The following notable security features are implemented in UEK R4:
The physical and virtual addresses at which the kernel image is decompressed are randomized (kernel address space layout randomization, KASLR) to deter exploits that rely on knowing where kernel internals are located.
The Kexec feature, which allows faster rebooting or automatically booting a new kernel after a crash, now supports allowing only signed kernels to be loaded with Kexec when UEFI Secure Boot is in use.
The kexec_load_disabled sysctl parameter can be used to disable Kexec, which allows a system to be better protected against privilege escalation. Once the parameter has been set to 1, the kexec system calls are refused and the parameter cannot be set back to 0 without rebooting.
An exe field has been added to the audit log to record the pathname of executables that produce core dumps.
An audit_backlog_wait_time configuration option has been added to the auditing subsystem so that callers are not blocked if auditd cannot keep up or is itself blocked. If the value of the audit_backlog_limit parameter is set to zero, the length of the backlog queue is limited only by the amount of system memory.
By default, errors on AUDIT_NEVER rules are now logged. The auditing subsystem now logs task information when the state of a feature is changed.
A netlink multicast socket has been added to allow read-only user-space clients, such as systemd, read-only access to the audit logs.
Secure generation of random numbers is available through the getrandom system call. Linux systems traditionally obtained their random numbers by reading /dev/random or /dev/urandom. This interface is vulnerable to file descriptor exhaustion attacks, in which an attacker consumes all available file descriptors so that the device can no longer be opened, and it is also inconvenient for use in containers. The getrandom system call, which is analogous to the getentropy call in OpenBSD, overcomes these problems because it requires no file descriptor. Note that getrandom blocks until the entropy pool has been initialized unless the GRND_NONBLOCK flag is passed, and that a request for more than 256 bytes may return fewer bytes than asked for, so callers must handle short reads.
SELinux now reports permissive mode in avc: denied messages, so a denial that was only logged (permissive=1) can be told apart from one that was actually enforced (permissive=0).
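As an added example, not code from the UEK release notes or from Oracle: the program below calls getrandom through syscall(2) (assumption: a Linux kernel of 3.17 or later, which UEK R4 satisfies), loops over short reads and EINTR, and then reproduces the descriptor-exhaustion point from the getrandom item above by lowering the soft RLIMIT_NOFILE to zero, so that open("/dev/urandom") fails with EMFILE while getrandom still returns bytes. The GRND_NONBLOCK constant is defined locally in case the build headers predate it; everything else is standard Linux/glibc.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <unistd.h>

/* getrandom(2) flag from <linux/random.h>; defined here so the program
 * also builds against older userspace headers. */
#ifndef GRND_NONBLOCK
#define GRND_NONBLOCK 0x0001
#endif

/*
 * Fill buf with len bytes from the kernel CSPRNG via getrandom(2).
 * The call is made through syscall(2) so it does not depend on the C
 * library providing a wrapper.  Returns 0 on success; -1 with errno set on
 * failure (ENOSYS: kernel older than 3.17; EAGAIN: GRND_NONBLOCK given and
 * the pool is not yet initialised).
 */
int fill_random(void *buf, size_t len, unsigned int flags)
{
    unsigned char *p = buf;
    size_t got = 0;

    while (got < len) {
        /* Requests above 256 bytes may be satisfied only partially, and any
         * request may be cut short by a signal, so loop until full. */
        long n = syscall(SYS_getrandom, p + got, len - got, flags);
        if (n < 0) {
            if (errno == EINTR)
                continue;   /* interrupted before any byte was copied */
            return -1;
        }
        got += (size_t)n;
    }
    return 0;
}

/*
 * Reproduce the file-descriptor-exhaustion scenario from the notes: with the
 * soft RLIMIT_NOFILE lowered to zero, open("/dev/urandom") fails with EMFILE,
 * while getrandom() still succeeds because it needs no descriptor.
 * Returns 1 if that is what happens, 0 if not, -1 if the limit could not be
 * adjusted.  The caller's original limit is restored before returning.
 */
int getrandom_survives_fd_exhaustion(void)
{
    struct rlimit saved, tight;
    unsigned char buf[16];
    int fd, open_errno, rand_rc;

    if (getrlimit(RLIMIT_NOFILE, &saved) != 0)
        return -1;
    tight = saved;
    tight.rlim_cur = 0;                 /* no new descriptor may be allocated */
    if (setrlimit(RLIMIT_NOFILE, &tight) != 0)
        return -1;

    fd = open("/dev/urandom", O_RDONLY);
    open_errno = errno;
    rand_rc = fill_random(buf, sizeof buf, 0);

    setrlimit(RLIMIT_NOFILE, &saved);   /* restore the caller's limit */
    if (fd >= 0) {
        close(fd);                      /* open unexpectedly succeeded */
        return 0;
    }
    return (open_errno == EMFILE && rand_rc == 0) ? 1 : 0;
}

/* Draw two 256-bit keys and report whether they differ: 1 yes, 0 identical,
 * -1 if getrandom() failed. */
int two_keys_differ(void)
{
    unsigned char k1[32], k2[32];

    if (fill_random(k1, sizeof k1, 0) != 0 || fill_random(k2, sizeof k2, 0) != 0)
        return -1;
    return memcmp(k1, k2, sizeof k1) != 0;
}

int main(void)
{
    unsigned char key[32];
    size_t i;

    /* Non-blocking probe: EAGAIN here means the pool is not seeded yet,
     * e.g. very early in boot or in a freshly started VM. */
    if (fill_random(key, sizeof key, GRND_NONBLOCK) != 0) {
        perror("getrandom(GRND_NONBLOCK)");
        return 1;
    }
    printf("key: ");
    for (i = 0; i < sizeof key; i++)
        printf("%02x", key[i]);
    printf("\nfd-exhaustion check: %d\n", getrandom_survives_fd_exhaustion());
    return 0;
}
```

The rlimit trick is only a stand-in for a real exhaustion attack (an attacker would fill the table with opened files rather than lower the limit), but the kernel path it exercises is the same: descriptor allocation fails before the path lookup, so the device cannot be opened, whereas getrandom copies straight from the kernel pool into the caller's buffer.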