No team is ever going to be able to fully review and understand a project like Linux. It is beyond human understanding / capabilities. It's immensely complex without clear boundaries between different things. No one is even attempting to do any kind of full picture review of it.
It's not something that can simply be replaced with a drop-in replacement unless that includes running the Linux kernel on top of it or using gVisor, which is what we are considering doing in the long term for GrapheneOS. You'll be building around how Linux and *nix works.
If app compat with an existing platform is a non-goal, it doesn't really fit. There are projects and companies developing devices meant to be secure in a much more meaningful way. I do not think it can be built on the Linux kernel, and definitely not any major Linux distribution.
That's userspace hardening, not kernel hardening, and the kernel is by far the biggest issue even with a richly functional userspace like Android. Kernel vulnerabilities are the majority of the severe ones and are part of most real world attacks. It's the easiest way out of the app sandbox or better sandboxes. It renders most of the OS security inconsequential once there's a decent application security model and other security features. It's not possible to really do much better while still having Linux as the weak link at the core of everything.
Particularly when each major release of Linux is making the issues substantially worse. It's not getting better. When you move from an older LTS to a newer one, you're getting massively increased complexity, massively increased attack surface, less understanding / review overall.
Each major kernel upgrade is a downgrade in terms of having something that could actually be made reasonably secure. Sure, they come with various new mitigations, but they're not game changing and are just trying to make an increasingly bad situation less bad. It's unworkable.
Software also depends more and more on this extended functionality / attack surface. If you're using mainstream software, rather than a fully custom userspace, you're increasingly locked into using Linux. Even switching to something like OpenBSD becomes less realistic over time.