- if arch == 'ARM64':
- l += [OptCheck('self_protection', 'kspp', 'ARM64_SW_TTBR0_PAN', 'y')]
- if arch in ('ARM64', 'ARM'):
- l += [OptCheck('self_protection', 'kspp', 'SYN_COOKIES', 'y')] # another reason?
- l += [OptCheck('self_protection', 'kspp', 'DEFAULT_MMAP_MIN_ADDR', '32768')]
+
+ # 'self_protection', 'maintainer'
+ ubsan_bounds_is_set = OptCheck('self_protection', 'maintainer', 'UBSAN_BOUNDS', 'y') # only array index bounds checking
+ l += [ubsan_bounds_is_set] # recommended by Kees Cook in /issues/53
+ l += [AND(OptCheck('self_protection', 'maintainer', 'UBSAN_SANITIZE_ALL', 'y'),
+ ubsan_bounds_is_set)] # recommended by Kees Cook in /issues/53
+ l += [AND(OptCheck('self_protection', 'maintainer', 'UBSAN_TRAP', 'y'),
+ ubsan_bounds_is_set)] # recommended by Kees Cook in /issues/53