From 2b6888d31c836c084f9650563bf6af44b0a6120d Mon Sep 17 00:00:00 2001 From: mudcam Date: Fri, 8 Dec 2017 22:54:58 +0100 Subject: José's feedback MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- security-blueprint/part-4/1-General.md | 28 ++++++++++++++++++++++------ 1 file changed, 22 insertions(+), 6 deletions(-) (limited to 'security-blueprint/part-4/1-General.md') diff --git a/security-blueprint/part-4/1-General.md b/security-blueprint/part-4/1-General.md index 013762f..6f951db 100644 --- a/security-blueprint/part-4/1-General.md +++ b/security-blueprint/part-4/1-General.md @@ -1,17 +1,25 @@ # General configuration -## MAC +## Mandatory Access Control Kernel should controls access with labels and policy. Domain | Object | Recommendations --------------------- | ------ | -------------------- -Kernel-General-MAC-1 | SMACK | Must implement a MAC +-------------------- | ------ | ------------------------------------------ +Kernel-General-MAC-1 | SMACK | Must implement a Mandatory Access Control. + + +Domain | Improvement +------------ | ---------------- +Kernel-MAC-1 | Add MAC config note. + + + -------------------------------------------------------------------------------- ## Disable kexec @@ -129,9 +137,9 @@ This configuration for is supported in **Linux 3.16 and greater** and thus shoul -Domain | `Config` name | `Value` ------------------------- | ------------- | ------- -Kernel-General-BPF_JIT-1 | `BPF_JIT` | `n` +Domain | `Config` name | `Value` +------------------------ | ---------------- | ------- +Kernel-General-BPF_JIT-1 | `CONFIG_BPF_JIT` | `n` 
@@ -139,6 +147,14 @@ Kernel-General-BPF_JIT-1 | `BPF_JIT` | `n` ## Enable Enforced Module Signing +The kernel should never allow an unprivileged user the ability to load specific kernel modules, +since that would provide a facility to unexpectedly extend the available attack surface. + +To protect against even privileged users, systems may need to either disable +module loading entirely, or provide signed modules +(e.g. CONFIG_MODULE_SIG_FORCE, or dm-crypt with LoadPin), to keep from having +root load arbitrary kernel code via the module loader interface. + This configuration is supported in **Linux 3.7 and greater** and thus should only be enabled for such versions. -- cgit
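Review bot: in the first hunk (General.md, `@@ -1,17 +1,25 @@`) the new "Improvement" table uses the domain id `Kernel-MAC-1`, which does not match the `Kernel-General-MAC-1` id used in the recommendation table two lines above it; pick one naming scheme so the two tables can be cross-referenced. While touching this section, the unchanged context line "Kernel should controls access with labels and policy." should read "The kernel should control access with labels and policy.", the new row text "Must implement a Mandatory Access Control." reads better as "Must implement Mandatory Access Control.", and the three blank lines added before the horizontal rule can be dropped.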
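Review bot: in the second hunk (`@@ -129,9 +137,9 @@`) the rename of `BPF_JIT` to `CONFIG_BPF_JIT` is correct, but the hunk header's context line "This configuration for is supported in **Linux 3.16 and greater**" carries a stray "for" that should be removed in the same change since this paragraph is already being edited. If the `CONFIG_` prefix is the convention from now on, apply it to every `Config` name table in the file in this commit rather than one row at a time.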
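Review bot: the third hunk (`@@ -139,6 +147,14 @@`) adds the module-signing rationale as prose only; the other sections of this file record each recommendation as a `Domain | Config name | Value` row (see the `Kernel-General-BPF_JIT-1 | CONFIG_BPF_JIT | n` row in the previous hunk), so add a matching row for `CONFIG_MODULE_SIG_FORCE` with value `y` so the check is machine-readable like the rest of the blueprint. Two smaller points: the parenthetical "dm-crypt with LoadPin" should say "dm-verity with LoadPin" (LoadPin's own documentation expects the pinned filesystem to be backed by a read-only, integrity-verified device such as dm-verity; dm-crypt provides confidentiality, not integrity), and the sentence "This configuration is supported in **Linux 3.7 and greater**" should state which option that version applies to now that two mechanisms are named.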