kees · August 12, 2016 20:13
diff --git a/gistfile1.txt b/gistfile1.txt
 # grsecurity

 ## integrated

 - PERF_HARDEN - local kernel attack surface reduction, landed as perf_event_paranoid=3 by default in AOSP
 - DENYUSB - physical attack surface reduction, tied to screen lock state by default (setting exposes on, off, dynamic)
 * DEVICE_SIDECHANNEL - closes time-based sidechannels for device types

 ## wanted

 * PROC_MEMMAP - likely won't break anything
 * HIDESYM - have kptr_restrict, but this plugs additional holes (could just extract them)
 * RANDSTRUCT - Unique kernel per-device and also per-version means it wouldn't be useless, but it
  could be a lot more useful if there were different release channels per-device. Could rebuild
  only the kernel (very quick for Android) to save time, although incremental builds are sketchy.
 * KSTACKOVERFLOW
 * RWXMAP_LOG - in userdebug builds

 ## IDS-related

 Features that would likely be useful to a theoretical IDS but not otherwise since there's no
 system administrator to review logs and it's not particularly useful for debugging other than the
 RWXMAP_LOG feature.

 * all of the auditing features
 * PROC_IPADDR

 ## undecided

 * SETXID - would fix the issue in Android's libc, but only the base system uses this and it's
  unlikely that this would fix any vulnerabilities - unlike a traditional distribution
 * TPE - some functionality is covered by SELinux, but not all - the main issue is compatibility
 * BRUTE - Android doesn't use suid/sgid binaries, might be useful for Chromium but could be implemented there
 * NO_SIMULT_CONNECT
 * PTRACE_READEXEC
 * HARDEN_PTRACE - more than SELinux can do but new kernels have stackable ptrace_scope based on it
 * FIFO - not sure if Android apps can even use FIFOs, should investigate this
 * HARDEN_TTY

 ## leaning against

 * socket groups - Android already has a similar kernel feature for the network permission
 * all of the chroot hardening features - Android doesn't use chroots for anything
 * SYMLINKOWN - not really any use case where it wouldn't break everything
 * KMEM - likely redundant due to SELinux
 * IO - likely redundant due to SELinux
 * RAND_THREADSTACK - similar mitigation can be done in libc, although the signal can be handled

 ## incompatible and/or unnecessary

 * KERN_LOCKOUT - Android uses panic_on_oops
 * RBAC - not currently flexible enough, and Android is far too heavily invested in SELinux already
 * JIT_HARDEN - not ever going to be enabling the BPF JIT engine
 * MODHARDEN - Nexus devices do not use kernel modules
 * DMESG - implemented via dmesg_restrict and SELinux already
 * LINK - available via fs.protected_{hardlinks,symlinks}
 * BLACKHOLE - netfilter is always used anyway
 * SYSFS_RESTRICT - not flexible enough, and the SELinux policy for /sys is already very strict
 * PROC, PROC_{USER,USERGROUP}, PROC_ADD - already have hidepid and SELinux for this
 * HARDEN_IPC - Android doesn't enable System V IPC
 * VM86 - not going to be supporting any 32-bit x86 devices, or really any more 32-bit devices at all
 * ROFS - would be incompatible with external storage, and wouldn't provide much value since mount
  access is extremely limited while the kernel attack surface is huge
 * PROC_ADD - can use SELinux for finer-grained control:
    - buddyinfo
    - bus
    - bus/pci
    - kcore
    - cmdline
    - devices
    - interrupts - done
    - stat - done
    - config.gz - not present
    - ioports
    - iomem
    - sched_debug
    - timer_list - done
    - timer_stats - done
    - slabinfo
    - vmstat
    - pagetypeinfo

 # PaX

 * NOEXEC - not really meaningful anymore
 * PAGEEXEC - minor security benefits outside i386 (no signal handler call for NX violations)
 * SEGMEXEC - not relevant outside i386
 * EMUTRAMP - not needed
 * EMUSIGRT - not needed
 * MPROTECT - needs to be ported to AArch64
 * MPROTECT_COMPAT - not needed
 * ELFRELOCS - not needed
 * ETEXECRELOCS - not needed
 * EMUPLT - not needed
 * DLRESOLVE - not needed
 * KERNEXEC - needs to be ported to AArch64 (can use PXN)
 * ASLR
 * RANDKSTACK - needs to be ported to ARM and AArch64
 * RANDUSTACK
 * RANDMMAP - needs to be ported to AArch64
 * MEMORY_SANITIZE
 * MEMORY_STACKLEAK
 * MEMORY_STRUCTLEAK
 * MEMORY_UDEREF - needs to be ported to AArch64 for ARMv8
 * REFCOUNT
 * CONSTIFY_PLUGIN
 * USERCOPY
 * SIZE_OVERFLOW
 * LATENT_ENTROPY - not really needed, already have hardware random number generators
 * RAP - needs to be ported to ARM and AArch64

 ## Changes without configuration names (incomplete)

 * PaX stack gap
	# grsecurity

	## integrated

	- PERF_HARDEN - local kernel attack surface reduction, landed as perf_event_paranoid=3 by default in AOSP
	- DENYUSB - physical attack surface reduction, tied to screen lock state by default (setting exposes on, off, dynamic)
	* DEVICE_SIDECHANNEL - closes time-based sidechannels for device types

	## wanted

	* PROC_MEMMAP - likely won't break anything
	* HIDESYM - have kptr_restrict, but this plugs additional holes (could just extract them)
	* RANDSTRUCT - Unique kernel per-device and also per-version means it wouldn't be useless, but it
	could be a lot more useful if there were different release channels per-device. Could rebuild
	only the kernel (very quick for Android) to save time, although incremental builds are sketchy.
	* KSTACKOVERFLOW
	* RWXMAP_LOG - in userdebug builds

	## IDS-related

	Features that would likely be useful to a theoretical IDS but not otherwise since there's no
	system administrator to review logs and it's not particularly useful for debugging other than the
	RWXMAP_LOG feature.

	* all of the auditing features
	* PROC_IPADDR

	## undecided

	* SETXID - would fix the issue in Android's libc, but only the base system uses this and it's
	unlikely that this would fix any vulnerabilities - unlike a traditional distribution
	* TPE - some functionality is covered by SELinux, but not all - the main issue is compatibility
	* BRUTE - Android doesn't use suid/sgid binaries, might be useful for Chromium but could be implemented there
	* NO_SIMULT_CONNECT
	* PTRACE_READEXEC
	* HARDEN_PTRACE - more than SELinux can do but new kernels have stackable ptrace_scope based on it
	* FIFO - not sure if Android apps can even use FIFOs, should investigate this
	* HARDEN_TTY

	## leaning against

	* socket groups - Android already has a similar kernel feature for the network permission
	* all of the chroot hardening features - Android doesn't use chroots for anything
	* SYMLINKOWN - not really any use case where it wouldn't break everything
	* KMEM - likely redundant due to SELinux
	* IO - likely redundant due to SELinux
	* RAND_THREADSTACK - similar mitigation can be done in libc, although the signal can be handled

	## incompatible and/or unnecessary

	* KERN_LOCKOUT - Android uses panic_on_oops
	* RBAC - not currently flexible enough, and Android is far too heavily invested in SELinux already
	* JIT_HARDEN - not ever going to be enabling the BPF JIT engine
	* MODHARDEN - Nexus devices do not use kernel modules
	* DMESG - implemented via dmesg_restrict and SELinux already
	* LINK - available via fs.protected_{hardlinks,symlinks}
	* BLACKHOLE - netfilter is always used anyway
	* SYSFS_RESTRICT - not flexible enough, and the SELinux policy for /sys is already very strict
	* PROC, PROC_{USER,USERGROUP}, PROC_ADD - already have hidepid and SELinux for this
	* HARDEN_IPC - Android doesn't enable System V IPC
	* VM86 - not going to be supporting any 32-bit x86 devices, or really any more 32-bit devices at all
	* ROFS - would be incompatible with external storage, and wouldn't provide much value since mount
	access is extremely limited while the kernel attack surface is huge
	* PROC_ADD - can use SELinux for finer-grained control:
	- buddyinfo
	- bus
	- bus/pci
	- kcore
	- cmdline
	- devices
	- interrupts - done
	- stat - done
	- config.gz - not present
	- ioports
	- iomem
	- sched_debug
	- timer_list - done
	- timer_stats - done
	- slabinfo
	- vmstat
	- pagetypeinfo

	# PaX

	* NOEXEC - not really meaningful anymore
	* PAGEEXEC - minor security benefits outside i386 (no signal handler call for NX violations)
	* SEGMEXEC - not relevant outside i386
	* EMUTRAMP - not needed
	* EMUSIGRT - not needed
	* MPROTECT - needs to be ported to AArch64
	* MPROTECT_COMPAT - not needed
	* ELFRELOCS - not needed
	* ETEXECRELOCS - not needed
	* EMUPLT - not needed
	* DLRESOLVE - not needed
	* KERNEXEC - needs to be ported to AArch64 (can use PXN)
	* ASLR
	* RANDKSTACK - needs to be ported to ARM and AArch64
	* RANDUSTACK
	* RANDMMAP - needs to be ported to AArch64
	* MEMORY_SANITIZE
	* MEMORY_STACKLEAK
	* MEMORY_STRUCTLEAK
	* MEMORY_UDEREF - needs to be ported to AArch64 for ARMv8
	* REFCOUNT
	* CONSTIFY_PLUGIN
	* USERCOPY
	* SIZE_OVERFLOW
	* LATENT_ENTROPY - not really needed, already have hardware random number generators
	* RAP - needs to be ported to ARM and AArch64

	## Changes without configuration names (incomplete)

	* PaX stack gap