Ubuntu

Kernel Hardening

Registered by Kees Cook on 2010-10-21

DIscussion options for further kernel hardening in the Natty kernel.

Blueprint information

Status:: Started

Approver:: Tim Gardner

Priority:: Medium

Drafter:: Kees Cook

Direction:: Approved

Assignee:: Kees Cook

Definition:: Discussion

Series goal:: Accepted for oneiric

Implementation:: Good progress

Milestone target:: ubuntu-11.10

Started by: Kees Cook on 2011-01-14

Related branches

Related bugs

Sprints

uds-n

Whiteboard

- PaX and grsecurity topic branch
- aggressive read-only markings
- copy_*_user() hardening
- -Wextra
- UDEREF (10% performance hit)

Work items:
[kees] finish audit of copy_from_user callers: POSTPONED
[kees] constification hunting: POSTPONED
[kees] __read_only section and markings from grsecurity: POSTPONED
[kees] copy_*_user() hardening from grsecurity: POSTPONED
[kees] automatic mainline+grsecurity+AA+Yama PPA: POSTPONED

Natty work items:
[kees] XD_DISABLE BIOS unfiltering patches: DONE
[kees] module RO/NX patches: DONE
[kees] restore kallsyms patch: DONE
[kees] block rare net module autoloading: DONE
[kees] bundle up and apply drosenbe's /proc/net leak patch: DONE

(?)

Work Items

This blueprint contains Public information

Everyone can see this information.

Subscribers

Andy Whitcroft

Charles Profitt

Dave Russell

Evan Broder

Jamie Strandboge

Johan Kiviniemi

Kees Cook

LaMont Jones

Marc Deslauriers

Martin Bogomolni

Micah Gersten

Steve Beattie

Tim Gardner

Tobias Bradtke