security guide: fix table formatting

Merged Marta Rybczynska requested to merge mrybczyn/docs:docs/security-fix into main
All threads resolved!
1 file changed (+49, -63)
@@ -51,19 +51,17 @@ leaking data freed from memory, and accessing wrong memory zones.
@@ -51,19 +51,17 @@ leaking data freed from memory, and accessing wrong memory zones.
Source files: ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_allocator.cfg``
Source files: ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_allocator.cfg``
and ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_allocator_perf.cfg``.
and ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_allocator_perf.cfg``.
```
+-------------------------------------+-------------+
+---------------------------------+-------------+
| Config option | Oniro state |
| Config option | Oniro state |
+=====================================+=============+
+=================================+=============+
| ``CONFIG_SLAB_FREELIST_RANDOM`` | On |
| CONFIG_SLAB_FREELIST_RANDOM | On |
| ``CONFIG_SLAB_FREELIST_HARDENED`` | On |
| CONFIG_SLAB_FREELIST_HARDENED | On |
| ``CONFIG_SHUFFLE_PAGE_ALLOCATOR`` | On |
| CONFIG_SHUFFLE_PAGE_ALLOCATOR | On |
| ``CONFIG_PAGE_POISONING`` | On |
| CONFIG_PAGE_POISONING | On |
| ``CONFIG_PAGE_POISONING_NO_SANITY`` | On |
| CONFIG_PAGE_POISONING_NO_SANITY | On |
| ``CONFIG_PAGE_POISONING_ZERO`` | On |
| CONFIG_PAGE_POISONING_ZERO | On |
| ``CONFIG_INIT_ON_ALLOC_DEFAULT_ON`` | On |
| CONFIG_INIT_ON_ALLOC_DEFAULT_ON | On |
+-------------------------------------+-------------+
+---------------------------------+-------------+
```
**CONFIG_SLAB_FREELIST_RANDOM=y**
**CONFIG_SLAB_FREELIST_RANDOM=y**
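Review bot: the table rows in this hunk drop the ``literal`` markup around the option names (``CONFIG_SLAB_FREELIST_RANDOM`` becomes CONFIG_SLAB_FREELIST_RANDOM) while the 'Source files:' paths above the table and the '**CONFIG_SLAB_FREELIST_RANDOM=y**' heading below keep inline markup for the same kind of identifier; either keep the literal markup in the cells (the borders then stay 37 characters wide) or drop it throughout the section so Kconfig symbols render one way. Two rows also need a kernel-version note: CONFIG_PAGE_POISONING_NO_SANITY and CONFIG_PAGE_POISONING_ZERO were removed upstream in Linux 5.11 (poisoning now always uses the pattern plus sanity check, and zeroing on free is handled by init_on_free), so a reader on a newer kernel will find neither symbol; stating which kernel the 'Oniro state' column was checked against avoids that confusion.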
@@ -150,15 +148,13 @@ Reducing Attack Surface
@@ -150,15 +148,13 @@ Reducing Attack Surface
The following options remove some obsolete or un-needed features, which could
The following options remove some obsolete or un-needed features, which could
make attacks easier:
make attacks easier:
```
+-------------------------------------+-------------+
+---------------------------------+-------------+
| Config option | Oniro state |
| Config option | Oniro state |
+=====================================+=============+
+=================================+=============+
| ``CONFIG_COMPAT_BRK`` | Off |
| CONFIG_COMPAT_BRK | Off |
| ``CONFIG_PROC_KCORE`` | Off |
| CONFIG_PROC_KCORE | Off |
| ``CONFIG_BINFMT_MISC`` | Off |
| CONFIG_BINFMT_MISC | Off |
+-------------------------------------+-------------+
+---------------------------------+-------------+
```
**Option: CONFIG_COMPAT_BRK is not set**
**Option: CONFIG_COMPAT_BRK is not set**
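Review bot: the trailing context line '**Option: CONFIG_COMPAT_BRK is not set**' uses a different heading form from '**CONFIG_SLAB_FREELIST_RANDOM=y**' in the allocator section; writing it the way the symbol appears in a .config ('**# CONFIG_COMPAT_BRK is not set**') keeps the per-option headings uniform and lets a reader grep the rendered page against /proc/config.gz. The 'Off' rows would also read better with the interface they remove named next to them: /proc/kcore exposes a readable image of kernel memory to privileged users and binfmt_misc registers user-supplied interpreters for executables, which is what makes them attack surface rather than just "obsolete or un-needed features".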
@@ -200,13 +196,11 @@ Dmesg Options
@@ -200,13 +196,11 @@ Dmesg Options
Those options are related to the kernel log in ``dmesg``:
Those options are related to the kernel log in ``dmesg``:
```
+-------------------------------------+-------------+
+---------------------------------+-------------+
| Config option | Oniro state |
| Config option | Oniro state |
+=====================================+=============+
+=================================+=============+
| ``CONFIG_SECURITY_DMESG_RESTRICT`` | On |
| CONFIG_SECURITY_DMESG_RESTRICT | On |
+-------------------------------------+-------------+
+---------------------------------+-------------+
```
Source files: ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_dmesg.cfg``
Source files: ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_dmesg.cfg``
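Review bot: the trailing 'Source files:' line lists a single file (hardening_dmesg.cfg), and the compiler-hardening hunk below uses 'Source file:' for the same situation; use the singular here. The single row would also benefit from one clause on what it restricts, since the intro only says the option is 'related to the kernel log': CONFIG_SECURITY_DMESG_RESTRICT makes reading the kernel log through dmesg(8) require CAP_SYSLOG, which keeps kernel addresses and driver messages away from unprivileged processes.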
@@ -225,13 +219,11 @@ Compiler-level Hardening
@@ -225,13 +219,11 @@ Compiler-level Hardening
Those options enable checks done by the compiler:
Those options enable checks done by the compiler:
```
+-------------------------------------+-------------+
+---------------------------------+-------------+
| Config option | Oniro state |
| Config option | Oniro state |
+=====================================+=============+
+=================================+=============+
| ``CONFIG_FORTIFY_SOURCE`` | On |
| CONFIG_FORTIFY_SOURCE | On |
+-------------------------------------+-------------+
+---------------------------------+-------------+
```
Source file: ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_fortify_source.cfg``.
Source file: ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_fortify_source.cfg``.
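Review bot: the intro 'Those options enable checks done by the compiler' introduces a one-row table, and neither mentions the precondition that matters for this option: CONFIG_FORTIFY_SOURCE depends on ARCH_HAS_FORTIFY_SOURCE and on a compiler that supports __builtin_object_size, so an architecture or toolchain without that support silently gets no fortified string functions. A sentence telling the reader how to confirm the setting on the built image (CONFIG_FORTIFY_SOURCE=y in the generated .config or in /proc/config.gz) would make the 'Oniro state' column verifiable rather than declarative.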
@@ -249,14 +241,12 @@ Memory Accesses
@@ -249,14 +241,12 @@ Memory Accesses
With those options we disable the complete physical memory access and detect
With those options we disable the complete physical memory access and detect
unsafe memory permissions:
unsafe memory permissions:
```
+----------------------------------+-------------+
+-------------------------------+-------------+
| Config option | Oniro state |
| Config option | Oniro state |
+==================================+=============+
+===============================+=============+
| ``CONFIG_DEBUG_WX`` | On |
| CONFIG_DEBUG_WX | On |
| ``CONFIG_DEVMEM`` | Off |
| CONFIG_DEVMEM | Off |
+----------------------------------+-------------+
+-------------------------------+-------------+
```
Source file: ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_memory.cfg``.
Source file: ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_memory.cfg``.
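Review bot: the intro line 'we disable the complete physical memory access' is vague about the mechanism; CONFIG_DEVMEM=n removes the /dev/mem character device altogether, which is stronger than the CONFIG_STRICT_DEVMEM filtering that is not listed here, so 'remove the /dev/mem interface to physical memory' says what the 'Off' row does. CONFIG_DEBUG_WX is only a detector, as the intro's 'detect' implies: it prints a warning at boot if any page is mapped both writable and executable and does not change the mapping, so the doc should tell the reader that the thing to check is a boot log without a W+X warning.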
@@ -296,14 +286,12 @@ Copying from Userspace
@@ -296,14 +286,12 @@ Copying from Userspace
Those options add verification when copying potentially malicious data from
Those options add verification when copying potentially malicious data from
the user space:
the user space:
```
+---------------------------------------+-------------+
+-----------------------------------+-------------+
| Config option | Oniro state |
| Config option | Oniro state |
+=======================================+=============+
+===================================+=============+
| ``CONFIG_HARDENED_USERCOPY`` | On |
| CONFIG_HARDENED_USERCOPY | On |
| ``CONFIG_HARDENED_USERCOPY_FALLBACK`` | Off |
| CONFIG_HARDENED_USERCOPY_FALLBACK | Off |
+---------------------------------------+-------------+
+-----------------------------------+-------------+
```
File: ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_usercopy.cfg``.
File: ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_usercopy.cfg``.
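Review bot: the 'File:' label on the trailing line differs from the 'Source file:' label used in the other hunks of this same document; pick one. More important, CONFIG_HARDENED_USERCOPY_FALLBACK (the 'Off' row) was removed upstream in Linux 5.16, after which the whitelist check is always enforced with no fallback, so the row should state the kernel version it applies to or be dropped for newer kernels; otherwise a reader checking a recent .config will not find the symbol and may conclude the hardening is missing.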
@@ -345,17 +333,15 @@ Data Validation
@@ -345,17 +333,15 @@ Data Validation
With those options we add verification of the internal kernel data structures:
With those options we add verification of the internal kernel data structures:
```
+-------------------------------------+-------------+
+---------------------------------+-------------+
| Config option | Oniro state |
| Config option | Oniro state |
+=====================================+=============+
+=================================+=============+
| ``CONFIG_DEBUG_NOTIFIERS`` | On |
| CONFIG_DEBUG_NOTIFIERS | On |
| ``CONFIG_DEBUG_LIST`` | On |
| CONFIG_DEBUG_LIST | On |
| ``CONFIG_DEBUG_SG`` | On |
| CONFIG_DEBUG_SG | On |
| ``CONFIG_BUG_ON_DATA_CORRUPTION`` | On |
| CONFIG_BUG_ON_DATA_CORRUPTION | On |
| ``CONFIG_SCHED_STACK_END_CHECK`` | On |
| CONFIG_SCHED_STACK_END_CHECK | On |
+-------------------------------------+-------------+
+---------------------------------+-------------+
```
File: ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_validation_checks.cfg``.
File: ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_validation_checks.cfg``.
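Review bot: the 'File:' label again diverges from 'Source file:' used above, and this table needs one sentence on failure behaviour: CONFIG_BUG_ON_DATA_CORRUPTION turns the CONFIG_DEBUG_LIST and related data-structure checks from a warning into a BUG(), and CONFIG_SCHED_STACK_END_CHECK panics when the scheduler finds the stack end overwritten, so these 'On' settings deliberately trade availability (a crash or reboot) for halting on corrupted state. Stating that trade-off lets product teams decide whether to pair them with panic_on_oops and a watchdog so the device recovers instead of hanging.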