There is often a need to check the kernel config and other OS configuration to make a dev/design decision. The question that often pops up is: do the popular distributions support the kernel config that the implementation expects? This is an attempt to answer that.
My specific use-case: KubeArmor leverages LSMs (Linux Security Modules) and eBPF for in-kernel policy controls. We had to refer to kernel configs for making design/dev decisions regarding whether we can depend on a certain kernel primitive. The boot configs part of this repo helped in making an informed choice.
This table lists kernel audit support. There is a userspace auditd daemon, which is separate accessory tooling that leverages kernel audit support. This table has nothing to do with userspace components.
Distro | Arch | Kernel | CONFIG_BPF | CGROUP_BPF | BPF_SYSCALL | BPF_JIT | BPF_LSM | BPF_KPROBE_OVERRIDE | BPFILTER | NET_ACT_BPF | NET_CLS_BPF | BPF_EVENTS | LWTUNNEL_BPF | BPF_STREAM_PARSER | NETFILTER_XT_MATCH_BPF | IPV6_SEG6_BPF |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Amazon Linux 2022 | x86_64 | 5.10.75 | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
Amazon Linux 2023 | x86_64 | 6.1.19 | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
Amazon Linux 2 | x86_64 | 4.14.252 | ✔️ | ✔️ | ✔️ | ✔️ | ❌ | ❌ | ❌ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ❌ |
Amazon Linux 2 | x86_64 | 5.10.75 | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
Amazon Linux 2 | x86_64 | 5.15.86 | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
Amazon Linux 2 | x86_64 | 5.4.226 | ✔️ | ✔️ | ✔️ | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
Arch Linux | x86 | 6.2.1 | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
CentOS Linux 7 (Core) | x86_64 | 3.10.0 | ✔️ | ❌ | ✔️ | ✔️ | ❌ | ✔️ | ❌ | ❌ | ✔️ | ✔️ | ❌ | ❌ | ✔️ | ❌ |
CentOS Linux 8 | x86_64 | 4.18.0 | ✔️ | ✔️ | ✔️ | ✔️ | ❌ | ❌ | ❌ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ❌ |
CentOS Linux 8 | x86_64 | 4.18.0 | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ❌ |
Container-Optimized OS from Google | x86_64 | 5.10.90 | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ❌ | ❌ | ❌ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ❌ |
Container-Optimized OS from Google | x86_64 | 5.4.144 | ✔️ | ✔️ | ✔️ | ✔️ | ❌ | ❌ | ❌ | ❌ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ❌ |
Debian GNU/Linux 10 (buster) | x86 | 4.19.181 | ✔️ | ✔️ | ✔️ | ✔️ | ❌ | ❌ | ❌ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
Fedora CoreOS 35.20211203.3.0 | x86_64 | 5.15.6 | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ❌ | ❌ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
Flatcar Container Linux by Kinvolk 3033.2.0 (Oklo) | x86 | 5.10.84 | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ❌ | ❌ | ❌ | ✔️ | ✔️ | ✔️ | ❌ | ✔️ | ❌ |
k3OS v0.21.5-k3s2r1 | x86 | 5.4.0 | ✔️ | ✔️ | ✔️ | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
Oracle Linux Server 8.6 | x86_64 | 4.18.0 | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ❌ |
Oracle Linux Server 8.7 | x86_64 | 5.15.0 | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ❌ |
Oracle Linux Server 8.8 | x86_64 | 5.15.0 | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ❌ |
Pop!_OS 21.04 | x86 | 5.11.0 | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
Pop!_OS 21.10 | x86 | 5.15.5 | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
RancherOS v1.5.8 | x86 | 4.14.138 | ✔️ | ❌ | ✔️ | ✔️ | ❌ | ❌ | ❌ | ✔️ | ✔️ | ✔️ | ✔️ | ❌ | ✔️ | ❌ |
Raspbian GNU/Linux 10 (buster) | arm | 5.10.17 | ✔️ | ✔️ | ✔️ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✔️ | ✔️ | ❌ | ✔️ | ❌ |
Red Hat Enterprise Linux 8.1 (Ootpa) | x86_64 | 4.18.0 | ✔️ | ✔️ | ✔️ | ✔️ | ❌ | ❌ | ❌ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ❌ |
Red Hat Enterprise Linux 8.4 (Ootpa) | x86_64 | 4.18.0 | ✔️ | ✔️ | ✔️ | ✔️ | ❌ | ❌ | ❌ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ❌ |
Red Hat Enterprise Linux 8.5 (Ootpa) | x86_64 | 4.18.0 | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ❌ |
Red Hat Enterprise Linux 9.2 (Plow) | x86_64 | 5.14.0 | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ❌ | ❌ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ❌ |
Red Hat Enterprise Linux Server 7.9 (Maipo) | x86_64 | 3.10.0 | ✔️ | ❌ | ✔️ | ✔️ | ❌ | ✔️ | ❌ | ❌ | ✔️ | ✔️ | ❌ | ❌ | ✔️ | ❌ |
Rocky Linux 8.7 (Green Obsidian) | x86_64 | 4.18.0 | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ❌ |
Rocky Linux 9.0 (Blue Onyx) | x86_64 | 5.14.0 | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ❌ | ❌ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ❌ |
SUSE Linux Enterprise Server 12 SP5 | x86_64 | 4.12.14 | ✔️ | ✔️ | ✔️ | ✔️ | ❌ | ❌ | ❌ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ❌ |
SUSE Linux Enterprise Server 15 SP3 | x86 | 5.3.18 | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
Ubuntu 16.04.7 LTS | x86 | 4.15.0 | ✔️ | ✔️ | ✔️ | ✔️ | ❌ | ❌ | ❌ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ❌ |
Ubuntu 18.04.6 LTS | x86 | 4.15.0 | ✔️ | ✔️ | ✔️ | ✔️ | ❌ | ❌ | ❌ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ❌ |
Ubuntu 18.04.6 LTS | x86_64 | 5.4.0 | ✔️ | ✔️ | ✔️ | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
Ubuntu 20.04.3 LTS | x86_64 | 5.11.0 | ✔️ | ✔️ | ✔️ | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
Ubuntu 20.04.3 LTS | x86 | 5.11.0 | ✔️ | ✔️ | ✔️ | ✔️ | ❌ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
VMware Photon OS/Linux | x86_64 | 5.10.61 | ✔️ | ❌ | ✔️ | ✔️ | ❌ | ❌ | ❌ | ❌ | ✔️ | ✔️ | ❌ | ❌ | ✔️ | ❌ |
CGROUP_BPF: Support for eBPF programs attached to cgroups. Allow attaching eBPF programs to a cgroup using the bpf(2) syscall command BPF_PROG_ATTACH.
Distro | Arch | Kernel | BPF LSM | AppArmor | SELinux | LandLock | SMACK |
---|---|---|---|---|---|---|---|
Amazon Linux 2022 | x86_64 | 5.10.75 | ✔️ | ❌ | ✔️ | ❌ | ❌ |
Amazon Linux 2023 | x86_64 | 6.1.19 | ✔️ | ❌ | ✔️ | ❌ | ❌ |
Amazon Linux 2 | x86_64 | 4.14.252 | ❌ | ❌ | ✔️ | ❌ | ❌ |
Amazon Linux 2 | x86_64 | 5.10.75 | ✔️ | ❌ | ✔️ | ❌ | ❌ |
Amazon Linux 2 | x86_64 | 5.15.86 | ✔️ | ❌ | ✔️ | ❌ | ❌ |
Amazon Linux 2 | x86_64 | 5.4.226 | ❌ | ❌ | ✔️ | ❌ | ❌ |
Arch Linux | x86 | 6.2.1 | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
CentOS Linux 7 (Core) | x86_64 | 3.10.0 | ❌ | ❌ | ✔️ | ❌ | ❌ |
CentOS Linux 8 | x86_64 | 4.18.0 | ❌ | ❌ | ✔️ | ❌ | ❌ |
CentOS Linux 8 | x86_64 | 4.18.0 | ✔️ | ❌ | ✔️ | ❌ | ❌ |
Container-Optimized OS from Google | x86_64 | 5.10.90 | ✔️ | ✔️ | ❌ | ❌ | ❌ |
Container-Optimized OS from Google | x86_64 | 5.4.144 | ❌ | ✔️ | ❌ | ❌ | ❌ |
Debian GNU/Linux 10 (buster) | x86 | 4.19.181 | ❌ | ✔️ | ✔️ | ❌ | ❌ |
Fedora CoreOS 35.20211203.3.0 | x86_64 | 5.15.6 | ✔️ | ❌ | ✔️ | ✔️ | ❌ |
Flatcar Container Linux by Kinvolk 3033.2.0 (Oklo) | x86 | 5.10.84 | ✔️ | ❌ | ✔️ | ❌ | ❌ |
k3OS v0.21.5-k3s2r1 | x86 | 5.4.0 | ❌ | ✔️ | ✔️ | ❌ | ✔️ |
Oracle Linux Server 8.6 | x86_64 | 4.18.0 | ✔️ | ❌ | ✔️ | ❌ | ❌ |
Oracle Linux Server 8.7 | x86_64 | 5.15.0 | ✔️ | ❌ | ✔️ | ✔️ | ❌ |
Oracle Linux Server 8.8 | x86_64 | 5.15.0 | ✔️ | ❌ | ✔️ | ✔️ | ❌ |
Pop!_OS 21.04 | x86 | 5.11.0 | ✔️ | ✔️ | ✔️ | ❌ | ✔️ |
Pop!_OS 21.10 | x86 | 5.15.5 | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
RancherOS v1.5.8 | x86 | 4.14.138 | ❌ | ✔️ | ✔️ | ❌ | ✔️ |
Raspbian GNU/Linux 10 (buster) | arm | 5.10.17 | ❌ | ✔️ | ❌ | ❌ | ❌ |
Red Hat Enterprise Linux 8.1 (Ootpa) | x86_64 | 4.18.0 | ❌ | ❌ | ✔️ | ❌ | ❌ |
Red Hat Enterprise Linux 8.4 (Ootpa) | x86_64 | 4.18.0 | ❌ | ❌ | ✔️ | ❌ | ❌ |
Red Hat Enterprise Linux 8.5 (Ootpa) | x86_64 | 4.18.0 | ✔️ | ❌ | ✔️ | ❌ | ❌ |
Red Hat Enterprise Linux 9.2 (Plow) | x86_64 | 5.14.0 | ✔️ | ❌ | ✔️ | ❌ | ❌ |
Red Hat Enterprise Linux Server 7.9 (Maipo) | x86_64 | 3.10.0 | ❌ | ❌ | ✔️ | ❌ | ❌ |
Rocky Linux 8.7 (Green Obsidian) | x86_64 | 4.18.0 | ✔️ | ❌ | ✔️ | ❌ | ❌ |
Rocky Linux 9.0 (Blue Onyx) | x86_64 | 5.14.0 | ✔️ | ❌ | ✔️ | ❌ | ❌ |
SUSE Linux Enterprise Server 12 SP5 | x86_64 | 4.12.14 | ❌ | ✔️ | ✔️ | ❌ | ❌ |
SUSE Linux Enterprise Server 15 SP3 | x86 | 5.3.18 | ✔️ | ✔️ | ✔️ | ❌ | ❌ |
Ubuntu 16.04.7 LTS | x86 | 4.15.0 | ❌ | ✔️ | ✔️ | ❌ | ✔️ |
Ubuntu 18.04.6 LTS | x86 | 4.15.0 | ❌ | ✔️ | ✔️ | ❌ | ✔️ |
Ubuntu 18.04.6 LTS | x86_64 | 5.4.0 | ❌ | ✔️ | ✔️ | ❌ | ✔️ |
Ubuntu 20.04.3 LTS | x86_64 | 5.11.0 | ❌ | ✔️ | ✔️ | ❌ | ✔️ |
Ubuntu 20.04.3 LTS | x86 | 5.11.0 | ❌ | ✔️ | ✔️ | ❌ | ✔️ |
VMware Photon OS/Linux | x86_64 | 5.10.61 | ❌ | ✔️ | ✔️ | ❌ | ✔️ |
Some LSMs are not stackable. For example, AppArmor and SELinux are not stackable. If you find that support for both SELinux and AppArmor is available, then only one can be enabled at boot time.
BPF LSM is the new kid on the block. BPF LSM depends on bpf-helpers and they vary from kernel to kernel.
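The tables above record what a kernel was built with, which is not the same as what is active on a running host. The following added example (not part of this repo's tooling) classifies the BPF options from a kernel config file and flags the case where BPF LSM is compiled in but missing from the active LSM list; the function names, the sample config and the fallback LSM list are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the repo): classify kernel config options and
# compare compiled-in BPF LSM support with the LSMs active at runtime.

# config_state FILE OPTION -> prints y, m, or n (n = "is not set" or absent).
config_state() {
    val=$(sed -n "s/^CONFIG_$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    echo "${val:-n}"
}

# lsm_active LIST NAME -> succeeds if NAME is in the comma-separated list
# (the format of /sys/kernel/security/lsm).
lsm_active() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# report FILE LSM_LIST -> one line per option, plus a note when BPF LSM is
# built in but not in the active list.
report() {
    for opt in BPF BPF_SYSCALL BPF_JIT CGROUP_BPF BPF_LSM BPF_KPROBE_OVERRIDE; do
        printf '%-20s %s\n' "$opt" "$(config_state "$1" "$opt")"
    done
    if [ "$(config_state "$1" BPF_LSM)" = y ] && ! lsm_active "$2" bpf; then
        echo "BPF_LSM=y but bpf is not active (see CONFIG_LSM / lsm= boot parameter)"
    fi
}

# Constructed sample config, used when no readable config file is found.
sample_config() {
    cat <<'EOF'
CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_JIT=y
CONFIG_CGROUP_BPF=y
CONFIG_BPF_LSM=y
# CONFIG_BPF_KPROBE_OVERRIDE is not set
CONFIG_NET_CLS_BPF=m
EOF
}

cfg=${1:-/boot/config-$(uname -r)}
[ -r "$cfg" ] || { cfg=$(mktemp); sample_config > "$cfg"; }
# Constructed fallback list for systems without securityfs mounted.
lsms=$(cat /sys/kernel/security/lsm 2>/dev/null || echo "lockdown,capability,yama,apparmor")
report "$cfg" "$lsms"
```

Pass a config path as the first argument to check a specific file; on kernels built with CONFIG_IKCONFIG_PROC, decompress /proc/config.gz to a file first.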
Adding a new distro
Use the following command to create a distro/kernel-specific folder with the corresponding markdown files:
```
curl -s https://raw.githubusercontent.com/nyrahul/linux-kernel-configs/main/lk-config-get.sh | bash -s
```
If `curl` is not available, use `wget`:
```
wget -q -O- https://raw.githubusercontent.com/nyrahul/linux-kernel-configs/main/lk-config-get.sh | bash -s
```
- Copy the folder to your GitHub fork
- Run `make`
- Raise a PR
Adding a new composition
A composition is a set of kernel configuration options shown in the context of all the distros. "LSM Support" and "Seccomp Support" are examples of compositions.
To create a new composition:
- Create a new composition file. Use tools/compositions/lsm.yaml as a reference.
- Run `make`
- Check that the composition is reflected in the README.md
- Raise a PR with the changes