Out of scope features

Daniel Micay edited this page Apr 26, 2018 · 19 revisions

In general, the following classes of features are considered out of scope:

  • Features that the mainline kernel, SELinux or Yama already provide adequately

Specifically:

  • grsecurity RBAC (SELinux works well and is more flexible / powerful, at the expense of being more complex and harder to learn)
  • architecture-specific features outside of x86_64 and arm64 (either legacy or too niche)
  • KERNEXEC/UDEREF for pre-Broadwell x86_64 CPUs (legacy)
  • GRKERNSEC_SETXID (niche)
  • GRKERNSEC_DMESG (kernel.dmesg_restrict)
  • GRKERNSEC_HARDEN_PTRACE (kernel.yama.ptrace_scope)
  • GRKERNSEC_HARDEN_TTY (can make ioctl whitelists with SELinux)
  • GRKERNSEC_KSTACKOVERFLOW (VMAP_STACK)
  • GRKERNSEC_LINK (protected_hardlinks/protected_symlinks)
  • PAX_EMUTRAMP (legacy)
  • PAX_MPROTECT_COMPAT (legacy)
  • PAX_ELFRELOCS (legacy)
  • PAX_ETEXECRELOCS (legacy)
  • PAX_EMUPLT (legacy)
  • PAX_DLRESOLVE (legacy)
  • PAX_EI_PAX (legacy)
  • PAX_PT_PAX_FLAGS (legacy)
  • GRKERNSEC_PROC_USER (hidepid=2)
  • GRKERNSEC_PROC_USERGROUP (hidepid=2,gid=proc)
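Several of the mainline replacements named in the parentheses above (kernel.dmesg_restrict, kernel.yama.ptrace_scope, protected_hardlinks/protected_symlinks, hidepid=2 on /proc) are runtime settings that can be audited. The POSIX shell script below is an added example, not code from this wiki or the project; the minimum values it expects are assumptions for the check, and it treats the newer `hidepid=invisible` spelling as the equivalent of `hidepid=2`.

```shell
#!/bin/sh
# Audit the mainline equivalents of the out-of-scope grsecurity features.
# Expected minimums (assumed for this check): kernel.dmesg_restrict=1,
# kernel.yama.ptrace_scope>=1, fs.protected_hardlinks=1,
# fs.protected_symlinks=1, and /proc mounted with hidepid=2.

# Read a sysctl from /proc/sys; print "unavailable" if the key is absent.
read_sysctl() {
    path="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then cat "$path"; else printf 'unavailable\n'; fi
}

# Print "ok" when a numeric value meets the minimum, "weak" when it does
# not, and "unknown" when the value is empty or not a number.
judge() {
    actual=$1; minimum=$2
    case $actual in
        ''|*[!0-9]*) printf 'unknown\n'; return ;;
    esac
    if [ "$actual" -ge "$minimum" ]; then printf 'ok\n'; else printf 'weak\n'; fi
}

# Extract hidepid=N from one /proc/mounts line describing /proc.
# Prints 0 when the option is absent or the line is for another mount.
# Newer kernels spell the levels as noaccess/invisible/ptraceable.
hidepid_from_mount_line() {
    opts=$(printf '%s\n' "$1" | awk '$2 == "/proc" && $3 == "proc" { print $4 }')
    case ",$opts," in
        *,hidepid=*) v=${opts#*hidepid=}; v=${v%%,*}
                     case $v in noaccess) v=1 ;; invisible) v=2 ;; ptraceable) v=4 ;; esac
                     printf '%s\n' "$v" ;;
        *) printf '0\n' ;;
    esac
}

# Locate the live /proc mount (last matching line wins) and report hidepid.
proc_hidepid() {
    mounts=${1:-/proc/mounts}
    [ -r "$mounts" ] || { printf '0\n'; return; }
    line=$(grep -E '^[^ ]+ /proc proc ' "$mounts" | tail -n 1)
    hidepid_from_mount_line "$line"
}

audit() {
    for pair in kernel.dmesg_restrict:1 kernel.yama.ptrace_scope:1 \
                fs.protected_hardlinks:1 fs.protected_symlinks:1; do
        key=${pair%%:*}; min=${pair##*:}
        printf '%-28s %s\n' "$key" "$(judge "$(read_sysctl "$key")" "$min")"
    done
    printf '%-28s %s\n' "proc hidepid" "$(judge "$(proc_hidepid)" 2)"
}

audit
```

A "weak" row means the grsecurity feature's mainline counterpart is present but not enabled; "unknown" usually means the kernel lacks that knob (for example, no Yama).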