I frequently needed a way to check a kernel config and other OS configuration for popular distributions to make a dev/design decision.
My specific use-case: KubeArmor leverages LSMs (Linux Security Modules) and eBPF for in-kernel policy controls. We had to refer to kernel configs for making design/dev decisions regarding whether we can depend on a certain kernel primitive. The boot configs part of this repo helped in making an informed choice.
Use following command to create a Distro/Kernel specific folder with the corresponding markdowns:
curl -s https://raw.githubusercontent.com/nyrahul/linux-kernel-configs/main/lk-config-get.sh | bash -s
if curl is not available, use wget ...
wget -q -O- https://raw.githubusercontent.com/nyrahul/linux-kernel-configs/main/lk-config-get.sh | bash -s
- Copy the folder to your github fork
- Run
make - Raise a PR
| Distro | Arch | Kernel | BPF LSM | AppArmor | SELinux | LandLock | SMACK |
|---|---|---|---|---|---|---|---|
| Amazon Linux 2022 | x86_64 | 5.10.75 | Y | N | Y | N | N |
| Amazon Linux 2 | x86_64 | 4.14.252 | N | N | Y | N | N |
| Amazon Linux 2 | x86_64 | 5.10.75 | Y | N | Y | N | N |
| CentOS Linux 7 (Core) | x86_64 | 3.10.0 | N | N | Y | N | N |
| CentOS Linux 8 | x86_64 | 4.18.0 | N | N | Y | N | N |
| Container-Optimized OS from Google | x86_64 | 5.4.144 | N | Y | N | N | N |
| Debian GNU/Linux 10 (buster) | x86 | 4.19.181 | N | Y | Y | N | N |
| Fedora CoreOS 35.20211203.3.0 | x86_64 | 5.15.6 | Y | N | Y | Y | N |
| Flatcar Container Linux by Kinvolk 3033.2.0 (Oklo) | x86 | 5.10.84 | Y | N | Y | N | N |
| k3OS v0.21.5-k3s2r1 | x86 | 5.4.0 | N | Y | Y | N | Y |
| Pop!_OS 21.04 | x86 | 5.11.0 | Y | Y | Y | N | Y |
| Pop!_OS 21.10 | x86 | 5.15.5 | Y | Y | Y | Y | Y |
| RancherOS v1.5.8 | x86 | 4.14.138 | N | Y | Y | N | Y |
| Raspbian GNU/Linux 10 (buster) | arm | 5.10.17 | N | Y | N | N | N |
| Red Hat Enterprise Linux 8.4 (Ootpa) | x86_64 | 4.18.0 | N | N | Y | N | N |
| SUSE Linux Enterprise Server 12 SP5 | x86_64 | 4.12.14 | N | Y | Y | N | N |
| SUSE Linux Enterprise Server 15 SP3 | x86 | 5.3.18 | Y | Y | Y | N | N |
| Ubuntu 18.04.6 LTS | x86 | 4.15.0 | N | Y | Y | N | Y |
| Ubuntu 18.04.6 LTS | x86_64 | 5.4.0 | N | Y | Y | N | Y |
| Ubuntu 20.04.3 LTS | x86_64 | 5.11.0 | N | Y | Y | N | Y |
| Ubuntu 20.04.3 LTS | x86 | 5.11.0 | N | Y | Y | N | Y |
| VMware Photon OS/Linux | x86_64 | 5.10.61 | N | Y | Y | N | Y |
Few LSMs are not stackable. For example, AppArmor and SELinux are not stackable. If you find that support for both SELinux and AppArmor are available, then only one can be enabled at boot time.
BPF LSM is the new kid on the block. BPF LSM depends on bpf-helpers and they vary from kernel to kernel.
| Distro | Arch | Kernel | Seccomp | Seccomp Filter |
|---|---|---|---|---|
| Amazon Linux 2022 | x86_64 | 5.10.75 | Y | Y |
| Amazon Linux 2 | x86_64 | 4.14.252 | Y | Y |
| Amazon Linux 2 | x86_64 | 5.10.75 | Y | Y |
| CentOS Linux 7 (Core) | x86_64 | 3.10.0 | Y | Y |
| CentOS Linux 8 | x86_64 | 4.18.0 | Y | Y |
| Container-Optimized OS from Google | x86_64 | 5.4.144 | Y | Y |
| Debian GNU/Linux 10 (buster) | x86 | 4.19.181 | Y | Y |
| Fedora CoreOS 35.20211203.3.0 | x86_64 | 5.15.6 | Y | Y |
| Flatcar Container Linux by Kinvolk 3033.2.0 (Oklo) | x86 | 5.10.84 | Y | Y |
| k3OS v0.21.5-k3s2r1 | x86 | 5.4.0 | Y | Y |
| Pop!_OS 21.04 | x86 | 5.11.0 | Y | Y |
| Pop!_OS 21.10 | x86 | 5.15.5 | Y | Y |
| RancherOS v1.5.8 | x86 | 4.14.138 | Y | Y |
| Raspbian GNU/Linux 10 (buster) | arm | 5.10.17 | Y | Y |
| Red Hat Enterprise Linux 8.4 (Ootpa) | x86_64 | 4.18.0 | Y | Y |
| SUSE Linux Enterprise Server 12 SP5 | x86_64 | 4.12.14 | Y | Y |
| SUSE Linux Enterprise Server 15 SP3 | x86 | 5.3.18 | Y | Y |
| Ubuntu 18.04.6 LTS | x86 | 4.15.0 | Y | Y |
| Ubuntu 18.04.6 LTS | x86_64 | 5.4.0 | Y | Y |
| Ubuntu 20.04.3 LTS | x86_64 | 5.11.0 | Y | Y |
| Ubuntu 20.04.3 LTS | x86 | 5.11.0 | Y | Y |
| VMware Photon OS/Linux | x86_64 | 5.10.61 | Y | Y |