• Filesystem Hardening

    Chroot hardening

    grsecurity's chroot hardening automatically converts all uses of chroot into real jails with confinement levels equivalent to containers. Processes inside a chroot will not be able to create suid/sgid binaries, see or attack processes outside the chroot jail, mount filesystems, use sensitive capabilities, or modify UNIX domain sockets or shared memory created outside the chroot jail.

    Prevents users from tricking Apache into accessing other users' files

    If Apache is configured to allow following of symlinks, it is trivial in most webhosting configurations to force it to reveal sensitive data from other users' webroots. While Apache has a feature that aims to mitigate this risk, it suffers from an unsolvable Time-Of-Check/Time-Of-Use (TOCTOU) race condition. Grsecurity solves this problem by enforcing at the kernel-level that Apache can't follow symlinks owned by one user but pointing to the files of a different user.

    Eliminates side-channel attacks against admin terminals

    Demonstrating our ability to swiftly respond to new threats, this feature was developed the same day as Vladz' report on a side-channel attack against the /dev/ptmx device. While we immediately handled a more generalized form of the attack, as of over a year later, upstream Linux has still failed to prevent one of the two attack vectors explicitly listed in the original report.

    Provides Trusted Path Execution

    Trusted Path Execution (TPE) is an old and simple concept. It dates back to at least 1998 with route's Phrack 62 article linked below. The goal of TPE is to provide an easily-configurable and generally software compatible method of preventing unprivileged users from executing binaries they create. Grsecurity extends the idea of TPE a bit and resolves some vulnerabilities in the original design in the process (for instance, TPE is not bypassed via ld.so under grsecurity).

    Hide other users' processes for unprivileged users

    While the upstream kernel now provides a mount option for /proc to hide other unprivileged users' processes, grsecurity goes beyond this by hiding such information by default, hiding additional sources of sensitive information provided by the kernel in /proc, and hiding private network-related information of all users. Not only is the networking information a violation of the privacy of other users on the system, but it has also been useful in the past for TCP hijacking attacks.