Update direct feedback from Linux kernel maintainers (#62)

[kconfig-hardened-check.git] / kconfig_hardened_check / __init__.py

diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py
index 27cbd21b67dfc88cddfd1a36fa853f344ac30db2..dc65d4d996b38ce051bdb8840792b62d9b0b53f6 100644 (file)
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -42,6 +42,7 @@
 #           nokaslr
 #           arm64.nobti
 #           arm64.nopauth
+#           arm64.nomte
 #
 #    Hardware tag-based KASAN with arm64 Memory Tagging Extension (MTE):
 #           kasan=on
@@ -58,11 +59,9 @@
 #    what about bpf_jit_enable?
 #    kernel.unprivileged_bpf_disabled=1
 #    net.core.bpf_jit_harden=2
-#
 #    vm.unprivileged_userfaultfd=0
 #        (at first, it disabled unprivileged userfaultfd,
 #         and since v5.11 it enables unprivileged userfaultfd for user-mode only)
-#
 #    dev.tty.ldisc_autoload=0
 #    fs.protected_symlinks=1
 #    fs.protected_hardlinks=1
@@ -70,6 +69,7 @@
 #    fs.protected_regular=2
 #    fs.suid_dumpable=0
 #    kernel.modules_disabled=1
+#    kernel.randomize_va_space = 2
 
 
 # pylint: disable=missing-module-docstring,missing-class-docstring,missing-function-docstring
@@ -631,6 +631,7 @@ def add_kconfig_checks(l, arch):
     l += [KconfigCheck('cut_attack_surface', 'my', 'FTRACE', 'is not set')] # refers to LOCKDOWN
     l += [KconfigCheck('cut_attack_surface', 'my', 'VIDEO_VIVID', 'is not set')]
     l += [KconfigCheck('cut_attack_surface', 'my', 'INPUT_EVBUG', 'is not set')] # Can be used as a keylogger
+    l += [KconfigCheck('cut_attack_surface', 'my', 'KGDB', 'is not set')]
 
     # 'harden_userspace'
     if arch in ('X86_64', 'ARM64', 'X86_32'):