView commit details -
zero leading per-task stack canary byte on 64-bit
Signed-off-by: Daniel Micay <danielmicay@gmail.com>
Configuration menu - View commit details
-
Copy full SHA for daaf36f - Browse repository at this point
Copy the full SHA daaf36fView commit details -
add slub free list XOR encryption
Based on the grsecurity feature, but with a per-cache random value. Signed-off-by: Daniel Micay <danielmicay@gmail.com>
Configuration menu - View commit details
-
Copy full SHA for e1d4586 - Browse repository at this point
Copy the full SHA e1d4586View commit details -
add fortified string.h functions
GNU C __builtin_*_chk intrinsics are avoided because they're only designed to detect write overflows and are overly complex. A single inline branch works for everything but strncat while those intrinsics would force the creation of a bunch of extra non-inline wrappers that aren't able to receive the detected source buffer size. As a future improvement, the fortified string functions can place a limit on reads from the source. Signed-off-by: Daniel Micay <danielmicay@gmail.com>
Configuration menu - View commit details
-
Copy full SHA for 7048d1b - Browse repository at this point
Copy the full SHA 7048d1bView commit details -
Configuration menu - View commit details
-
Copy full SHA for 4764563 - Browse repository at this point
Copy the full SHA 4764563View commit details -
Configuration menu - View commit details
-
Copy full SHA for 7a841c1 - Browse repository at this point
Copy the full SHA 7a841c1View commit details -
Configuration menu - View commit details
-
Copy full SHA for 46e3c06 - Browse repository at this point
Copy the full SHA 46e3c06View commit details -
Configuration menu - View commit details
-
Copy full SHA for 9e2e0bd - Browse repository at this point
Copy the full SHA 9e2e0bdView commit details -
Configuration menu - View commit details
-
Copy full SHA for 3222859 - Browse repository at this point
Copy the full SHA 3222859View commit details -
Configuration menu - View commit details
-
Copy full SHA for 0638b18 - Browse repository at this point
Copy the full SHA 0638b18View commit details -
Configuration menu - View commit details
-
Copy full SHA for 81f5f22 - Browse repository at this point
Copy the full SHA 81f5f22View commit details -
Configuration menu - View commit details
-
Copy full SHA for bfe45e0 - Browse repository at this point
Copy the full SHA bfe45e0View commit details
Commits on May 4, 2017
-
add basic full slab sanitization
Signed-off-by: Daniel Micay <danielmicay@gmail.com>
Configuration menu - View commit details
-
Copy full SHA for e20aada - Browse repository at this point
Copy the full SHA e20aadaView commit details -
slub: add multi-purpose random canaries
From the configuration option: Place canaries at the end of kernel slab allocations, sacrificing some performance and memory usage for security. Canaries can detect some forms of heap corruption when allocations are freed and as part of the HARDENED_USERCOPY feature. It provides basic use-after-free detection for HARDENED_USERCOPY. Canaries absorb small overflows (rendering them harmless), mitigate non-NUL terminated C string overflows on 64-bit via a guaranteed zero byte and provide basic double-free detection. Signed-off-by: Daniel Micay <danielmicay@gmail.com>
Configuration menu - View commit details
-
Copy full SHA for c8e0e67 - Browse repository at this point
Copy the full SHA c8e0e67View commit details -
Configuration menu - View commit details
-
Copy full SHA for 7538062 - Browse repository at this point
Copy the full SHA 7538062View commit details -
corrected error from a squash merge, left GRKERNSEC and grsec_, inste…
…ad of replacing them with new equivalents
Configuration menu - View commit details
-
Copy full SHA for b5d9315 - Browse repository at this point
Copy the full SHA b5d9315View commit details -
Configuration menu - View commit details
-
Copy full SHA for 5e51c71 - Browse repository at this point
Copy the full SHA 5e51c71View commit details -
Configuration menu - View commit details
-
Copy full SHA for 8e43a35 - Browse repository at this point
Copy the full SHA 8e43a35View commit details