Separate out checking SECURITY_WRITABLE_HOOKS and SECURITY_SELINUX_DISABLE

Thanks to @izh1979 for the idea.
Combining these checks with OR is not correct.

diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py
index 07b467e3680d05d2930528411a17ab8968cfa20a..e3488fd91bdec6c32cde5960b4ef4e11a25536dd 100644 (file)
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -493,11 +493,11 @@ def add_kconfig_checks(l, arch):
     if arch == 'ARM':
         l += [KconfigCheck('security_policy', 'kspp', 'SECURITY', 'y')] # and choose your favourite LSM
     l += [KconfigCheck('security_policy', 'kspp', 'SECURITY_YAMA', 'y')]
-    l += [OR(KconfigCheck('security_policy', 'my', 'SECURITY_WRITABLE_HOOKS', 'is not set'),
-             KconfigCheck('security_policy', 'kspp', 'SECURITY_SELINUX_DISABLE', 'is not set'))]
+    l += [KconfigCheck('security_policy', 'kspp', 'SECURITY_SELINUX_DISABLE', 'is not set')]
     l += [KconfigCheck('security_policy', 'clipos', 'SECURITY_LOCKDOWN_LSM', 'y')]
     l += [KconfigCheck('security_policy', 'clipos', 'SECURITY_LOCKDOWN_LSM_EARLY', 'y')]
     l += [KconfigCheck('security_policy', 'clipos', 'LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY', 'y')]
+    l += [KconfigCheck('security_policy', 'my', 'SECURITY_WRITABLE_HOOKS', 'is not set')] # refers to SECURITY_SELINUX_DISABLE
     l += [KconfigCheck('security_policy', 'my', 'SECURITY_SAFESETID', 'y')]
     loadpin_is_set = KconfigCheck('security_policy', 'my', 'SECURITY_LOADPIN', 'y')
     l += [loadpin_is_set] # needs userspace support