Overview of security features

This page provides a high-level overview of the security features in Ubuntu, their default configurations and rationale for having them enabled or disabled.

| Area | Feature | 20.04 LTS | 22.04 LTS | 24.04 LTS | 24.10 | 25.04 |
|---|---|---|---|---|---|---|
| Privilege restriction | AppArmor | 2.13.3 | 3.0.4 | 3.0.7 | 3.0.7 | 3.0.7 |
| Privilege restriction | AppArmor unprivileged user namespace restrictions | | | kernel & userspace | kernel & userspace | kernel & userspace |
| Privilege restriction | SELinux | universe | universe | universe | universe | universe |
| Privilege restriction | SMACK | kernel | kernel | kernel | kernel | kernel |
| Privilege restriction | PR_SET_SECCOMP | kernel | kernel | kernel | kernel | kernel |
| Privilege restriction | Seccomp Filtering | kernel | kernel | kernel | kernel | kernel |
| Privilege restriction | Filesystem Capabilities | kernel & userspace (default on server) | kernel & userspace (default on server) | kernel & userspace (default on server) | kernel & userspace (default on server) | kernel & userspace (default on server) |
| Storage and filesystem | Full disk encryption (FDE) | LUKS + TPM | LUKS + TPM | LUKS + TPM | LUKS + TPM | LUKS + TPM |
| Storage and filesystem | Encrypted LVM | main installer | main installer | main installer | main installer | main installer |
| Storage and filesystem | File Encryption | ZFS dataset encryption available, encrypted Home (eCryptfs) and ext4 encryption (fscrypt) available in universe | ZFS dataset encryption available, encrypted Home (eCryptfs) and ext4 encryption (fscrypt) available in universe | ZFS dataset encryption available, encrypted Home (eCryptfs) and ext4 encryption (fscrypt) available in universe | ZFS dataset encryption available, encrypted Home (eCryptfs) and ext4 encryption (fscrypt) available in universe | ZFS dataset encryption available, encrypted Home (eCryptfs) and ext4 encryption (fscrypt) available in universe |
| Network and firewalls | No Open Ports | policy | policy | policy | policy | policy |
| Network and firewalls | SYN Cookies | kernel & sysctl | kernel & sysctl | kernel & sysctl | kernel & sysctl | kernel & sysctl |
| Network and firewalls | Firewall | ufw | ufw | ufw | ufw | ufw |
| Cryptography | Password Hashing | sha512 | yescrypt | yescrypt | yescrypt | yescrypt |
| Cryptography | Cloud PRNG Seed | pollinate | pollinate | pollinate | pollinate | pollinate |
| Cryptography | Disable Legacy TLS | policy | policy | policy | policy | policy |
| Process and memory protections | Symlink restrictions | kernel | kernel | kernel | kernel | kernel |
| Process and memory protections | Hardlink restrictions | kernel | kernel | kernel | kernel | kernel |
| Process and memory protections | FIFO restrictions | kernel & sysctl | kernel & sysctl | kernel & sysctl | kernel & sysctl | kernel & sysctl |
| Process and memory protections | Regular file restrictions | kernel & sysctl | kernel & sysctl | kernel & sysctl | kernel & sysctl | kernel & sysctl |
| Process and memory protections | Stack Protector | gcc patch | gcc patch | gcc patch | gcc patch | gcc patch |
| Process and memory protections | Heap Protector | glibc | glibc | glibc | glibc | glibc |
| Process and memory protections | Pointer Obfuscation | glibc | glibc | glibc | glibc | glibc |
| Process and memory protections | Stack ASLR | kernel | kernel | kernel | kernel | kernel |
| Process and memory protections | Libs/mmap ASLR | kernel | kernel | kernel | kernel | kernel |
| Process and memory protections | Exec ASLR | kernel | kernel | kernel | kernel | kernel |
| Process and memory protections | brk ASLR | kernel | kernel | kernel | kernel | kernel |
| Process and memory protections | vDSO ASLR | kernel | kernel | kernel | kernel | kernel |
| Process and memory protections | Built as PIE | gcc patch (amd64, ppc64el, s390x), package list for others | gcc patch (amd64, ppc64el, s390x), package list for others | gcc patch (amd64, ppc64el, s390x), package list for others | gcc patch (amd64, ppc64el, s390x), package list for others | gcc patch (amd64, ppc64el, s390x), package list for others |
| Process and memory protections | Built with Fortify Source | gcc patch | gcc patch | gcc patch | gcc patch | gcc patch |
| Process and memory protections | Built with RELRO | gcc patch | gcc patch | gcc patch | gcc patch | gcc patch |
| Process and memory protections | Built with BIND_NOW | gcc patch (amd64, ppc64el, s390x), package list for others | gcc patch (amd64, ppc64el, s390x), package list for others | gcc patch (amd64, ppc64el, s390x), package list for others | gcc patch (amd64, ppc64el, s390x), package list for others | gcc patch (amd64, ppc64el, s390x), package list for others |
| Process and memory protections | Built with -fstack-clash-protection | gcc patch (i386, amd64, ppc64el, s390x) | gcc patch (i386, amd64, ppc64el, s390x) | gcc patch (i386, amd64, ppc64el, s390x) | gcc patch (i386, amd64, ppc64el, s390x) | gcc patch (i386, amd64, ppc64el, s390x) |
| Process and memory protections | Built with -fcf-protection | gcc patch (i386, amd64) | gcc patch (i386, amd64) | gcc patch (i386, amd64) | gcc patch (i386, amd64) | gcc patch (i386, amd64) |
| Process and memory protections | Non-Executable Memory | PAE, ia32 partial-NX-emulation | PAE, ia32 partial-NX-emulation | PAE, ia32 partial-NX-emulation | PAE, ia32 partial-NX-emulation | PAE, ia32 partial-NX-emulation |
| Process and memory protections | /proc/$pid/maps protection | kernel | kernel | kernel | kernel | kernel |
| Process and memory protections | ptrace scope | kernel | kernel | kernel | kernel | kernel |
| Process and memory protections | 0-address protection | kernel | kernel | kernel | kernel | kernel |
| Process and memory protections | /dev/mem protection | kernel | kernel | kernel | kernel | kernel |
| Kernel protections | Kernel Lockdown | integrity only, no confidentiality | integrity only, no confidentiality | integrity only, no confidentiality | integrity only, no confidentiality | integrity only, no confidentiality |
| Kernel protections | /dev/kmem disabled | kernel | kernel | kernel | kernel | kernel |
| Kernel protections | Block module loading | sysctl | sysctl | sysctl | sysctl | sysctl |
| Kernel protections | Read-only data sections | kernel | kernel | kernel | kernel | kernel |
| Kernel protections | Kernel Stack protector | kernel | kernel | kernel | kernel | kernel |
| Kernel protections | Module RO/NX | kernel | kernel | kernel | kernel | kernel |
| Kernel protections | Kernel Address Display Restriction | kernel | kernel | kernel | kernel | kernel |
| Kernel protections | Kernel Address Space Layout Randomisation | kernel (i386, amd64, arm64, and s390 only) | kernel (i386, amd64, arm64, and s390 only) | kernel (i386, amd64, arm64, and s390 only) | kernel (i386, amd64, arm64, and s390 only) | kernel (i386, amd64, arm64, and s390 only) |
| Kernel protections | Denylist Rare Protocols | kernel | kernel | kernel | kernel | kernel |
| Kernel protections | dmesg restrictions | sysctl | kernel | kernel | kernel | kernel |
| Kernel protections | Block kexec | sysctl | sysctl | sysctl | sysctl | sysctl |
| Platform protections | UEFI Secure Boot | amd64, kernel signature enforcement | amd64, kernel signature enforcement | amd64, kernel signature enforcement | amd64, kernel signature enforcement | amd64, kernel signature enforcement |
| Platform protections | usbguard | kernel & userspace | kernel & userspace | kernel & userspace | kernel & userspace | kernel & userspace |
| Platform protections | usbauth | kernel & userspace | kernel & userspace | kernel & userspace | kernel & userspace | kernel & userspace |
| Platform protections | bolt | kernel & userspace | kernel & userspace | kernel & userspace | kernel & userspace | kernel & userspace |
| Platform protections | thunderbolt-tools | kernel & userspace | kernel & userspace | kernel & userspace | kernel & userspace | kernel & userspace |
| Security updates | Livepatch | 20.04 LTS Kernel | 22.04 LTS Kernel | 24.04 LTS Kernel | | |

Additional Documentation