security guide: fix table formatting

Signed-off-by: Marta Rybczynska <mrybczynska@syslinbit.com>

security guide: fix table formatting
Signed-off-by: Marta Rybczynska <mrybczynska@syslinbit.com>
2188c31d · Marta Rybczynska · 4e282acc · 2188c31d
Commit 2188c31d authored 2 years ago by Marta Rybczynska
--- a/security/guide.rst
+++ b/security/guide.rst
@@ -51,19 +51,17 @@ leaking data freed from memory, and accessing wrong memory zones.
 Source files: ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_allocator.cfg``
 and ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_allocator_perf.cfg``.
-```
+-------------------------------------+-------------+
-+---------------------------------+-------------+
+| Config option                       | Oniro state |
-| Config option                   | Oniro state |
+=====================================+=============+
-+=================================+=============+
+| ``CONFIG_SLAB_FREELIST_RANDOM``     | On          |
-| CONFIG_SLAB_FREELIST_RANDOM     | On          |
+| ``CONFIG_SLAB_FREELIST_HARDENED``   | On          |
-| CONFIG_SLAB_FREELIST_HARDENED   | On          |
+| ``CONFIG_SHUFFLE_PAGE_ALLOCATOR``   | On          |
-| CONFIG_SHUFFLE_PAGE_ALLOCATOR   | On          |
+| ``CONFIG_PAGE_POISONING``           | On          |
-| CONFIG_PAGE_POISONING           | On          |
+| ``CONFIG_PAGE_POISONING_NO_SANITY`` | On          |
-| CONFIG_PAGE_POISONING_NO_SANITY | On          |
+| ``CONFIG_PAGE_POISONING_ZERO``      | On          |
-| CONFIG_PAGE_POISONING_ZERO      | On          |
+| ``CONFIG_INIT_ON_ALLOC_DEFAULT_ON`` | On          |
-| CONFIG_INIT_ON_ALLOC_DEFAULT_ON | On          |
+-------------------------------------+-------------+
-+---------------------------------+-------------+
-```
 **CONFIG_SLAB_FREELIST_RANDOM=y**
@@ -150,15 +148,13 @@ Reducing Attack Surface
 The following options remove some obsolete or un-needed features, which could
 make attacks easier:
-```
+-------------------------------------+-------------+
-+---------------------------------+-------------+
+| Config option                       | Oniro state |
-| Config option                   | Oniro state |
+=====================================+=============+
-+=================================+=============+
+| ``CONFIG_COMPAT_BRK``               | Off         |
-| CONFIG_COMPAT_BRK               | Off         |
+| ``CONFIG_PROC_KCORE``               | Off         |
-| CONFIG_PROC_KCORE               | Off         |
+| ``CONFIG_BINFMT_MISC``              | Off         |
-| CONFIG_BINFMT_MISC              | Off         |
+-------------------------------------+-------------+
-+---------------------------------+-------------+
-```
 **Option: CONFIG_COMPAT_BRK is not set**
@@ -200,13 +196,11 @@ Dmesg Options
 Those options are related to the kernel log in ``dmesg``:
-```
+-------------------------------------+-------------+
-+---------------------------------+-------------+
+| Config option                       | Oniro state |
-| Config option                   | Oniro state |
+=====================================+=============+
-+=================================+=============+
+| ``CONFIG_SECURITY_DMESG_RESTRICT``  | On          |
-| CONFIG_SECURITY_DMESG_RESTRICT  | On          |
+-------------------------------------+-------------+
-+---------------------------------+-------------+
-```
 Source files: ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_dmesg.cfg``
@@ -225,13 +219,11 @@ Compiler-level Hardening
 Those options enable checks done by the compiler:
-```
+-------------------------------------+-------------+
-+---------------------------------+-------------+
+| Config option                       | Oniro state |
-| Config option                   | Oniro state |
+=====================================+=============+
-+=================================+=============+
+| ``CONFIG_FORTIFY_SOURCE``           | On          |
-| CONFIG_FORTIFY_SOURCE           | On          |
+-------------------------------------+-------------+
-+---------------------------------+-------------+
-```
 Source file: ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_fortify_source.cfg``.
@@ -249,14 +241,12 @@ Memory Accesses
 With those options we disable the complete physical memory access and detect
 unsafe memory permissions:
-```
+----------------------------------+-------------+
-+-------------------------------+-------------+
+| Config option                    | Oniro state |
-| Config option                 | Oniro state |
+==================================+=============+
-+===============================+=============+
+| ``CONFIG_DEBUG_WX``              | On          |
-| CONFIG_DEBUG_WX               | On          |
+| ``CONFIG_DEVMEM``                | Off         |
-| CONFIG_DEVMEM                 | Off         |
+----------------------------------+-------------+
-+-------------------------------+-------------+
-```
 Source file: ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_memory.cfg``.
@@ -296,14 +286,12 @@ Copying from Userspace
 Those options add verification when copying potentially malicious data from
 the user space:
-```
+---------------------------------------+-------------+
-+-----------------------------------+-------------+
+| Config option                         | Oniro state |
-| Config option                     | Oniro state |
+=======================================+=============+
-+===================================+=============+
+| ``CONFIG_HARDENED_USERCOPY``          | On          |
-| CONFIG_HARDENED_USERCOPY          | On          |
+| ``CONFIG_HARDENED_USERCOPY_FALLBACK`` | Off         |
-| CONFIG_HARDENED_USERCOPY_FALLBACK | Off         |
+---------------------------------------+-------------+
-+-----------------------------------+-------------+
-```
 File: ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_usercopy.cfg``.
@@ -345,17 +333,15 @@ Data Validation
 With those options we add verification of the internal kernel data structures:
-```
+-------------------------------------+-------------+
-+---------------------------------+-------------+
+| Config option                       | Oniro state |
-| Config option                   | Oniro state |
+=====================================+=============+
-+=================================+=============+
+| ``CONFIG_DEBUG_NOTIFIERS``          | On          |
-| CONFIG_DEBUG_NOTIFIERS          | On          |
+| ``CONFIG_DEBUG_LIST``               | On          |
-| CONFIG_DEBUG_LIST               | On          |
+| ``CONFIG_DEBUG_SG``                 | On          |
-| CONFIG_DEBUG_SG                 | On          |
+| ``CONFIG_BUG_ON_DATA_CORRUPTION``   | On          |
-| CONFIG_BUG_ON_DATA_CORRUPTION   | On          |
+| ``CONFIG_SCHED_STACK_END_CHECK``    | On          |
-| CONFIG_SCHED_STACK_END_CHECK    | On          |
+-------------------------------------+-------------+
-+---------------------------------+-------------+
-```
 File: ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_validation_checks.cfg``.