Add more info about perf_event_paranoid

[kconfig-hardened-check.git] / kconfig_hardened_check / __init__.py

diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py
index 90a7daf75794ee284474c338b4eb139e1c51857d..83ab1ebfa70b7f1d9713a7c747f5804e4230bcb8 100644 (file)
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -13,7 +13,7 @@
 # N.B. Hardening sysctls:
 #    kernel.kptr_restrict=2 (or 1?)
 #    kernel.dmesg_restrict=1 (also see the kconfig option)
-#    kernel.perf_event_paranoid=3
+#    kernel.perf_event_paranoid=2 (or 3 with a custom patch, see https://lwn.net/Articles/696216/)
 #    kernel.kexec_load_disabled=1
 #    kernel.yama.ptrace_scope=3
 #    user.max_user_namespaces=0
@@ -668,6 +668,7 @@ def add_kconfig_checks(l, arch):
     l += [KconfigCheck('cut_attack_surface', 'my', 'VIDEO_VIVID', 'is not set')]
     l += [KconfigCheck('cut_attack_surface', 'my', 'INPUT_EVBUG', 'is not set')] # Can be used as a keylogger
     l += [KconfigCheck('cut_attack_surface', 'my', 'KGDB', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'my', 'AIO', 'is not set')]
     l += [OR(KconfigCheck('cut_attack_surface', 'my', 'TRIM_UNUSED_KSYMS', 'y'),
              modules_not_set)]