From: Alexander Popov
Date: Tue, 16 Jan 2024 20:53:14 +0000 (+0300)
Subject: Improve the check of DEBUG_NOTIFIERS feature (part 2)
X-Git-Tag: v0.6.6~5
X-Git-Url: https://jxself.org/git/?a=commitdiff_plain;h=65ff79dbe2c36347283d71d3fa1959030bf6838f;p=kconfig-hardened-check.git

Improve the check of DEBUG_NOTIFIERS feature (part 2)

CFI_PERMISSIVE should be disabled. Reacting with a kernel warning is not enough. Thanks to @thestinger for the idea. Refers to #99.
---
diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py
index b90fade..3dc1b87 100644
--- a/kernel_hardening_checker/checks.py
+++ b/kernel_hardening_checker/checks.py
@@ -131,8 +131,10 @@ def add_kconfig_checks(l, arch):
     l += [KconfigCheck('self_protection', 'kspp', 'STATIC_USERMODEHELPER', 'y')] # needs userspace support
     l += [KconfigCheck('self_protection', 'kspp', 'SCHED_CORE', 'y')]
     cfi_clang_is_set = KconfigCheck('self_protection', 'kspp', 'CFI_CLANG', 'y')
+    cfi_clang_permissive_not_set = KconfigCheck('self_protection', 'kspp', 'CFI_PERMISSIVE', 'is not set')
     l += [OR(KconfigCheck('self_protection', 'kspp', 'DEBUG_NOTIFIERS', 'y'),
-             cfi_clang_is_set)]
+             AND(cfi_clang_is_set,
+                 cfi_clang_permissive_not_set))]
     l += [OR(KconfigCheck('self_protection', 'kspp', 'SCHED_STACK_END_CHECK', 'y'),
              vmap_stack_is_set)]
     kfence_is_set = KconfigCheck('self_protection', 'kspp', 'KFENCE', 'y')
@@ -199,7 +201,7 @@ def add_kconfig_checks(l, arch):
     l += [KconfigCheck('self_protection', 'kspp', 'RANDOMIZE_KSTACK_OFFSET_DEFAULT', 'y')]
     if arch in ('X86_64', 'ARM64'):
         l += [cfi_clang_is_set]
-        l += [AND(KconfigCheck('self_protection', 'kspp', 'CFI_PERMISSIVE', 'is not set'),
+        l += [AND(cfi_clang_permissive_not_set,
                   cfi_clang_is_set)]
     if arch in ('X86_64', 'X86_32'):
         l += [KconfigCheck('self_protection', 'kspp', 'HW_RANDOM_TPM', 'y')]
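Review bot: The new `AND(cfi_clang_is_set, cfi_clang_permissive_not_set)` branch of the DEBUG_NOTIFIERS check carries no comment saying why enforcing CFI is accepted as a substitute, and the reasoning in the commit message (a permissive-mode warning is not a mitigation) is invisible to anyone reading checks.py. I would put above the `l += [OR(KconfigCheck('self_protection', 'kspp', 'DEBUG_NOTIFIERS', 'y'),` line: `# CFI_CLANG checks the target of every indirect call, which covers the notifier callback pointers that DEBUG_NOTIFIERS validates; CFI_PERMISSIVE only warns on a mismatch, so it does not count as a substitute`. The new variable is named `cfi_clang_permissive_not_set` but the symbol it checks is `CFI_PERMISSIVE`, so `cfi_permissive_not_set` would match the Kconfig name the way `cfi_clang_is_set` and `kfence_is_set` do. One caveat worth a follow-up rather than a change here: as far as I recall the x86 kernel also accepts `cfi=off` on the command line, so a config that satisfies this OR only through the CFI branch can still boot with CFI disabled; if the tool has a matching cmdline check it should be paired with this one, but the cmdline checks are not visible in this diff. add_kconfig_checks continues outside the hunk.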
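Review bot: The two `AND()` combinations of the same pair are now written in opposite order: here `AND(cfi_clang_permissive_not_set, cfi_clang_is_set)` (the order kept from the removed line), while the nested one in the DEBUG_NOTIFIERS check lists `cfi_clang_is_set` first. If, as I would guess from the tool's output but cannot confirm from this diff, a compound check is reported under the name of its first sub-check, this one is deliberately reported as CFI_PERMISSIVE because CFI_CLANG is already reported by the `l += [cfi_clang_is_set]` line just above it; a one-line comment would make that intent explicit and stop the next reader from "fixing" the order: `# reported under CFI_PERMISSIVE; CFI_CLANG itself is checked on the line above`. add_kconfig_checks continues outside the hunk.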