Grsecurity is a set of unrelated security patches for the Linux kernel. Each patch deals with a specific aspect of system security, such as prevention of arbitrary code execution or chroot hardening, to name just a few. Put together, these patches form an extensive security system integrated directly into the Linux kernel. The system is much easier to use than SELinux or AppArmor: once installed and configured, the user can forget about it, as it requires little or no maintenance. This makes Grsecurity ideal for desktops.
Firejail is supported on Grsecurity systems. Most of the time it works exactly the same way it works on regular systems. Currently, the --chroot and --overlay command line options are not supported.
We follow Grsecurity development in Debian. Grsecurity is available to Debian users from jessie-backports, testing or sid repositories. The install commands are:
$ sudo apt-get install linux-image-4.4.0-1-grsec-amd64
$ sudo apt-get install linux-headers-4.4.0-1-grsec-amd64
Grsecurity can also be installed manually; the process is described in the Grsecurity Wikibook. We keep in our GitHub repository the kernel configuration used in the Debian build, and the sysctl runtime configuration (/etc/sysctl.d/grsec.conf).
Disable PaX MPROTECT for Firefox/Iceweasel and its plugin-container helper with paxctl (-c converts the binary's PT_GNU_STACK program header into a PT_PAX_FLAGS header, -m then marks MPROTECT as disabled in it):

(on Debian systems)
$ sudo paxctl -c /usr/lib/iceweasel/iceweasel
$ sudo paxctl -m /usr/lib/iceweasel/iceweasel
$ sudo paxctl -c /usr/lib/iceweasel/plugin-container
$ sudo paxctl -m /usr/lib/iceweasel/plugin-container

(on other Linux systems)
$ sudo paxctl -c /usr/lib/firefox/firefox
$ sudo paxctl -m /usr/lib/firefox/firefox
$ sudo paxctl -c /usr/lib/firefox/plugin-container
$ sudo paxctl -m /usr/lib/firefox/plugin-container
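As an added example (not Firejail or Grsecurity project code), the following Python script reads back what the paxctl commands above change: it walks the ELF program headers, looks for the PT_PAX_FLAGS entry that paxctl -c creates, and decodes its p_flags bits, so you can confirm that MPROTECT is marked disabled on the Firefox binaries before running them under the sandbox. The type and flag constants are the ones PaX adds to elf.h; build_sample_elf produces constructed, headers-only stand-ins for real binaries so the script runs offline, and the file path argument is an assumption for real use.

```python
"""Decode the PaX flags stored in an ELF binary's PT_PAX_FLAGS program header.

Added example, not Firejail/Grsecurity code. paxctl -c turns the PT_GNU_STACK
program header into a PT_PAX_FLAGS one and paxctl -m sets the "MPROTECT
disabled" bit in its p_flags; this script reads those bits back.
"""
import struct
import sys

PT_GNU_STACK = 0x6474E551
PT_PAX_FLAGS = 0x65041580          # PT_LOOS + 0x5041580, as defined by PaX

# (enable bit, disable bit) pairs from PaX's elf.h additions; paxctl's
# upper/lower-case options (-M / -m and friends) set exactly one of each pair.
PAX_FLAG_BITS = {
    "PAGEEXEC": (1 << 4, 1 << 5),
    "SEGMEXEC": (1 << 6, 1 << 7),
    "MPROTECT": (1 << 8, 1 << 9),
    "RANDEXEC": (1 << 10, 1 << 11),
    "EMUTRAMP": (1 << 12, 1 << 13),
    "RANDMMAP": (1 << 14, 1 << 15),
}


def _program_headers(data):
    """Yield (p_type, p_flags) for every program header, ELF32 or ELF64."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    end = {1: "<", 2: ">"}[ei_data]             # EI_DATA: 1 = LSB, 2 = MSB
    if ei_class == 2:                           # ELFCLASS64
        ehdr = struct.unpack_from(end + "16sHHIQQQIHHHHHH", data, 0)
        ph_fmt, flags_at = end + "IIQQQQQQ", 1  # p_flags directly follows p_type
    elif ei_class == 1:                         # ELFCLASS32
        ehdr = struct.unpack_from(end + "16sHHIIIIIHHHHHH", data, 0)
        ph_fmt, flags_at = end + "IIIIIIII", 6  # p_flags is second to last
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    phoff, phentsize, phnum = ehdr[5], ehdr[9], ehdr[10]
    for i in range(phnum):
        ph = struct.unpack_from(ph_fmt, data, phoff + i * phentsize)
        yield ph[0], ph[flags_at]


def read_pax_flags(data):
    """Return {'present': bool, 'flags': {name: state}} for the PT_PAX_FLAGS header.

    state is 'enabled', 'disabled', 'default' (kernel/sysctl policy decides)
    or 'conflict' (both bits set, which paxctl never produces).
    """
    report = {"present": False, "flags": {}}
    for p_type, p_flags in _program_headers(data):
        if p_type != PT_PAX_FLAGS:
            continue
        report["present"] = True
        for name, (on, off) in PAX_FLAG_BITS.items():
            if p_flags & on and p_flags & off:
                state = "conflict"
            elif p_flags & on:
                state = "enabled"
            elif p_flags & off:
                state = "disabled"
            else:
                state = "default"
            report["flags"][name] = state
    return report


def mprotect_disabled(data):
    """True only if the binary carries an explicit 'MPROTECT off' marking."""
    return read_pax_flags(data)["flags"].get("MPROTECT") == "disabled"


def build_sample_elf(pax_pflags=None):
    """Constructed x86-64 ELF consisting of headers only (no code), for testing.

    Mimics a freshly linked binary (PT_GNU_STACK present); pass pax_pflags to
    add a PT_PAX_FLAGS header the way paxctl -c / -m would.
    """
    phdrs = [(PT_GNU_STACK, 0x6, 0, 0, 0, 0, 0, 16)]   # PF_R|PF_W: non-exec stack
    if pax_pflags is not None:
        phdrs.append((PT_PAX_FLAGS, pax_pflags, 0, 0, 0, 0, 0, 16))
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, LSB, v1
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", e_ident, 2, 62, 1, 0, 64, 0, 0,
                       64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs)


if __name__ == "__main__":
    # Assumed usage: python3 paxflags.py /usr/lib/iceweasel/iceweasel
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_sample_elf(1 << 9)
    report = read_pax_flags(data)
    if not report["present"]:
        print("no PT_PAX_FLAGS header (run paxctl -c first)")
    for name, state in report["flags"].items():
        print("%-9s %s" % (name, state))
```

Run against the iceweasel or firefox binary and compare with paxctl -v, which prints the same flags as a letter string (a lowercase m means MPROTECT disabled). A binary with no PT_PAX_FLAGS header at all has not been through paxctl -c yet, and paxctl -m alone will not help it.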