From df4bdd6e9e5669451e7f60ecdc5c9e0d25e3f726 Mon Sep 17 00:00:00 2001 From: Sebastien Douheret Date: Fri, 8 Dec 2017 17:40:04 +0100 Subject: Added templating for section-xxx tags. Security Blueprint doc uses specific tags to display arrays (see docs/security-blueprint/README.md) Signed-off-by: Sebastien Douheret --- security-blueprint/part-4/2-Memory.md | 36 +++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) (limited to 'security-blueprint/part-4/2-Memory.md') diff --git a/security-blueprint/part-4/2-Memory.md b/security-blueprint/part-4/2-Memory.md index 07ddbc9..9cc9c16 100644 --- a/security-blueprint/part-4/2-Memory.md +++ b/security-blueprint/part-4/2-Memory.md @@ -6,13 +6,13 @@ The /dev/kmem file in Linux systems is directly mapped to kernel virtual memory. To disable the /dev/kmem file, which is very infrequently used by applications, the following kernel option should be set in the compile-time kernel configuration: - + Domain | `Config` name | `Value` ------------------------------ | ---------------- | ------- Kernel-Memory-RestrictAccess-1 | `CONFIG_DEVKMEM` | `n` - + In case applications in userspace need /dev/kmem support, it should be available only for authenticated applications. @@ -22,13 +22,13 @@ In case applications in userspace need /dev/kmem support, it should be available This kernel configuration disables access to a kernel core dump from user space. If enabled, it gives attackers a useful view into kernel memory. - + Domain | `Config` name | `Value` ------------------------ | ------------------- | ------- Kernel-Memory-CoreDump-1 | `CONFIG_PROC_KCORE` | `n` - + -------------------------------------------------------------------------------- 
@@ -36,13 +36,13 @@ Kernel-Memory-CoreDump-1 | `CONFIG_PROC_KCORE` | `n` If not disabled, attackers can enable swap at runtime, add pressure to the memory subsystem and then scour the pages written to swap for useful information. - + Domain | `Config` name | `Value` -------------------- | ------------- | ------- Kernel-Memory-Swap-1 | `CONFIG_SWAP` | `n` - + -------------------------------------------------------------------------------- @@ -54,14 +54,14 @@ There is a /proc/kallsyms file which exposes the kernel memory space address of Both `KALLSYMS_ALL` and `KALLSYMS` shall be disabled; - + Domain | `Config` name | `Value` ------------------------------ | --------------------- | ------- Kernel-Memory-LoadAllSymbols-1 | `CONFIG_KALLSYMS` | `n` Kernel-Memory-LoadAllSymbols-2 | `CONFIG_KALLSYMS_ALL` | `n` - + -------------------------------------------------------------------------------- @@ -73,13 +73,13 @@ This configuration is supported in **Linux 3.11 and greater** and thus should on This configuration also requires building the kernel with the **gcc compiler 4.2 or greater**. - + Domain | `Config` name | `Value` --------------------- | -------------------------- | ------- Kernel-Memory-Stack-1 | `CONFIG_CC_STACKPROTECTOR` | `y` - + -------------------------------------------------------------------------------- @@ -89,13 +89,13 @@ The /dev/mem file in Linux systems is directly mapped to physical memory. This c This configuration is supported in **Linux 4.0 and greater** and thus should only be disabled for such versions. - + Domain | `Config` name | `Value` ---------------------- | --------------- | ------- Kernel-Memory-Access-1 | `CONFIG_DEVMEM` | `n` - + -------------------------------------------------------------------------------- 
@@ -107,25 +107,25 @@ Disable the process_vm_*v syscalls which allow one process to peek/poke the virt This configuration is supported in **Linux 3.5 and greater** and thus should only be disabled for such versions. - + Domain | `Config` name | `Value` ------------------------------ | --------------------- | ------- Kernel-Memory-CrossMemAttach-1 | `CROSS_MEMORY_ATTACH` | `n` - + -------------------------------------------------------------------------------- ## Stack Smashing Attacks - + Domain | `compiler` and `linker` options | _State_ ----------------------------- | ------------------------------- | -------- Kernel-Memory-StackSmashing-1 | `-fstack-protector-all` | _Enable_ - + Emit extra code to check for buffer overflows, such as stack smashing attacks. @@ -133,12 +133,12 @@ Emit extra code to check for buffer overflows, such as stack smashing attacks. ## Detect Buffer Overflows - + Domain | `compiler` and `linker` options | `Value` ------------------------------- | ------------------------------- | ------- Kernel-Memory-BufferOverflows-1 | `-D_FORTIFY_SOURCE` | `2` - + Helps detect some buffer overflow errors. -- cgit
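Review bot: In the `@@ -54,14 +54,14 @@` hunk the introducing sentence "Both `KALLSYMS_ALL` and `KALLSYMS` shall be disabled;" ends with a semicolon where it leads into the table, and it names the options without the `CONFIG_` prefix that the table rows themselves use (`CONFIG_KALLSYMS`, `CONFIG_KALLSYMS_ALL`). Suggest ending the sentence with a colon and using the full `CONFIG_` names so the text and the table match.

Review bot: In the `@@ -73,13 +73,13 @@` hunk the context line "This configuration is supported in **Linux 3.11 and greater** and thus should only be disabled for such versions" contradicts the table two lines below, which sets `CONFIG_CC_STACKPROTECTOR` to `y`. The stack protector is being enabled, not disabled, so this sentence should read "should only be enabled for such versions" (the same wording is correct for the `CONFIG_DEVMEM` and `CROSS_MEMORY_ATTACH` hunks, where the value really is `n`).

Review bot: In the `@@ -107,25 +107,25 @@` hunk the row `Kernel-Memory-CrossMemAttach-1 | `CROSS_MEMORY_ATTACH` | `n`` is the only kernel-option row on the page whose `Config` name lacks the `CONFIG_` prefix; it should read `CONFIG_CROSS_MEMORY_ATTACH` for consistency with `CONFIG_DEVKMEM`, `CONFIG_SWAP` and the others. In the same hunk the Stack Smashing table uses a `_State_` column with the value `_Enable_`, while the Detect Buffer Overflows table in the following hunk uses a `Value` column with the literal `2`; since both describe compiler and linker options, suggest one header convention for both tables so the templating added in this commit renders them alike.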