Kernel Hardening

Registered by Kees Cook on 2010-10-21

DIscussion options for further kernel hardening in the Natty kernel.

Blueprint information

Status:
Started
Approver:
Tim Gardner
Priority:
Medium
Drafter:
Kees Cook
Direction:
Approved
Assignee:
Kees Cook
Definition:
Discussion
Series goal:
Accepted for oneiric
Implementation:
Good progress
Milestone target:
milestone icon ubuntu-11.10
Started by
Kees Cook on 2011-01-14

Related branches

Sprints

Whiteboard

- PaX and grsecurity topic branch
- aggressive read-only markings
- copy_*_user() hardening
- -Wextra
- UDEREF (10% performance hit)

Work items:
[kees] finish audit of copy_from_user callers: POSTPONED
[kees] constification hunting: POSTPONED
[kees] __read_only section and markings from grsecurity: POSTPONED
[kees] copy_*_user() hardening from grsecurity: POSTPONED
[kees] automatic mainline+grsecurity+AA+Yama PPA: POSTPONED

Natty work items:
[kees] XD_DISABLE BIOS unfiltering patches: DONE
[kees] module RO/NX patches: DONE
[kees] restore kallsyms patch: DONE
[kees] block rare net module autoloading: DONE
[kees] bundle up and apply drosenbe's /proc/net leak patch: DONE

(?)

Work Items