I think this topic is important enough that it deserves its own thread.
A bit of background info:
- Yves-Alexis Perez is one of Debian’s major sec engineers.
- ANSSI is the French COMSEC department, so not a spook outfit.
- CLIP OS is their hardened distro work, where it may be beneficial to use or cherry-pick as much stuff as possible.
They make use of this most active hardened Linux fork, anthraxx/linux-hardened (https://github.com/anthraxx/linux-hardened): "Minimal supplement to upstream Kernel Self Protection Project changes. Features already provided by SELinux + Yama and archs other than multiarch arm64 / x86_64 aren't in scope. Only tags have stable history. Shared IRC channel with KSPP: irc.libera.chat #linux-hardening"
They are working on upstreaming patchsets like stackleak and lockdown, and are using LSMs like Landlock. Until then, the work is integrated into their fork of the kernel, among other enhancements not mentioned here.
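A practical follow-up to the post above: before cherry-picking anything, check which of the three features it names (stackleak, lockdown, Landlock) your own kernel already carries. The script below is an added example, not code from the post, from CLIP OS or from linux-hardened. It parses a kernel `.config` for the real Kconfig symbols `CONFIG_GCC_PLUGIN_STACKLEAK`, `CONFIG_SECURITY_LOCKDOWN_LSM` and `CONFIG_SECURITY_LANDLOCK`, and also checks that the two LSMs appear in `CONFIG_LSM`, since an LSM that is built in but absent from the LSM order (and not passed via `lsm=` on the command line) is never initialised. The sample config embedded in it is constructed for demonstration; the live section reads `/proc/config.gz` or `/boot/config-$(uname -r)` and securityfs only if they are present.

```shell
#!/bin/sh
# Added example (not from the original post): check a kernel .config for the
# hardening features the post mentions, then look at the running kernel if possible.

# Kconfig symbols for stackleak, the lockdown LSM and Landlock.
HARDENING_SYMBOLS="CONFIG_GCC_PLUGIN_STACKLEAK CONFIG_SECURITY_LOCKDOWN_LSM CONFIG_SECURITY_LANDLOCK"

# config_state CONFIG_TEXT SYMBOL -> prints y, m, n (explicitly unset) or absent
config_state() {
    printf '%s\n' "$1" | awk -v sym="$2" '
        $0 == (sym "=y")               { print "y"; found = 1; exit }
        $0 == (sym "=m")               { print "m"; found = 1; exit }
        $0 == ("# " sym " is not set") { print "n"; found = 1; exit }
        END { if (!found) print "absent" }'
}

# lsm_list CONFIG_TEXT -> prints the value of CONFIG_LSM (comma-separated), or nothing
lsm_list() {
    printf '%s\n' "$1" | sed -n 's/^CONFIG_LSM="\(.*\)"$/\1/p'
}

# lsm_enabled CONFIG_TEXT NAME -> returns 0 if NAME is in the CONFIG_LSM order
lsm_enabled() {
    case ",$(lsm_list "$1")," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# missing_count CONFIG_TEXT -> prints how many HARDENING_SYMBOLS are not =y
missing_count() {
    n=0
    for sym in $HARDENING_SYMBOLS; do
        [ "$(config_state "$1" "$sym")" = y ] || n=$((n + 1))
    done
    printf '%s\n' "$n"
}

# report CONFIG_TEXT -> human-readable summary of the three features
report() {
    for sym in $HARDENING_SYMBOLS; do
        printf '%-32s %s\n' "$sym" "$(config_state "$1" "$sym")"
    done
    # Built in is not enough for an LSM: it must also be listed in CONFIG_LSM
    # (or in the lsm= boot parameter) to be initialised at boot.
    for lsm in landlock lockdown; do
        if lsm_enabled "$1" "$lsm"; then
            printf '%-32s in CONFIG_LSM\n' "$lsm"
        else
            printf '%-32s NOT in CONFIG_LSM\n' "$lsm"
        fi
    done
}

# running_config -> prints the running kernel's config text, or fails if unavailable
running_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# Constructed sample: lockdown and Landlock built in, stackleak switched off,
# and Landlock left out of the LSM order (a common way to "have" it without it running).
SAMPLE_CONFIG='CONFIG_GCC_PLUGINS=y
# CONFIG_GCC_PLUGIN_STACKLEAK is not set
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LANDLOCK=y
CONFIG_LSM="lockdown,yama,apparmor"'

echo "== constructed sample config =="
report "$SAMPLE_CONFIG"
echo "features not built in: $(missing_count "$SAMPLE_CONFIG")"

# Live view of the running kernel; skipped quietly when the files are not available.
if cfg=$(running_config 2>/dev/null); then
    echo "== running kernel $(uname -r) =="
    report "$cfg"
    echo "features not built in: $(missing_count "$cfg")"
fi
if [ -r /sys/kernel/security/lsm ]; then
    echo "active LSMs: $(cat /sys/kernel/security/lsm)"
fi
if [ -r /sys/kernel/security/lockdown ]; then
    echo "lockdown mode: $(cat /sys/kernel/security/lockdown)"
fi
```

Run it as-is to see the constructed sample, then on a target box to compare against the running kernel; `/sys/kernel/security/lsm` is the authoritative list of LSMs that actually initialised, which is the value to trust over the `.config` when the two disagree.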