Backporting security features to LTS kernels

[madaidan]

Stable kernels have various security features that LTS kernels don't have such as lockdown, SafeSetID, page allocator freelist randomization, init_on_alloc etc. I think linux-hardened should backport/reimplement those security features in LTS kernels.

I can contribute many of these myself if you're interested. I've created some patches already.

This would be especially useful for Whonix's hardened-kernel as we're using LTS kernels for greater stability and less attack surface.

[hyder365]

5.11 rc out and hardened still hasn't caught up to 5.10.

What's the point of using a kernel patch / more secure configuration if it's left with security holes for so long and so often? 5.9 is EOL, and that's even worse, but it would still be vulnerable if it was "supported" upstream. We need to be on the latest kernel if we want the fixes.

[anthraxx]

There is a 5.10 branch for quite a while, you are free to easily use it to create your patch set file and also give feedback. However stop hijacking arbitrary threads.