The UbuntuHardened project separates the deployment of Proactive Security and intrusion prevention technologies in toolchain (userland) and kernel-level fields/areas.
In the kernel-level, security enhancements modify the kernel API in order to get rid of low-level protection techniques (ie. memory address space layout randomization), and provide fine-grained control over low-level operations.
Most important fields regarding security technologies are memory management protection and access control, thus, we focuse on technologies related with these.
PT_PAX_FLAGS or PT_GNU_STACK
ELF headers control the behavior of PaX in a per-binary/filoe basis. PaX supports its own set of markings, PT_PAX_FLAGS, and also Red Hat's PT_GNU_STACK, which is also supported by Red Hat's Exec Shield.
- PT_PAX_FLAGS requires binutils modifications to emmit this header.
- PT_GNU_STACK should already be available on binaries in Ubuntu
- Used by PaX softmode, unmarked binaries will be unprotected (good for compatibility)
- Many apps that require executable stack already emmit disable flags for PT_GNU_STACK
- Legacy Flags
- Binaries can be flagged with neither of these ELF headers using chpax
- This is a (deprecated) hack
Security-Enhanced development and deployment is documented in it's own wiki page, SELinux.
grSecurity is being deployed in the way of split up patches, but it can be used in tandem with SELinux, among PAX. Anyways, only one security model, either grSecurity RBAC or SELinux MAC (TE & RBAC also), can be used.