mirror of
https://github.com/linuxkit/linuxkit.git
synced 2025-10-31 03:40:16 +00:00
22 lines
1.0 KiB
Markdown
22 lines
1.0 KiB
Markdown
# Kernel Self Protection Project (KSPP)
|
|
|
|
The [Kernel Self Protection Project](https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project) is a community
|
|
effort to harden the upstream Linux kernel by eliminating classes of vulnerabilities.
|
|
|
|
Many similar protections have existed in other projects, but have yet to have been upstreamed. Since Moby is a consumer
|
|
of the Linux kernel and aims to be the most secure distro it can be, it is in our maintainers' best interests to collaborate
|
|
on upstream Linux security measures.
|
|
|
|
|
|
## Roadmap
|
|
|
|
**Near-term:**
|
|
- We've aligned our `kernel_config` and `sysctl` settings with the
|
|
[KSPP recommendations](https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project#Recommended_settings) -
|
|
we should continue to track these
|
|
- Note: we check for these settings in our CI tests (see `check_kernel_config.sh`)
|
|
- @tych0 is working on KSPP patches, which are submitted to the [kernel hardening mailing list](http://www.openwall.com/lists/kernel-hardening/)
|
|
|
|
**Long-term:**
|
|
- Increase involvement in the project
|