grsecurity is a set of patches for the Linux kernel with an emphasis on enhancing security. It allows the system administrator to, among other things, define a least privilege policy for the system, in which every process and user have only the lowest privileges needed to function.

This book is intended as a comprehensive up-to-date user guide about setting up and administrating a grsecurity-enabled system.

Table of Contents edit

Introduction edit

Overview  
Terminology  
How to Contribute  

Installation edit

Obtaining Required Components  
Downloading grsecurity
Downloading gradm
Downloading the Linux Kernel
Verifying the Downloads
Configuring and Installing grsecurity  
Patching Your Kernel with grsecurity
Configuring the Kernel
Compiling and Installing the Kernel

Administration edit

The Administration Utility (gradm)  
Installation
Usage
Learning Mode
Additional Utilities  
Controlling PaX Flags (paxctl)
Displaying Program Capabilities (pspax)
Managing the Executable Stack of Binaries (execstack)
Runtime Configuration Through sysctl  
Troubleshooting

Policy Configuration edit

The RBAC System in grsecurity  
What Is an RBAC System?
Limitations of any Access Control System  
Policy Structure  
Rules for Policies  
Roles  
Subjects  
Domains  
Capability Restrictions  
Resource Restrictions  
Socket Policies  
PaX Flags  
Flow of Matches  
Policy Recommendations  
Sample Policies  

Application-specific Settings edit

Show full list / Add Application
ATI Catalyst (fglrx)
cPanel jailshell
Firefox/Iceweasel
Google Chrome
Grub
GUFW/UFW firewalls or Update Manager
IOQuake3
ISC DHCP Server
Java
Nagios
Node.js
Openoffice.org
PHP and other applications that set their own resource limits
X.org

Reporting Bugs edit

Reporting bugs  
Contacts
Requirements

Appendix edit

Lists edit

Grsecurity and PaX Configuration Options  

Tables edit

Role Modes  
Role Attributes  
Subject Modes  
Subject Attributes  
Object Modes  
PaX Flags  
Capability Names and Descriptions  
System Resources  
Sysctl Options  

Credits and Permissions edit

See Credits and Permissions for details about copyright and references of this document.

External Links edit