grsecurity

This release adds gradm bugfixes, more configurable learning heuristics,
automatic tty sniffing detection in the RBAC system, and fixes for
hidden file support.

Changes in this version include PaX updates, a new configuration file for full learning, updated learning heuristics, id transitions in learning, grlearn performance enhancements, significant RBAC performance enhancements, a new inheritance-based learning mode, a destruction of unused shared memory feature from Openwall, an option for sysctl that enables all grsecurity options at boot-time, policy statistics in gradm, and a hardlink object mode in the RBAC system. This version has been released for the 2.4.28 and 2.6.10 kernels.

This release includes PaX updates, chroot restriction fixes, RBAC fixes, a complete logging system rewrite, and dramatic memory and CPU usage improvements for learning analysis and policy auto-generation.

Domain support was added. Regex matching was
enhanced. Automatic exploit bruteforce deterrence
was added. Directories are included in RBAC
configuration. RBAC-contextual logging was added.
Memory usage was reduced. PaX was updated.
Bugfixes were made. An important security issue
that allowed protected processes in the RBAC
system to be killed has been resolved. gradm has
been updated to 2.0.1 for this release.

This release features role-based access control allowing user,
group, and special roles, role transition tables, IP-based roles,
non-root access to special roles, and special roles that require
no authentication. It supports finer-grained object permissions
as well as kernel interpretation of inheritance and globbed
objects. Full pathnames for the offending process and parent
process are included in all logs. It is able to produce least
privilege policies for the entire system with no configuration.