Feature List

From Linux Kernel Security Subsystem

This is a list of various interesting security features since v3.4 and when they were introduced in the upstream kernel. Feel free to add anything more!

Version Feature
v3.5 seccomp-bpf, x86
v3.7 PXN, arm64
v3.8 seccomp-bpf, arm
seccomp reported in /proc/$pid/status
finit_module syscall and LSM hook
v3.13 remove %n from printf
v3.14 ptdump, arm
kaslr, x86
modules ro/nx, arm
v3.15 seccomp-bpf, mips
module aslr, x86
v3.16 harden sysctl writing
v3.17 seccomp syscall and TSYNC
request_firmware LSM hook
v3.18 kernel memory W^X, x86
overlayfs v3.18
v3.19 kernel ro/nx, arm
modules ro/nx, arm64
ptdump, arm64
seccomp-bpf, arm64
PXN, arm
crypto- module prefixing
ecryptfs one-byte heap write fix
arm64 mmap ASLR fix
vdso ASLR fix, x86_64
vsyscall=none, x86_64
vdso ASLR, mips
v4.0 kernel ro/nx, arm64
stack ASLR fix
seccomp-bpf, RET_ERRNO capped to 4095
v4.1 kernel stack buffer overflow detection, mips
INET_DIAG cookies fixed
ET_DYN ASLR separate from mmap ASLR
v4.3 PAN emulation, arm
ambient capabilities
seccomp-bpf, powerpc
x86_32 direct socket calls
v4.4 vsyscall CONFIG
v4.5 ASLR entropy bits sysctl
v4.6 KASLR, arm64
RODATA on by default, arm64
RODATA on by default, arm (ARMv7+)
RODATA mandatory, x86
v4.7 LoadPin LSM
SLAB freelist ASLR
brk ASLR weakness fixed, arm64 compat
eBPF JIT blinding
v4.8 SLUB freelist ASLR
KASLR text phys/virt split, x86_64
KASLR memory, x86_64
gcc-plugin infrastructure
fix _etext, arm
fix _etext, arm64
KASLR with hibernation, x86
seccomp vs ptrace fixed
NX stack and heap, mips
v4.9 latent_entropy plugin
vmap stack, x86
thread_info in task_struct, x86
random_page() cleanup
RODATA mandatory, arm64
user_ns restrictions
v4.10 CONFIG_DEBUG_LIST hardening
PAN emulation, arm64 v8.0
thread_info in task_struct, arm64
get_user zeroing fix, arm
report nnp
seed RNG from UEFI