			      Grsecurity features

   grsecurity 2.0 RBAC features
   _________________________________________________________________

   * Role-Based Access Control

   * User, group, and special roles

   * Role transition tables

   * IP-based roles

   * Non-root access to special roles

   * Special roles that require no authentication

   * Nested subjects

   * Variable support in configuration

   * And, or, and difference set operations on variables in configuration

   * Object mode that controls the creation of setuid and setgid files

   * Create and delete object modes

   * Kernel interpretation of inheritance

   * Real-time regular-expression resolution

   * Ability to deny ptraces to specific processes

   * User and group transition checking and enforcement on an inclusive
     or exclusive basis

   * /dev/grsec entry for kernel authentication and learning logs

   * Next-generation code that produces least-privilege policies for the
     entire system with no configuration

   * Full pathnames for offending process and parent process

   * RBAC status function for gradm

   * /proc/<pid>/ipaddr gives the remote address of the person who
     started a given process

   * All other features of grsecurity 1.9.x MAC system

   grsecurity 1.9.x MAC system features
   _________________________________________________________________

   * Process-based Mandatory Access Control

   * Secure policy enforcement

   * Supports read, write, append, execute, view, and read-only ptrace
     object permissions

   * Supports hide, protect, and override subject flags

   * Supports the PaX flags

   * Shared memory protection feature

   * Integrated local attack response on all alerts

   * Subject flag that ensures a process can never execute trojaned code

   * Intelligent learning mode that produces least-privilege ACLs with no
     configuration

   * Full-featured fine-grained auditing

   * Resource ACLs

   * Socket ACLs

   * File/process ACLs

   * Capabilities

   * Protection against exploit bruteforcing

   * /proc/<pid> file descriptor and memory protection

   * ACLs can be placed on non-existent files/processes

   * ACL regeneration on subjects and objects

   * Administrative mode to use for regular sysadmin tasks

   * ACL system is resealed upon admin logout

   * Globbing support on ACL objects

   * Configurable log suppression

   * Configurable process accounting

   * Human-readable configuration

   * Not filesystem dependent

   * Not architecture dependent

   * Scales well: supports as many ACLs as memory can handle

   * No runtime memory allocation

   * SMP safe

   * O(1) time efficiency for most operations

   * Include directive for specifying additional ACLs

   * Enable, disable, reload capabilities

   * Userspace option to test permissions on an ACL

   * Option to hide kernel processes

   Chroot restrictions
   _________________________________________________________________

   * No attaching shared memory outside of chroot

   * No kill outside of chroot

   * No ptrace outside of chroot (architecture independent)

   * No capget outside of chroot

   * No setpgid outside of chroot

   * No getpgid outside of chroot

   * No getsid outside of chroot

   * No sending of signals by fcntl outside of chroot

   * No viewing of any process outside of chroot, even if /proc is
     mounted

   * No mounting or remounting

   * No pivot_root

   * No double chroot

   * No fchdir out of chroot

   * Enforced chdir("/") upon chroot

   * No (f)chmod +s

   * No mknod

   * No sysctl writes

   * No raising of scheduler priority

   * No connecting to abstract Unix domain sockets outside of chroot

   * Removal of harmful privileges via capabilities

   * Exec logging within chroot

   Address space modification protection
   _________________________________________________________________

   * PaX: Page-based implementation of non-executable user pages for
     i386, sparc, sparc64, alpha, parisc, amd64, ia64, and ppc

   * PaX: Segmentation-based implementation of non-executable user pages
     for i386 with negligible performance hit

   * PaX: Segmentation-based implementation of non-executable KERNEL
     pages for i386

   * PaX: Mprotect restrictions prevent new code from entering a task

   * PaX: Randomization of stack and mmap base for i386, sparc, sparc64,
     alpha, parisc, amd64, ia64, ppc, and mips

   * PaX: Randomization of heap base for i386, sparc, sparc64, alpha,
     parisc, amd64, ia64, ppc, and mips

   * PaX: Randomization of executable base for i386, sparc, sparc64,
     alpha, parisc, amd64, ia64, and ppc

   * PaX: Randomization of kernel stack

   * PaX: Automatically emulate sigreturn trampolines (for libc5, glibc
     2.0, uClibc, Modula-3 compatibility)

   * PaX: No ELF .text relocations

   * PaX: Trampoline emulation (GCC and Linux sigreturn)

   * PaX: PLT emulation for non-i386 archs

   * No kernel modification via /dev/mem, /dev/kmem, or /dev/port

   * Option to disable use of raw I/O

   * Removal of addresses from /proc/<pid>/[maps|stat]

   Auditing features
   _________________________________________________________________

   * Option to specify single group to audit

   * Exec logging with arguments

   * Denied resource logging

   * Chdir logging

   * Mount and unmount logging

   * IPC creation/removal logging

   * Signal logging

   * Failed fork logging

   * Time change logging

   Randomization features
   _________________________________________________________________

   * Larger entropy pools

   * Randomized TCP Initial Sequence Numbers

   * Randomized PIDs

   * Randomized IP IDs

   * Randomized TCP source ports

   * Randomized RPC XIDs

   Other features
   _________________________________________________________________

   * /proc restrictions that don't leak information about process owners

   * Symlink/hardlink restrictions to prevent /tmp races

   * FIFO restrictions

   * dmesg(8) restriction

   * Enhanced implementation of Trusted Path Execution

   * GID-based socket restrictions

   * Nearly all options are sysctl-tunable, with a locking mechanism

   * All alerts and audits support a feature that logs the IP of the
     attacker with the log

   * Stream connections across Unix domain sockets carry the attacker's
     IP with them

   * Detection of local connections: copies attacker's IP to the other
     task

   * Low, Medium, High, and Custom security levels

   * Tunable flood-time and burst for logging
