Our 6.18 #grsecurity LTS release, to be supported through at least the end of 2028, is now available!
Lies, damned lies and #statistics: Literature shows it's statistically possible to infer a password from typing habits given access to a side channel which reveals access and/or modification time such as stat(2), fanotify(7) or inotify(7). #grsecurity prevents this with GRKERNSEC_DEVICE_SIDECHANNEL which #sydbox inherited with its Device Sidechannel Mitigations: https://man.exherbo.org/syd.7.html#Device_Sidechannel_Mitigations #exherbo #linux #security

6.18 has been selected as the next #grsecurity stable kernel version, to be supported through the end of 2028, one year longer than the upstream LTS EOL date of Dec 2027.
#sydbox 3.37.3 is released with Trusted Symbolic Links a la CONFIG_GRKERNSEC_LINK of #grsecurity: https://man.exherbo.org/syd.7.html#Trusted_Symbolic_Links #exherbo #security #linux

Nice demo: tested a vulnerable Ubuntu 22.04 system for glibc CVE-2025-4802 using Solar Designer's PoC adapted to Ubuntu (replace any occurrence of "myhostname" with "mdns4_minimal"). Even an old #grsecurity 5.4.96 kernel from February 8, 2021 prevented exploitation.
We expect our 6.13 #grsecurity beta to be available within the next two weeks.
Our 6.12 #grsecurity beta is now available to beta testers for testing.

Linux kernel hardening does not necessarily have to ruin performance. Quite the opposite is possible! One just has to address performance issues first and gets better security “for free” — sometimes vast performance improvements even!

Current example: BPF JIT handling. test_bpf.ko is a kernel module exercising various extreme and corner cases of BPF programs the kernel is supposed to handle just fine. However, under certain configurations it makes the kernel busy burn cycles without making real progress. Fixing that allowed us to implement security features in #grsecurity at all stages of the JIT process and basically get them for free. See for yourself…

…and yes, while waiting for insmod to finish on vanilla Linux, I fixed the tests and did a quick re-run on #grsecurity.

Performance isn't the enemy of security: we care about both. Today's patches finish off a set of security/performance improvements to eBPF. Below we show a ~30x speedup vs vanilla in running the eBPF selftests with every single #grsecurity option enabled!