Difference between revisions of "Feature List"
Jump to navigation
Jump to search
(catch up) |
|||
(2 intermediate revisions by the same user not shown) | |||
Line 70: | Line 70: | ||
| arm64 mmap ASLR fix | | arm64 mmap ASLR fix | ||
|- | |- | ||
| vdso ASLR fix | | vdso ASLR fix, x86_64 | ||
|- | |- | ||
| vsyscall=none, x86_64 | | vsyscall=none, x86_64 | ||
Line 104: | Line 104: | ||
| v4.5 | | v4.5 | ||
| ASLR entropy bits sysctl | | ASLR entropy bits sysctl | ||
|- | |||
|rowspan="4"| v4.6 | |||
| KASLR, arm64 | |||
|- | |||
| RODATA on by default, arm64 | |||
|- | |||
| RODATA on by default, arm (ARMv7+) | |||
|- | |||
| RODATA mandatory, x86 | |||
|- | |||
|rowspan="5"| v4.7 | |||
| LoadPin LSM | |||
|- | |||
| KASLR text, MIPS | |||
|- | |||
| SLAB freelist ASLR | |||
|- | |||
| brk ASLR weakness fixed, arm64 compat | |||
|- | |||
| eBPF JIT blinding | |||
|- | |||
|rowspan="11"| v4.8 | |||
| SLUB freelist ASLR | |||
|- | |||
| KASLR text phys/virt split, x86_64 | |||
|- | |||
| KASLR memory, x86_64 | |||
|- | |||
| gcc-plugin infrastructure | |||
|- | |||
| fix _etext, arm | |||
|- | |||
| fix _etext, arm64 | |||
|- | |||
| HARDENED_USERCOPY lkdtm tests | |||
|- | |||
| KASLR with hibernation, x86 | |||
|- | |||
| seccomp vs ptrace fixed | |||
|- | |||
| HARDENED_USERCOPY | |||
|- | |||
| NX stack and heap, mips | |||
|- | |||
|rowspan="6"| v4.9 | |||
| latent_entropy plugin | |||
|- | |||
| vmap stack, x86 | |||
|- | |||
| thread_info in task_struct, x86 | |||
|- | |||
| random_page() cleanup | |||
|- | |||
| RODATA mandatory, arm64 | |||
|- | |||
| user_ns restrictions | |||
|- | |||
|rowspan="7"| v4.10 | |||
| CONFIG_DEBUG_LIST hardening | |||
|- | |||
| PAN emulation, arm64 v8.0 | |||
|- | |||
| thread_info in task-struct, arm64 | |||
|- | |||
| get_user zeroing fix, arm | |||
|- | |||
| report nnp | |||
|- | |||
| seed RNG from UEFI | |||
|- | |||
| CONFIG_DEBUG_WX, arm64 | |||
|- | |- | ||
|} | |} |
Latest revision as of 23:02, 26 April 2017
This is a list of various interesting security features since v3.4 and when they were introduced in the upstream kernel. Feel free to add anything more!
Version | Feature |
---|---|
v3.5 | seccomp-bpf, x86 |
v3.7 | PXN, arm64 |
v3.8 | seccomp-bpf, arm |
seccomp reported in /proc/$pid/status | |
finit_module syscall and LSM hook | |
v3.13 | remove %n from printf |
v3.14 | ptdump, arm |
kaslr, x86 | |
modules ro/nx, arm | |
stack-protector-strong | |
kexec_load_disabled | |
v3.15 | seccomp-bpf, mips |
lkdtm WRITE_KERN | |
module aslr, x86 | |
v3.16 | harden sysctl writing |
v3.17 | seccomp syscall and TSYNC |
request_firmware LSM hook | |
v3.18 | kernel memory W^X, x86 |
overlayfs v3.18 | |
v3.19 | kernel ro/nx, arm |
modules ro/nx, arm64 | |
ptdump, arm64 | |
seccomp-bpf, arm64 | |
PXN, arm | |
crypto- module prefixing | |
ecryptfs one-byte heap write fix | |
arm64 mmap ASLR fix | |
vdso ASLR fix, x86_64 | |
vsyscall=none, x86_64 | |
vdso ASLR, mips | |
v4.0 | kernel ro/nx, arm64 |
stack ASLR fix | |
seccomp-bpf, RET_ERRNO capped to 4095 | |
v4.1 | kernel stack buffer overflow detection, mips |
INET_DIAG cookies fixed | |
ET_DYN ASLR separate from mmap ASLR | |
v4.3 | PAN emulation, arm |
ambient capabilities | |
seccomp-bpf, powerpc | |
x86_32 direct socket calls | |
v4.4 | vsyscall CONFIG |
v4.5 | ASLR entropy bits sysctl |
v4.6 | KASLR, arm64 |
RODATA on by default, arm64 | |
RODATA on by default, arm (ARMv7+) | |
RODATA mandatory, x86 | |
v4.7 | LoadPin LSM |
KASLR text, MIPS | |
SLAB freelist ASLR | |
brk ASLR weakness fixed, arm64 compat | |
eBPF JIT blinding | |
v4.8 | SLUB freelist ASLR |
KASLR text phys/virt split, x86_64 | |
KASLR memory, x86_64 | |
gcc-plugin infrastructure | |
fix _etext, arm | |
fix _etext, arm64 | |
HARDENED_USERCOPY lkdtm tests | |
KASLR with hibernation, x86 | |
seccomp vs ptrace fixed | |
HARDENED_USERCOPY | |
NX stack and heap, mips | |
v4.9 | latent_entropy plugin |
vmap stack, x86 | |
thread_info in task_struct, x86 | |
random_page() cleanup | |
RODATA mandatory, arm64 | |
user_ns restrictions | |
v4.10 | CONFIG_DEBUG_LIST hardening |
PAN emulation, arm64 v8.0 | |
thread_info in task-struct, arm64 | |
get_user zeroing fix, arm | |
report nnp | |
seed RNG from UEFI | |
CONFIG_DEBUG_WX, arm64 |