Add the X86_KERNEL_IBT check

[kconfig-hardened-check.git] / kconfig_hardened_check / __init__.py

diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py
index c6c4349839f4ed4448a5f10e217d7135aedc9003..cdb08288fa0f3ccf2b938cf88fb92462070da61f 100644 (file)
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -20,7 +20,7 @@ import re
 import json
 from .__about__ import __version__
 from .checks import add_kconfig_checks, add_cmdline_checks, normalize_cmdline_options
-from .engine import populate_with_data, perform_checks
+from .engine import populate_with_data, perform_checks, override_expected_value
 
 
 def _open(file: str, *args, **kwargs):
@@ -213,7 +213,7 @@ def main():
     parser.add_argument('-p', '--print', choices=supported_archs,
                         help='print security hardening preferences for the selected architecture')
     parser.add_argument('-c', '--config',
-                        help='check the kernel kconfig file against these preferences')
+                        help='check the kernel kconfig file against these preferences (also supports *.gz files)')
     parser.add_argument('-l', '--cmdline',
                         help='check the kernel cmdline file against these preferences')
     parser.add_argument('-m', '--mode', choices=report_modes,
@@ -277,6 +277,11 @@ def main():
             parse_cmdline_file(parsed_cmdline_options, args.cmdline)
             populate_with_data(config_checklist, parsed_cmdline_options, 'cmdline')
 
+        # hackish refinement of the CONFIG_ARCH_MMAP_RND_BITS check
+        mmap_rnd_bits_max = parsed_kconfig_options.get('CONFIG_ARCH_MMAP_RND_BITS_MAX', None)
+        if mmap_rnd_bits_max:
+            override_expected_value(config_checklist, 'CONFIG_ARCH_MMAP_RND_BITS', mmap_rnd_bits_max)
+
         # now everything is ready, perform the checks
         perform_checks(config_checklist)