+ l += [OR(SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kexec_load_disabled', '1'),
+ AND(KconfigCheck('-', '-', 'KEXEC_CORE', 'is not set'),
+ have_kconfig))]
+ l += [OR(SysctlCheck('cut_attack_surface', 'kspp', 'kernel.unprivileged_bpf_disabled', '1'),
+ AND(KconfigCheck('cut_attack_surface', 'lockdown', 'BPF_SYSCALL', 'is not set'),
+ have_kconfig))]
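Review bot: The kconfig fallback for kexec is written as `KconfigCheck('-', '-', 'KEXEC_CORE', 'is not set')`, while the parallel BPF fallback two lines below carries real tags (`'cut_attack_surface', 'lockdown'`). If the nested check's reason or decision is ever printed or filtered on, the KEXEC_CORE entry will show as untagged. I would tag both the same way, e.g. `KconfigCheck('cut_attack_surface', 'kspp', 'KEXEC_CORE', 'is not set')`, where `'kspp'` is my guess from the sysctl line and should be confirmed against the file's existing kexec kconfig check. A short comment above each pair would also help, such as `# sysctl value other than 1 passes only if the feature is compiled out and a kconfig file was given`, assuming that is what `have_kconfig` guards; it and the enclosing function are defined outside these lines. It is also worth noting next to the BPF check that requiring exactly `'1'` is deliberate, since `kernel.unprivileged_bpf_disabled=2` can be reset later by an administrator and should keep failing.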