Add DRM_LEGACY, FB, and VT checks
[kconfig-hardened-check.git] / kconfig_hardened_check / __init__.py
index f56ee3775f2c44beb4a9d03c33a5bb58c46061be..ea5a4c9de40e03d66b56cf414840a840c942bc86 100755 (executable)
@@ -102,7 +102,6 @@ class OptCheck:
         print('CONFIG_{:<38}|{:^13}|{:^10}|{:^20}'.format(self.name, self.expected, self.decision, self.reason), end='')
         if with_results:
             print('|   {}'.format(self.result), end='')
-        print()
 
 
 class VerCheck:
@@ -129,7 +128,26 @@ class VerCheck:
         print('{:<91}'.format(ver_req), end='')
         if with_results:
             print('|   {}'.format(self.result), end='')
-        print()
+
+
+class PresenceCheck:
+    def __init__(self, name):
+        self.name = name
+        self.state = None
+        self.result = None
+
+    def check(self):
+        if self.state is None:
+            self.result = 'FAIL: not present'
+            return False, self.result
+        else:
+            self.result = 'OK: is present'
+            return True, self.result
+
+    def table_print(self, with_results):
+        print('CONFIG_{:<84}'.format(self.name + ' is present'), end='')
+        if with_results:
+            print('|   {}'.format(self.result), end='')
 
 
 class ComplexOptCheck:
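Review bot: `PresenceCheck` has no docstring, and nothing in the class says who assigns `state`. `check()` returns 'FAIL: not present' whenever `state` is still None, so the result depends entirely on the config-parsing code, which is outside this hunk, finding this object by `name` and filling it in. If that code only populates `OptCheck` instances or only top-level checklist entries, a `PresenceCheck` nested inside `AND(...)` would fail on every kernel, so this is worth confirming. I would add a class docstring along the lines of `"""Pass when CONFIG_<name> appears in the parsed config with any value; the caller must set state before check()."""`. Note also that `table_print(True)` called before `check()` prints the literal `None` in the result column.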
@@ -162,12 +180,14 @@ class ComplexOptCheck:
             print('    {:87}'.format('<<< ' + self.__class__.__name__ + ' >>>'), end='')
             if with_results:
                 print('|   {}'.format(self.result), end='')
-            print()
             for o in self.opts:
+                print()
                 o.table_print(with_results)
         else:
             o = self.opts[0]
-            o.table_print(with_results)
+            o.table_print(False)
+            if with_results:
+                print('|   {}'.format(self.result), end='')
 
 
 class OR(ComplexOptCheck):
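Review bot: In the non-debug branch, `o.table_print(False)` followed by printing `self.result` puts the verdict of the whole compound check on a row labelled only with `opts[0]`. When a later operand decides the outcome, for example the `PresenceCheck` operand this commit adds, the row shows a FAIL against the first option's expectation. The reader can only tell which condition failed if the `check()` methods of `AND`/`OR` write that into `self.result`; they are outside this hunk, so that is unconfirmed. A comment above the `else:` body would make the intent explicit: `# compact mode: label the row with the first operand, report the result of the whole compound check`. The body of `table_print` starts outside the hunk.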
@@ -439,6 +459,10 @@ def construct_checklist(checklist, arch):
     checklist.append(OptCheck('DEBUG_FS',                'is not set', 'grsecurity', 'cut_attack_surface')) # refers to LOCKDOWN
     checklist.append(OptCheck('NOTIFIER_ERROR_INJECTION','is not set', 'grsecurity', 'cut_attack_surface'))
 
+    checklist.append(OptCheck('DRM_LEGACY',     'is not set', 'maintainer', 'cut_attack_surface'))
+    checklist.append(OptCheck('FB',             'is not set', 'maintainer', 'cut_attack_surface'))
+    checklist.append(OptCheck('VT',             'is not set', 'maintainer', 'cut_attack_surface'))
+
     checklist.append(OptCheck('ACPI_TABLE_UPGRADE',   'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCKDOWN
     checklist.append(OptCheck('X86_IOPL_IOPERM',      'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCKDOWN
     checklist.append(OptCheck('EFI_TEST',             'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCKDOWN
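Review bot: The new `DRM_LEGACY`, `FB` and `VT` entries use the decision label 'maintainer' but carry no comment saying where the recommendation comes from, while neighbouring entries at least note `# refers to LOCKDOWN`. Disabling `VT` and `FB` removes the kernel virtual terminals and fbdev support, which console and rescue setups commonly rely on. Someone auditing a config therefore needs the rationale to judge whether a FAIL on these rows applies to their system. I would add a comment above the block such as `# 'maintainer': recommended by a kernel maintainer, see <link to discussion>`, with the real reference filled in.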
@@ -458,7 +482,7 @@ def construct_checklist(checklist, arch):
     checklist.append(OptCheck('X86_MSR',                  'is not set', 'clipos', 'cut_attack_surface')) # refers to LOCKDOWN
     checklist.append(OptCheck('X86_CPUID',                'is not set', 'clipos', 'cut_attack_surface'))
     checklist.append(AND(OptCheck('LDISC_AUTOLOAD',           'is not set', 'clipos', 'cut_attack_surface'), \
-                         VerCheck((5, 1)))) # LDISC_AUTOLOAD can be disabled since v5.1
+                         PresenceCheck('LDISC_AUTOLOAD')))
 
     checklist.append(OptCheck('AIO',                  'is not set', 'grapheneos', 'cut_attack_surface'))
 
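Review bot: Replacing `VerCheck((5, 1))` with `PresenceCheck('LDISC_AUTOLOAD')` also drops the only comment explaining why the second operand exists. Presumably `OptCheck(..., 'is not set', ...)` also passes when the option is missing from the config entirely (its `check()` is not visible here), so on a kernel without the option the bare check would report OK while line-discipline autoloading cannot be turned off. Keeping that reasoning next to the check helps the next maintainer: `# 'is not set' alone would pass on kernels that lack LDISC_AUTOLOAD; require the option to exist`. Testing for presence rather than version also covers vendor kernels with the option backported, which is worth stating in the same comment.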
@@ -508,6 +532,7 @@ def print_checklist(checklist, with_results):
     # table contents
     for opt in checklist:
         opt.table_print(with_results)
+        print()
         if debug_mode:
             print('-' * sep_line_len)
     print()
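Review bot: With the `print()` calls removed from every `table_print()` and added here, each `table_print()` now leaves its row unterminated and the caller must end the line, but nothing documents that contract. Any other caller of `table_print()` outside this hunk would silently produce run-together rows. A one-line comment on the added call would do: `# table_print() does not end the row; terminate it here`. The body of `print_checklist` starts outside the hunk.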