Create documentation describing Linux kernel security options #69

Open
a13xp0p0v opened this issue Jul 4, 2022 · 8 comments
Labels
new_feature A new feature of the tool

Comments

@a13xp0p0v
Owner

No description provided.

@a13xp0p0v added the new_feature label Jul 4, 2022
@o8opi
Contributor

o8opi commented Apr 9, 2023

Would love to see this, even if it's just a list of links and pointers to other resources :)

@krishjainx
Contributor

krishjainx commented Mar 14, 2024

@a13xp0p0v @o8opi Are you looking for something like this? https://www.kernelconfig.io/CONFIG_BUG

The general form is https://www.kernelconfig.io/**CONFIG_NAME**

@jbmaillet

@a13xp0p0v
Owner Author

@krishjainx, @jbmaillet, yes, I mean creating the documentation describing how the checked parameters influence Linux kernel security.

Another good example is the CLIP OS documentation: https://docs.clip-os.org/clipos/kernel.html#configuration

I think of creating a doc directory with markdown files describing Kconfig options, kernel cmdline arguments, and sysctl parameters.

@krishjainx
Contributor

@a13xp0p0v That sounds like a great idea! That's a lot of checked parameters, however, we should try to automate it so we can do it at scale. What do you think? There's reliable kernel documentation out there we could parse?

@a13xp0p0v
Owner Author

@krishjainx, yes, some part of this work can be automated.

For self_protection, security_policy, and harden_userspace parameters, the Kconfig descriptions and kernel documentation contain some security-relevant info.
Example: https://cateee.net/lkddb/web-lkddb/CFI_CLANG.html

But for cut_attack_surface parameters, the kernel documentation doesn't say much about the security implications.

@jvoisin
Contributor

jvoisin commented Apr 15, 2024

> But for cut_attack_surface parameters, the kernel documentation doesn't say much about the security implications.

I think it would make sense to add some info upstream in the Kconfig description. Ideally we should be able to run a glorified grep on the Kconfig and generate proper documentation.
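
A sketch of the "grep the Kconfig and generate documentation" idea from the comments above, added here as an example and not code from this project or from any participant. It extracts each option's prompt and help text from Kconfig source and emits one Markdown section per checked option, flagging options with no help text. The sample Kconfig text, the option names and both function names are constructed; only top-level `config`/`menuconfig` entries are handled.

```python
import re

# Constructed sample in Kconfig syntax (not copied from the kernel tree).
SAMPLE_KCONFIG = """\
config EXAMPLE_HARDENING
    bool "Example hardening feature"
    help
      First paragraph of constructed help.

      Second paragraph.
config EXAMPLE_LEGACY_IFACE
    tristate "Example legacy interface"
"""

ENTRY = re.compile(r"(?:menu)?config\s+(\w+)\s*$")
PROMPT = re.compile(r'\s+(?:bool|tristate|string|int|hex|prompt)\s+"([^"]*)"')
HELP = re.compile(r"\s+(?:help|---help---)\s*$")

def parse_kconfig(text):
    """Map option name -> {'prompt', 'help'} for top-level config/menuconfig entries."""
    entries, cur, base = {}, None, None  # base: help indent; None = not in help
    for raw in text.splitlines():
        line = raw.expandtabs(8)
        ind = len(line) - len(line.lstrip())
        if base is not None:
            if line.strip():
                base = base or ind  # first text line fixes the help indent
            if not line.strip() or (base and ind >= base):
                cur["help"].append(line[base:].rstrip())
                continue
            base = None  # a dedent ends the help text; re-read this line below
        if m := ENTRY.match(line):
            cur = entries.setdefault(m.group(1), {"prompt": "", "help": []})
        elif line.strip() and ind == 0:
            cur = None  # menu/choice/source etc.: not an option entry
        elif cur and (m := PROMPT.match(line)):
            cur["prompt"] = m.group(1)
        elif cur and HELP.match(line):
            base = 0  # in help, indent not yet known
    return {n: {"prompt": e["prompt"], "help": "\n".join(e["help"]).strip()}
            for n, e in entries.items()}

def render_markdown(entries, checked):
    """One section per checked option; options without help text are flagged."""
    out = []
    for name in checked:
        e = entries.get(name, {"prompt": "", "help": ""})
        title = f"## CONFIG_{name}" + (f": {e['prompt']}" if e["prompt"] else "")
        out.append(f"{title}\n\n{e['help'] or 'TODO: no Kconfig help text found.'}\n")
    return "\n".join(out)
```

The TODO marker lists the options that still need a hand-written security description, which is the gap the thread points out for the cut_attack_surface parameters.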

@jo-so

jo-so commented Jan 11, 2025

There is also Linux Hardening Guide | Madaidan's Insecurities which describes options like hidepid.
