The Kernel Self Protection Project is a community effort to harden the upstream Linux kernel by eliminating classes of vulnerabilities.
Many similar protections have existed in other projects, but have yet to have been upstreamed. Since Moby is a consumer of the Linux kernel and aims to be the most secure distro it can be, it is in our maintainers' best interests to collaborate on upstream Linux security measures.
Near-term:
- We've aligned our
kernel_config
andsysctl
settings with the KSPP recommendations - we should continue to track these- Note: we check for these settings in our CI tests (see
check_kernel_config.sh
)
- Note: we check for these settings in our CI tests (see
- @tych0 is working on KSPP patches, which are submitted to the kernel hardening mailing list
Long-term:
- Increase involvement in the project