kNoX - implementation of a non-executable page protection mechanism
kNoX adds a non-executable page protection mechanism to the Linux kernel on the i386 architecture. The implementation is very efficient, with no impact on system performance, so it appears to be the fastest of all available similar solutions.
The non-executable page protection mechanism is the essential security feature of the kNoX patch. It also provides several extra features, mostly taken from the Openwall patch:
- Destroying shared memory segments that are not in use by any process
- Enforcing RLIMIT_NPROC on the execve(2) system call
- Special handling of file descriptors 0, 1 and 2, ensuring that these descriptors are always open
- Restricted /proc kernel interface
- Restricted FIFOs in +t directories
- Restricted links in +t directories
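The user-space side of the "file descriptors 0, 1 and 2 always open" feature, as an added example that is not part of kNoX: a privileged program started with one of the standard descriptors closed would otherwise receive that number back from its first open(2) and silently mix file data with its stdin, stdout or stderr. The helper names are hypothetical; the sanitising idiom itself is the standard one a setuid program applies before any other open(2).

```c
/* Added example (not kNoX code): close-on-startup sanitising of fds 0-2.
 * Helper names (fd_is_open, ensure_std_fds) are hypothetical. */
#include <fcntl.h>
#include <unistd.h>

/* Returns 1 if descriptor fd is currently open, 0 if it is closed. */
int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1;
}

/* Makes sure fds 0, 1 and 2 are open, pointing any closed one at
 * /dev/null. Returns the number of descriptors that had to be reopened,
 * or -1 if /dev/null could not be opened. Call this first thing in a
 * setuid/setgid program, before any other open(2). */
int ensure_std_fds(void)
{
    int reopened = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (fd_is_open(fd))
            continue;
        /* open(2) hands back the lowest free descriptor, which is exactly
         * the closed one being repaired, so the result normally equals fd. */
        int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nfd == -1)
            return -1;
        if (nfd != fd) {          /* a lower fd was free after all: move it */
            if (dup2(nfd, fd) == -1) {
                close(nfd);
                return -1;
            }
            close(nfd);
        }
        reopened++;
    }
    return reopened;
}

int main(void)
{
    /* Constructed demonstration: deliberately close stdin, then repair it. */
    close(0);
    int n = ensure_std_fds();
    return (n >= 1 && fd_is_open(0) && fd_is_open(1) && fd_is_open(2)) ? 0 : 1;
}
```

Without this (or the kNoX kernel-side guarantee), a later open() of a sensitive file in such a program would land on fd 0, 1 or 2 and be reachable through the process's standard streams.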
kNoX is run-time configurable via the sysctl interface.
Currently, the only available version is intended for 2.2.x kernels.
For more details, refer to the README file shipped with the source tarball.