docs/linux: update recommended configs

Mention few more tricky kernel configs that cause problems.
author: Dmitry Vyukov <dvyukov@google.com> 2018-11-23 13:44:03 +0100
committer: GitHub <noreply@github.com> 2018-11-23 13:44:03 +0100
commit: 8eb18c0bbcc63fd1fed11acb265edd5d0de79964 (patch)
tree: 70adf4e617092ebad4e8609e1329a4847c09d52c
parent: 0ab8db64670f0b91c6cc695d1159bd96409e2839 (diff)
1 files changed, 16 insertions, 2 deletions
diff --git a/docs/linux/kernel_configs.md b/docs/linux/kernel_configs.md
index 2d5a9cf04..d5291fa03 100644
--- a/docs/linux/kernel_configs.md
+++ b/docs/linux/kernel_configs.md
@@ -28,14 +28,28 @@ CONFIG_KALLSYMS=y
 CONFIG_KALLSYMS_ALL=y
 ```
 
-For `namespace` sandbox:
+For better sandboxing:
 ```
 CONFIG_NAMESPACES=y
-CONFIG_USER_NS=y
 CONFIG_UTS_NS=y
 CONFIG_IPC_NS=y
 CONFIG_PID_NS=y
 CONFIG_NET_NS=y
+CONFIG_CGROUP_PIDS=y
+CONFIG_MEMCG=y
+```
+
+For `namespace` sandbox:
+```
+CONFIG_USER_NS=y
+```
+
+For running in VMs `make kvmconfig` is generally required.
+
+Debian images produced by [tools/create-image.sh](/tools/create-image.sh) also require:
+```
+CONFIG_CONFIGFS_FS=y
+CONFIG_SECURITYFS=y
 ```
 
 It is recommended to disable the following config (and required if your kernel doesn't have commits [arm64: setup: introduce kaslr_offset()](https://github.com/torvalds/linux/commit/7ede8665f27cde7da69e8b2fbeaa1ed0664879c5)
author	Dmitry Vyukov <dvyukov@google.com>	2018-11-23 13:44:03 +0100
committer	GitHub <noreply@github.com>	2018-11-23 13:44:03 +0100
commit	8eb18c0bbcc63fd1fed11acb265edd5d0de79964 (patch)
tree	70adf4e617092ebad4e8609e1329a4847c09d52c
parent	0ab8db64670f0b91c6cc695d1159bd96409e2839 (diff)