CONFIG_SECURITY_LOADPIN | y | my | self_protection || FAIL: "is not set"
CONFIG_RESET_ATTACK_MITIGATION | y | my | self_protection || OK
CONFIG_SLAB_MERGE_DEFAULT | is not set | my | self_protection || FAIL: "y"
+ CONFIG_PAGE_POISONING_NO_SANITY | is not set | my | self_protection ||FAIL: CONFIG_PAGE_POISONING is needed
+ CONFIG_PAGE_POISONING_ZERO | is not set | my | self_protection ||FAIL: CONFIG_PAGE_POISONING is needed
CONFIG_SECURITY | y |defconfig | security_policy || OK
CONFIG_SECURITY_YAMA | y | kspp | security_policy || OK
CONFIG_SECURITY_SELINUX_DISABLE | is not set | kspp | security_policy || OK
CONFIG_BPF_JIT | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_ARCH_MMAP_RND_BITS | 32 | my |userspace_protection|| FAIL: "28"
-[+] config check is finished: 'OK' - 43 / 'FAIL' - 58
+[+] config check is finished: 'OK' - 43 / 'FAIL' - 60
```
-__Go and fix them all!__
+### Questions and answers
-N.B. If `CONFIG_GCC_PLUGIN*` options are automatically disabled during your kernel compilation,
-then your gcc doesn't support plugins. For example, if you have `gcc-7` on Ubuntu, try to install
-`gcc-7-plugin-dev` package, it should help.
+__Q:__ How disabling `CONFIG_USER_NS` cuts the attack surface? It's needed for containers!
+
+__A:__ Yes, the `CONFIG_USER_NS` option provides some isolation between the userspace programs,
+but the script recommends disabling it to cut the attack surface __of the kernel__.
+
+The rationale:
+
+ - A nice LWN article about the corresponding LKML discussion: https://lwn.net/Articles/673597/
+
+ - A twitter thread about `CONFIG_USER_NS` and security: https://twitter.com/robertswiecki/status/1095447678949953541
+
+<br />
+
+__Q:__ Why `CONFIG_GCC_PLUGINS` is automatically disabled during the kernel compilation?
+
+__A:__ It means that your gcc doesn't support plugins. For example, if you have `gcc-7` on Ubuntu,
+try to install `gcc-7-plugin-dev` package, it should help.
[1]: http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings