Difference between revisions of "Feature List"

From Linux Kernel Security Subsystem
Jump to navigation Jump to search
(initial dump of interesting features)
 
(catch up)
 
(3 intermediate revisions by the same user not shown)
Line 70: Line 70:
| arm64 mmap ASLR fix
| arm64 mmap ASLR fix
|-
|-
| vdso ASLR fix
| vdso ASLR fix, x86_64
|-
|-
| vsyscall=none, x86_64
| vsyscall=none, x86_64
Line 101: Line 101:
| v4.4
| v4.4
| vsyscall CONFIG
| vsyscall CONFIG
|-
| v4.5
| ASLR entropy bits sysctl
|-
|rowspan="4"| v4.6
| KASLR, arm64
|-
| RODATA on by default, arm64
|-
| RODATA on by default, arm (ARMv7+)
|-
| RODATA mandatory, x86
|-
|rowspan="5"| v4.7
| LoadPin LSM
|-
| KASLR text, MIPS
|-
| SLAB freelist ASLR
|-
| brk ASLR weakness fixed, arm64 compat
|-
| eBPF JIT blinding
|-
|rowspan="11"| v4.8
| SLUB freelist ASLR
|-
| KASLR text phys/virt split, x86_64
|-
| KASLR memory, x86_64
|-
| gcc-plugin infrastructure
|-
| fix _etext, arm
|-
| fix _etext, arm64
|-
| HARDENED_USERCOPY lkdtm tests
|-
| KASLR with hibernation, x86
|-
| seccomp vs ptrace fixed
|-
| HARDENED_USERCOPY
|-
| NX stack and heap, mips
|-
|rowspan="6"| v4.9
| latent_entropy plugin
|-
| vmap stack, x86
|-
| thread_info in task_struct, x86
|-
| random_page() cleanup
|-
| RODATA mandatory, arm64
|-
| user_ns restrictions
|-
|rowspan="7"| v4.10
| CONFIG_DEBUG_LIST hardening
|-
| PAN emulation, arm64 v8.0
|-
| thread_info in task-struct, arm64
|-
| get_user zeroing fix, arm
|-
| report nnp
|-
| seed RNG from UEFI
|-
| CONFIG_DEBUG_WX, arm64
|-
|-
|}
|}

Latest revision as of 23:02, 26 April 2017

This is a list of various interesting security features since v3.4 and when they were introduced in the upstream kernel. Feel free to add anything more!


Version Feature
v3.5 seccomp-bpf, x86
v3.7 PXN, arm64
v3.8 seccomp-bpf, arm
seccomp reported in /proc/$pid/status
finit_module syscall and LSM hook
v3.13 remove %n from printf
v3.14 ptdump, arm
kaslr, x86
modules ro/nx, arm
stack-protector-strong
kexec_load_disabled
v3.15 seccomp-bpf, mips
lkdtm WRITE_KERN
module aslr, x86
v3.16 harden sysctl writing
v3.17 seccomp syscall and TSYNC
request_firmware LSM hook
v3.18 kernel memory W^X, x86
overlayfs v3.18
v3.19 kernel ro/nx, arm
modules ro/nx, arm64
ptdump, arm64
seccomp-bpf, arm64
PXN, arm
crypto- module prefixing
ecryptfs one-byte heap write fix
arm64 mmap ASLR fix
vdso ASLR fix, x86_64
vsyscall=none, x86_64
vdso ASLR, mips
v4.0 kernel ro/nx, arm64
stack ASLR fix
seccomp-bpf, RET_ERRNO capped to 4095
v4.1 kernel stack buffer overflow detection, mips
INET_DIAG cookies fixed
ET_DYN ASLR separate from mmap ASLR
v4.3 PAN emulation, arm
ambient capabilities
seccomp-bpf, powerpc
x86_32 direct socket calls
v4.4 vsyscall CONFIG
v4.5 ASLR entropy bits sysctl
v4.6 KASLR, arm64
RODATA on by default, arm64
RODATA on by default, arm (ARMv7+)
RODATA mandatory, x86
v4.7 LoadPin LSM
KASLR text, MIPS
SLAB freelist ASLR
brk ASLR weakness fixed, arm64 compat
eBPF JIT blinding
v4.8 SLUB freelist ASLR
KASLR text phys/virt split, x86_64
KASLR memory, x86_64
gcc-plugin infrastructure
fix _etext, arm
fix _etext, arm64
HARDENED_USERCOPY lkdtm tests
KASLR with hibernation, x86
seccomp vs ptrace fixed
HARDENED_USERCOPY
NX stack and heap, mips
v4.9 latent_entropy plugin
vmap stack, x86
thread_info in task_struct, x86
random_page() cleanup
RODATA mandatory, arm64
user_ns restrictions
v4.10 CONFIG_DEBUG_LIST hardening
PAN emulation, arm64 v8.0
thread_info in task-struct, arm64
get_user zeroing fix, arm
report nnp
seed RNG from UEFI
CONFIG_DEBUG_WX, arm64