World Library  
Flag as Inappropriate
Email this Article


Article Id: WHEBN0000882519
Reproduction Date:

Title: Grsecurity  
Author: World Heritage Encyclopedia
Language: English
Subject: Hardened Gentoo, Security-focused operating system, PaX, Address space layout randomization, Role-based access control
Collection: Linux Security Software, Operating System Security
Publisher: World Heritage Encyclopedia


Developer(s) Brad Spengler (Spender)
Stable release 3.1 for Linux Kernels 3.2.72 and 3.14.54
(15 October 2015)
Preview release 3.1 for Linux Kernel 4.2.3
(17 October 2015)
Operating system Linux
Platform Linux kernel
Type Security
License GPL v2[1]
Website .netgrsecurity

grsecurity is a set of patches for the Linux kernel which emphasizes security enhancements.[2] It is typically used by computer systems which accept remote connections from untrusted locations, such as web servers and systems offering shell access to its users.


  • PaX 1
  • Role-based access control 2
  • Chroot restrictions 3
  • Miscellaneous features 4
  • See also 5
  • References 6
  • External links 7


A major component bundled with grsecurity is PaX. Among other features, the patch flags data memory, the stack, for example, as non-executable and program memory as non-writable. The aim is to prevent memory from being overwritten, which can help to prevent many types of security vulnerabilities, such as buffer overflows. PaX also provides address space layout randomization (ASLR), which randomizes important memory addresses to reduce the probability of attacks that rely on easily predicted memory addresses. PaX is not developed by the grsecurity developers. It is available in other Linux distributions such as Gentoo or IPFire, and directly from grsecurity.[3]

Role-based access control

Another notable component of grsecurity is that it provides a full role-based access control (RBAC) system. RBAC is intended to restrict access to the system further than what is normally provided by Unix access control lists, with the aim of creating a fully least-privilege system, where users and processes have the absolute minimum privileges to work correctly and nothing more. This way, if the system is compromised, the ability of the attacker to damage or gain sensitive information on the system can be drastically reduced. RBAC works through a collection of roles. Each role can have individual restrictions on what they can or cannot do, and these roles and restrictions form an access policy, which can be amended as needed.

A list of RBAC features:

  • Domain support for users and groups
  • Role transition tables
  • IP-based roles
  • Non-root access to special roles
  • Special roles that require no authentication
  • Nested subjects
  • Support for variables in the configuration
  • And, or, and difference set operations on variables in configuration
  • Object mode that controls the creation of setuid and setgid files
  • Create and delete object modes
  • Kernel interpretation of inheritance
  • Real-time regular expression resolution
  • Ability to deny ptraces to specific processes
  • User and group transition checking and enforcement on an inclusive or exclusive basis
  • /dev/grsec entry for kernel authentication and learning logs
  • Next-generation code that produces least-privilege policies for the entire system with no configuration
  • Policy statistics for gradm
  • Inheritance-based learning
  • Learning configuration file that allows the administrator to enable inheritance-based learning or disable learning on specific paths
  • Full path names for offending process and parent process
  • RBAC status function for gradm
  • /proc//ipaddr gives the remote address of the person who started a given process
  • Secure policy enforcement
  • Supports read, write, append, execute, view, and read-only ptrace object permissions
  • Supports hide, protect, and override subject flags
  • Supports the PaX flags
  • Shared memory protection feature
  • Integrated local attack response on all alerts
  • Subject flag that ensures a process can never execute trojaned code
  • Full-featured, fine-grained auditing
  • Resource, socket, and capability support
  • Protection against exploit bruteforcing
  • /proc/pid filedescriptor/memory protection
  • Rules can be placed on non-existent files/processes
  • Policy regeneration on subjects and objects
  • Configurable log suppression
  • Configurable process accounting
  • Human-readable configuration
  • Not filesystem or architecture dependent
  • Scales well: supports as many policies as memory can handle with the same performance hit
  • No run-time memory allocation
  • SMP safe
  • O(1) time efficiency for most operations
  • Include directive for specifying additional policies
  • Enable, disable, reload capabilities
  • Option to hide kernel processes

Chroot restrictions

grsecurity restricts chroot in a variety of ways to prevent a variety of vulnerabilities and privilege escalation attacks, as well as to add additional checks.

Chroot Modifications:

  • No attaching shared memory outside of chroot
  • No kill outside of chroot
  • No ptrace outside of chroot (architecture independent)
  • No capget outside of chroot
  • No setpgid outside of chroot
  • No getpgid outside of chroot
  • No getsid outside of chroot
  • No sending of signals by fcntl outside of chroot
  • No viewing of any process outside of chroot, even if /proc is mounted
  • No mounting or remounting
  • No pivot_root
  • No double chroot
  • No fchdir out of chroot
  • Enforced chdir("/") upon chroot
  • No (f)chmod +s
  • No mknod
  • No sysctl writes
  • No raising of scheduler priority
  • No connecting to abstract unix domain sockets outside of chroot
  • Removal of harmful privileges via cap

Miscellaneous features

grsecurity also adds enhanced auditing to the Linux kernel. Among other things, it can be configured to audit a specific group of users, mounting/unmounting of devices, changes to the system time and date, and chdir logging. Some of the other audit types allow the administrator to also log denied resource attempts, failed fork attempts, IPC creation and removal, and exec logging together with its arguments.

Trusted path execution is another optional feature that can be used to prevent users from executing binaries not owned by the root user, or world-writable binaries. This is useful to prevent users from executing their own malicious binaries or accidentally executing world-writable system binaries that could have been modified by a malicious user.

grsecurity also hardens the way chroot "jails" work. A chroot jail can be used to isolate a particular process from the rest of the system, which can be used to minimise the potential for damage should the service be compromised. There are ways to "break out" of a chroot jail, which grsecurity attempts to prevent.

There are also other features that increase security and prevent users from gaining unnecessary knowledge about the system, such as restricting the dmesg and netstat commands to the root user.[4]

List of additional features and security improvements:

  • /proc restrictions that do not leak information about process owners
  • Symlink/hardlink restrictions to prevent /tmp races
  • FIFO restrictions
  • dmesg restriction
  • Enhanced implementation of trusted path execution
  • GID-based socket restrictions
  • Nearly all options are sysctl-tunable, with a locking mechanism
  • All alerts and audits support a feature that logs the IP address of the attacker with the log
  • Stream connections across Unix domain sockets carry the attacker's IP address with them (on 2.4 only)
  • Detection of local connections: copies attacker's IP address to the other task
  • Automatic deterrence of exploit brute-forcing
  • Low, medium, high, and custom security levels
  • Tunable flood-time and burst for logging

See also


  1. ^ grsecurity license
  2. ^ Linux Kernel Security (SELinux vs AppArmor vs Grsecurity)
  3. ^ "Homepage of PaX". Retrieved 2010-08-12. 
  4. ^ "grsecurity". Retrieved 2010-08-12. 

External links

  • Official website
  • Academic Research Publications Mentioning grsecurity/PaX
  • The future for grsecurity,, January 7, 2009, by Jake Edge
This article was sourced from Creative Commons Attribution-ShareAlike License; additional terms may apply. World Heritage Encyclopedia content is assembled from numerous content providers, Open Access Publishing, and in compliance with The Fair Access to Science and Technology Research Act (FASTR), Wikimedia Foundation, Inc., Public Library of Science, The Encyclopedia of Life, Open Book Publishers (OBP), PubMed, U.S. National Library of Medicine, National Center for Biotechnology Information, U.S. National Library of Medicine, National Institutes of Health (NIH), U.S. Department of Health & Human Services, and, which sources content from all federal, state, local, tribal, and territorial government publication portals (.gov, .mil, .edu). Funding for and content contributors is made possible from the U.S. Congress, E-Government Act of 2002.
Crowd sourced content that is contributed to World Heritage Encyclopedia is peer reviewed and edited by our editorial staff to ensure quality scholarly research articles.
By using this site, you agree to the Terms of Use and Privacy Policy. World Heritage Encyclopedia™ is a registered trademark of the World Public Library Association, a non-profit organization.

Copyright © World Library Foundation. All rights reserved. eBooks from Project Gutenberg are sponsored by the World Library Foundation,
a 501c(4) Member's Support Non-Profit Organization, and is NOT affiliated with any governmental agency or department.