checklist.append(OptCheck('DEFAULT_MMAP_MIN_ADDR', '32768', 'kspp', 'self_protection'))
if debug_mode or arch == 'X86_64' or arch == 'ARM64' or arch == 'X86_32':
- checklist.append(OptCheck('GCC_PLUGIN_STACKLEAK', 'y', 'my', 'self_protection'))
+ stackleak_is_set = OptCheck('GCC_PLUGIN_STACKLEAK', 'y', 'my', 'self_protection')
+ checklist.append(stackleak_is_set)
+ checklist.append(AND(OptCheck('STACKLEAK_METRICS', 'is not set', 'my', 'self_protection'), \
+ stackleak_is_set))
+ checklist.append(AND(OptCheck('STACKLEAK_RUNTIME_DISABLE','is not set', 'my', 'self_protection'), \
+ stackleak_is_set))
checklist.append(OptCheck('LOCK_DOWN_KERNEL', 'y', 'my', 'self_protection')) # remember about LOCK_DOWN_MANDATORY
checklist.append(OptCheck('SLUB_DEBUG_ON', 'y', 'my', 'self_protection'))
checklist.append(OptCheck('SECURITY_DMESG_RESTRICT', 'y', 'my', 'self_protection'))
checklist.append(OptCheck('STACKPROTECTOR_PER_TASK', 'y', 'my', 'self_protection'))
if debug_mode or arch == 'X86_64' or arch == 'ARM64' or arch == 'X86_32':
- checklist.append(OptCheck('SECURITY', 'y', 'defconfig', 'security_policy'))
+ checklist.append(OptCheck('SECURITY', 'y', 'defconfig', 'security_policy')) # and choose your favourite LSM
if debug_mode or arch == 'ARM':
- checklist.append(OptCheck('SECURITY', 'y', 'kspp', 'security_policy'))
+ checklist.append(OptCheck('SECURITY', 'y', 'kspp', 'security_policy')) # and choose your favourite LSM
checklist.append(OptCheck('SECURITY_YAMA', 'y', 'kspp', 'security_policy'))
- checklist.append(OptCheck('SECURITY_SELINUX_DISABLE', 'is not set', 'kspp', 'security_policy'))
checklist.append(OptCheck('SECCOMP', 'y', 'defconfig', 'cut_attack_surface'))
checklist.append(OptCheck('SECCOMP_FILTER', 'y', 'defconfig', 'cut_attack_surface'))
projects / kconfig-hardened-check.git / blobdiff