# Security

There are a few things that have to be done to optimize the security of the system.

## Apparmor and LSM

Apparmor is a mandatory access control (MAC) mechanism which restricts a programs capabilities. Installation is easy:

```
# apk add apparmor apparmor-profiles
# rc-update add apparmor default
```

Add apparmor and other "Linux Security Modules" to the `cmdline` in `/etc/kernel-hooks/secureboothook.conf`:

```
cmdline="... apparmor=1 lsm=landlock,lockdown,yama,integrity,apparmor"
```

Then reconfigure `kernel-hooks` and reboot for it to take effect:

```
# apk fix kernel-hooks
# reboot
```

You can check the status of apparmor using `apparmor-utils`:

```
# apk add apparmor-utils
# aa-status
```

## Cmdline

There are a lot of kernel settings which can be passed to the command line. [Madadans-insecurity's page](https://madaidans-insecurities.github.io/guides/linux-hardening.html#kernel) describes each of their function and how they improve security of the system so lets add them to `/etc/kernel-hooks/secureboot.conf`:

```
cmdline="... slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on randomize_kstack_offset=on vsyscall=none debugfs=off module.sig_enforce=1 lockdown=confidentiality mce=0 loglevel=0 iommu=force spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full mds=full l1ft=flush"
```

After reconfiguring `kernel-hooks` try to reboot and it should boot. Although there are more options that might make the system more secure, these come with a big performance hit most of the time so these settings should do for now.

## Sysctl

WIP

## Hardened Malloc

WIP