Add the comment about kernel.randomize_va_space

[kconfig-hardened-check.git] / kconfig_hardened_check / __init__.py

diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py
index 27cbd21b67dfc88cddfd1a36fa853f344ac30db2..8daa93461f5a39d93f94261b5156a2e54df3c72c 100644 (file)
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -58,11 +58,9 @@
 #    what about bpf_jit_enable?
 #    kernel.unprivileged_bpf_disabled=1
 #    net.core.bpf_jit_harden=2
-#
 #    vm.unprivileged_userfaultfd=0
 #        (at first, it disabled unprivileged userfaultfd,
 #         and since v5.11 it enables unprivileged userfaultfd for user-mode only)
-#
 #    dev.tty.ldisc_autoload=0
 #    fs.protected_symlinks=1
 #    fs.protected_hardlinks=1
@@ -70,6 +68,7 @@
 #    fs.protected_regular=2
 #    fs.suid_dumpable=0
 #    kernel.modules_disabled=1
+#    kernel.randomize_va_space = 2
 
 
 # pylint: disable=missing-module-docstring,missing-class-docstring,missing-function-docstring
@@ -631,6 +630,7 @@ def add_kconfig_checks(l, arch):
     l += [KconfigCheck('cut_attack_surface', 'my', 'FTRACE', 'is not set')] # refers to LOCKDOWN
     l += [KconfigCheck('cut_attack_surface', 'my', 'VIDEO_VIVID', 'is not set')]
     l += [KconfigCheck('cut_attack_surface', 'my', 'INPUT_EVBUG', 'is not set')] # Can be used as a keylogger
+    l += [KconfigCheck('cut_attack_surface', 'my', 'KGDB', 'is not set')]
 
     # 'harden_userspace'
     if arch in ('X86_64', 'ARM64', 'X86_32'):