Add SECURITY_LOADPIN check

[kconfig-hardened-check.git] / kconfig-hardened-check.py

diff --git a/kconfig-hardened-check.py b/kconfig-hardened-check.py
index 2c14fd0d206f09576122459454b0b54383220d7a..e509174115c128b2fd7b9c976cad9467a09fcfff 100755 (executable)
--- a/kconfig-hardened-check.py
+++ b/kconfig-hardened-check.py
@@ -8,14 +8,18 @@
 #
 # Please don't cry if my Python code looks like C.
 #
-
+#
 # N.B Hardening command line parameters:
 #    page_poison=1
-#    slub_debug=P
+#    slub_debug=FZP
 #    slab_nomerge
 #    pti=on
 #    kernel.kptr_restrict=1
 #    lockdown=1
+#
+# N.B. Hardening sysctl's:
+#    net.core.bpf_jit_harden
+#
 
 import sys
 from argparse import ArgumentParser
@@ -151,8 +155,10 @@ def construct_checklist():
     checklist.append(OptCheck('SLUB_DEBUG_ON',                    'y', 'my', 'self_protection'))
     checklist.append(OptCheck('SECURITY_DMESG_RESTRICT',          'y', 'my', 'self_protection'))
     checklist.append(OptCheck('STATIC_USERMODEHELPER',            'y', 'my', 'self_protection')) # breaks systemd?
+    checklist.append(OptCheck('SECURITY_LOADPIN',                 'y', 'my', 'self_protection'))
     checklist.append(OptCheck('PAGE_POISONING_NO_SANITY',         'is not set', 'my', 'self_protection'))
     checklist.append(OptCheck('PAGE_POISONING_ZERO',              'is not set', 'my', 'self_protection'))
+    checklist.append(OptCheck('SLAB_MERGE_DEFAULT',               'is not set', 'my', 'self_protection')) # slab_nomerge
 
     checklist.append(OptCheck('SECURITY',                    'y', 'ubuntu18', 'security_policy'))
     checklist.append(OptCheck('SECURITY_YAMA',               'y', 'ubuntu18', 'security_policy'))