#
# Should NOT be set:
# nokaslr
+# rodata=off
+# sysrq_always_enabled
# arm64.nobti
# arm64.nopauth
# arm64.nomte
if with_results:
print('| {}'.format(self.result), end='')
+ def json_dump(self, with_results):
+ dump = [self.name, self.type, self.expected, self.decision, self.reason]
+ if with_results:
+ dump.append(self.result)
+ return dump
+
class KconfigCheck(OptCheck):
def __init__(self, *args, **kwargs):
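Review bot: The `json_dump` method moved into `OptCheck` has no docstring, and its return value is a positional list that JSON consumers have to index by position. Since it is now shared by every subclass, I would document the field order where it is defined, for example `"""Return [name, type, expected, decision, reason], plus result when with_results is true."""`. It also reads `self.type`, which in the visible lines is supplied only by the subclasses, so the docstring could state that subclasses must provide `type`.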
def type(self):
return 'kconfig'
- def json_dump(self, with_results):
- dump = [self.name, self.type, self.expected, self.decision, self.reason]
- if with_results:
- dump.append(self.result)
- return dump
+
+class CmdlineCheck(OptCheck):
+ @property
+ def type(self):
+ return 'cmdline'
class VersionCheck:
sys.exit('[!] ERROR: empty {} check'.format(self.__class__.__name__))
if len(self.opts) == 1:
sys.exit('[!] ERROR: useless {} check'.format(self.__class__.__name__))
- if not isinstance(opts[0], KconfigCheck):
+ if not isinstance(opts[0], KconfigCheck) and not isinstance(opts[0], CmdlineCheck):
sys.exit('[!] ERROR: invalid {} check: {}'.format(self.__class__.__name__, opts))
self.result = None
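Review bot: The widened type guard chains two negated `isinstance` calls, which gets harder to read and to extend each time a new check class is allowed as the first option. `isinstance` accepts a tuple, so the line can be written as `if not isinstance(opts[0], (KconfigCheck, CmdlineCheck)):`. The enclosing constructor starts outside this hunk, so I cannot see whether the remaining entries of `opts` are type-checked anywhere.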
# l += [KconfigCheck('feature_test', 'my', 'LKDTM', 'm')] # only for debugging!
+def add_cmdline_checks(l, arch):
+ # Calling the CmdlineCheck class constructor:
+ # CmdlineCheck(reason, decision, name, expected)
+
+ l += [CmdlineCheck('self_protection', 'kspp', 'randomize_kstack_offset', 'on')]
+ # TODO: add other
+
+
def print_unknown_options(checklist, parsed_options):
known_options = []
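Review bot: The `randomize_kstack_offset` entry in `add_cmdline_checks` expects the parameter to be given as `on`, but the kernel also enables this feature by default when `CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y`. A hardened kernel booted without the parameter would then presumably be reported as failing; how `CmdlineCheck` is evaluated is not visible here, so this is inferred. Consider accepting either the explicit `on` or the Kconfig default with the parameter absent, and noting it next to the entry, e.g. `# also satisfied by RANDOMIZE_KSTACK_OFFSET_DEFAULT=y when the parameter is not set`. Separately, `arch` is accepted but not used yet, while the header comment lists arm64-only parameters, so a short docstring saying that `arch` will gate architecture-specific checks would help.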
sys.exit('[!] ERROR: wrong mode "{}" for --print'.format(mode))
arch = args.print
add_kconfig_checks(config_checklist, arch)
+ add_cmdline_checks(config_checklist, arch)
if mode != 'json':
print('[+] Printing kernel security hardening preferences for {}...'.format(arch))
print_checklist(mode, config_checklist, False)