- checklist.append(OptCheck('STATIC_USERMODEHELPER', 'y', 'my', 'self_protection')) # breaks systemd?
- checklist.append(OptCheck('PAGE_POISONING_NO_SANITY', 'is not set', 'my', 'self_protection'))
- checklist.append(OptCheck('PAGE_POISONING_ZERO', 'is not set', 'my', 'self_protection'))
-
- checklist.append(OptCheck('SECURITY', 'y', 'ubuntu18', 'security_policy'))
- checklist.append(OptCheck('SECURITY_YAMA', 'y', 'ubuntu18', 'security_policy'))
- checklist.append(OptCheck('SECURITY_SELINUX_DISABLE', 'is not set', 'ubuntu18', 'security_policy'))
-
- checklist.append(OptCheck('SECCOMP', 'y', 'ubuntu18', 'cut_attack_surface'))
- checklist.append(OptCheck('SECCOMP_FILTER', 'y', 'ubuntu18', 'cut_attack_surface'))
- checklist.append(OR(OptCheck('STRICT_DEVMEM', 'y', 'ubuntu18', 'cut_attack_surface'), devmem_not_set))
- checklist.append(OptCheck('ACPI_CUSTOM_METHOD', 'is not set', 'ubuntu18', 'cut_attack_surface'))
- checklist.append(OptCheck('COMPAT_BRK', 'is not set', 'ubuntu18', 'cut_attack_surface'))
- checklist.append(OptCheck('DEVKMEM', 'is not set', 'ubuntu18', 'cut_attack_surface'))
- checklist.append(OptCheck('COMPAT_VDSO', 'is not set', 'ubuntu18', 'cut_attack_surface'))
- checklist.append(OptCheck('X86_PTDUMP', 'is not set', 'ubuntu18', 'cut_attack_surface'))
- checklist.append(OptCheck('ZSMALLOC_STAT', 'is not set', 'ubuntu18', 'cut_attack_surface'))
- checklist.append(OptCheck('PAGE_OWNER', 'is not set', 'ubuntu18', 'cut_attack_surface'))
- checklist.append(OptCheck('DEBUG_KMEMLEAK', 'is not set', 'ubuntu18', 'cut_attack_surface'))
- checklist.append(OptCheck('BINFMT_AOUT', 'is not set', 'ubuntu18', 'cut_attack_surface'))
-
- checklist.append(OR(OptCheck('IO_STRICT_DEVMEM', 'y', 'kspp', 'cut_attack_surface'), devmem_not_set))
- checklist.append(OptCheck('LEGACY_VSYSCALL_NONE', 'y', 'kspp', 'cut_attack_surface')) # 'vsyscall=none'
+ checklist.append(OptCheck('STATIC_USERMODEHELPER', 'y', 'my', 'self_protection')) # needs userspace support (systemd)
+ checklist.append(OptCheck('SECURITY_LOADPIN', 'y', 'my', 'self_protection')) # needs userspace support
+ checklist.append(OptCheck('RESET_ATTACK_MITIGATION', 'y', 'my', 'self_protection')) # needs userspace support (systemd)
+ checklist.append(OptCheck('SLAB_MERGE_DEFAULT', 'is not set', 'my', 'self_protection')) # slab_nomerge
+ checklist.append(AND(OptCheck('PAGE_POISONING_NO_SANITY', 'is not set', 'my', 'self_protection'), \
+ page_poisoning_is_set))
+ checklist.append(AND(OptCheck('PAGE_POISONING_ZERO', 'is not set', 'my', 'self_protection'), \
+ page_poisoning_is_set))
+ if debug_mode or arch == 'X86_32':
+ checklist.append(OptCheck('PAGE_TABLE_ISOLATION', 'y', 'my', 'self_protection'))
+
+ if debug_mode or arch == 'X86_64' or arch == 'ARM64' or arch == 'X86_32':
+ checklist.append(OptCheck('SECURITY', 'y', 'defconfig', 'security_policy'))
+ if debug_mode or arch == 'ARM':
+ checklist.append(OptCheck('SECURITY', 'y', 'kspp', 'security_policy'))
+ checklist.append(OptCheck('SECURITY_YAMA', 'y', 'kspp', 'security_policy'))
+ checklist.append(OptCheck('SECURITY_SELINUX_DISABLE', 'is not set', 'kspp', 'security_policy'))
+
+ checklist.append(OptCheck('SECCOMP', 'y', 'defconfig', 'cut_attack_surface'))
+ checklist.append(OptCheck('SECCOMP_FILTER', 'y', 'defconfig', 'cut_attack_surface'))
+ if debug_mode or arch == 'X86_64' or arch == 'ARM64' or arch == 'X86_32':
+ checklist.append(OR(OptCheck('STRICT_DEVMEM', 'y', 'defconfig', 'cut_attack_surface'), \
+ devmem_not_set)) # refers to LOCK_DOWN_KERNEL
+
+ checklist.append(modules_not_set)
+ checklist.append(devmem_not_set)
+ checklist.append(OR(OptCheck('IO_STRICT_DEVMEM', 'y', 'kspp', 'cut_attack_surface'), \
+ devmem_not_set)) # refers to LOCK_DOWN_KERNEL
+ if debug_mode or arch == 'ARM':
+ checklist.append(OR(OptCheck('STRICT_DEVMEM', 'y', 'kspp', 'cut_attack_surface'), \
+ devmem_not_set)) # refers to LOCK_DOWN_KERNEL
+ checklist.append(OptCheck('ACPI_CUSTOM_METHOD', 'is not set', 'kspp', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL
+ checklist.append(OptCheck('COMPAT_BRK', 'is not set', 'kspp', 'cut_attack_surface'))
+ checklist.append(OptCheck('DEVKMEM', 'is not set', 'kspp', 'cut_attack_surface'))
+ checklist.append(OptCheck('COMPAT_VDSO', 'is not set', 'kspp', 'cut_attack_surface'))