[ubuntu-hardened] grsec chroot protections

Kees Cook kees at ubuntu.com
Tue Nov 16 20:39:41 GMT 2010


Hi Peter,

On Mon, Nov 15, 2010 at 01:52:13PM -0800, Peter Moody wrote:
> knowing that this might be a somewhat touchy subject and with my
> expectations set thusly, I wanted to ask about the possibility/feasibility
> of including some of (hopefully) more self-contained parts of the grsec
> patch-set in the (default) ubuntu kernel. Specifically I'm looking at the
> chroot protections. Is pulling something like this into the ubuntu kernel
> something that would be appropriate for ubuntu-hardened or is it an all or
> nothing (emphasis on nothing) sort of thing WRT the ubuntu kernel and grsec?

No worries, it's not a touchy subject for us.

While grsecurity is a monolithic patch, it does have individual components
that can be extracted, especially the userspace hardening bits like
chroot restrictions. We've actually been working on trying to get bits
and pieces of grsecurity into Ubuntu and ultimately the upstream kernel
(since maintaining a delta from upstream results in constant work from
release to release). For some details on these "out of mainline security
protections" (not just grsec), see here:

https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening

Now, the downside is that the chroot restrictions were specifically skipped
because it seemed like the return on investment was low (i.e. upstream
doesn't want these changes for chroots, since they're more interested in
making containers work). That said, you can see the work I did in the above
link on extracting one of the protections.

If you're interested in extracting these pieces and trying to get them
into the mainline kernel, that'd be great. Recently Dan Rosenberg has had
some success with other grsecurity features (e.g. CONFIG_GRKERNSEC_DMESG).
So it's possible these things can go in, though in the chroot case, I think
making containers easier to use is a better direction -- lxc instead of
chroot.

-Kees

-- 
Kees Cook
Ubuntu Security Team
