Documentation
anonymous-lestat edited this page 2 years ago

Base Kernel: 5.4 Kernel, GrapheneOS Linux-Hardened patch, Whonix configuration (including modern kernel security configurations).

Our additions:

1. Tirdad Patch:

Kernel patch for the Linux kernel that generates random TCP Initial Sequence Numbers for IPv4 TCP connections.
This prevents deanonymization based on TCP ISNs.


Author: 0xsirus

2. IPC Hardening patch:

A kernel.harden_ipc sysctl that, when enabled, denies access to overly permissive IPC objects under the following criteria:

If the IPC object is world-accessible and the euid does not match the creator uid or the current uid of the IPC object.
If the IPC object is group-accessible and the egid does not match the creator gid or the current gid of the IPC object.

Based on GRKERNSEC_HARDEN_IPC.
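A user-space model of the two criteria above, added here as an illustration and not code from the patch or from grsecurity. It assumes a constructed struct ipc_obj standing in for the kernel's IPC permission record, compares only the egid (no supplementary groups) and leaves out the CAP_IPC_OWNER override:

```c
#include <sys/types.h>

/* Constructed stand-in for the kernel's IPC permission record: creator and
 * current owner ids plus the object's rwx mode bits (0777). */
struct ipc_obj {
    uid_t cuid, uid;
    gid_t cgid, gid;
    int mode;
};

/* Baseline (unhardened) rules, simplified: owner gets the user bits, a
 * matching egid gets the group bits, everyone else gets the other bits.
 * Supplementary groups and CAP_IPC_OWNER are not modelled (assumption). */
static int base_granted(const struct ipc_obj *o, uid_t euid, gid_t egid)
{
    int granted = o->mode;
    if (euid == o->cuid || euid == o->uid)
        granted >>= 6;
    else if (egid == o->cgid || egid == o->gid)
        granted >>= 3;
    return granted & 07;
}

/* kernel.harden_ipc model: a world-accessible object is locked to its
 * owner, and a group-accessible object is usable only when the egid
 * matches the creator or current gid. */
static int hardened_granted(const struct ipc_obj *o, uid_t euid, gid_t egid)
{
    int granted = o->mode;
    if (euid == o->cuid || euid == o->uid)
        return (granted >> 6) & 07;
    if (granted & 0007)          /* world bits set: likely wrong permissions */
        return 0;
    if (egid == o->cgid || egid == o->gid)
        return (granted >> 3) & 07;
    return 0;
}

/* requested is an rwx triple such as 04 (read) or 06 (read+write).
 * Returns 1 if permitted, 0 if denied. With harden set, an access the base
 * rules would grant is still denied when the hardened rules do not grant it. */
int ipc_permitted(const struct ipc_obj *o, uid_t euid, gid_t egid,
                  int requested, int harden)
{
    if (requested & ~base_granted(o, euid, egid) & 07)
        return 0;
    if (harden && (requested & ~hardened_granted(o, euid, egid) & 07))
        return 0;
    return 1;
}
```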

Author: Madaidan

3. Perf-event Patch:

Disallows all access to perf events by all users, including root, when the kernel.perf_event_open sysctl is set to >69, to reduce attack surface.


Original Version Author: Madaidan

4. Modharden Patch:

Restricts module auto-loading to CAP_SYS_MODULE.

Based on GRKERNSEC_MODHARDEN.

Author: Madaidan

5. Additional Kernel Slimming:

Slimmed down the kernel by several hundred unnecessary modules and monolithic features to reduce attack surface.

6. Void Linux build process fixes (e.g. removed module stripping, because it breaks module signature verification).