Kernel Self Protection Project (KSPP)

The Kernel Self Protection Project is a community effort to harden the upstream Linux kernel by eliminating classes of vulnerabilities.

Many similar protections have existed in other projects, but have yet to have been upstreamed. Since Moby is a consumer of the Linux kernel and aims to be the most secure distro it can be, it is in our maintainers' best interests to collaborate on upstream Linux security measures.

Roadmap

Near-term:

• We've aligned our kernel_config and sysctl settings with the KSPP recommendations - we should continue to track these
  • Note: we check for these settings in our CI tests (see check_kernel_config.sh)
• @tych0 is working on KSPP patches, which are submitted to the kernel hardening mailing list

Long-term:

• Increase involvement in the project