Minimal supplement to upstream Kernel Self Protection Project changes. Features already provided by SELinux + Yama and archs other than multiarch arm64 / x86_64 aren't in scope. Only tags have stable history. Shared IRC channel with KSPP: irc.freenode.net ##linux-hardened. Currently maintained at https://github.com/anthraxx/linux-hardened.
Ideally, out-of-line metadata like bitmaps would be used. However, progress can be made without any drastic changes particularly when canaries are enabled. It would be nice to have fast range-checking code, similar to the existing debug code but likely without the expensive % checking alignment or at least it should be micro-optimized. It also needs to check in more places than the debug code to have the full intended security value.
Ideally, out-of-line metadata like bitmaps would be used. However, progress can be made without any drastic changes particularly when canaries are enabled. It would be nice to have fast range-checking code, similar to the existing debug code but likely without the expensive
%checking alignment or at least it should be micro-optimized. It also needs to check in more places than the debug code to have the full intended security value.