for i, opt in enumerate(self.opts):
opt.check()
if opt.result.startswith('OK'):
- if opt.result == 'OK' and i != 0:
- # Simple OK is not enough for additional checks, add more info:
- self.result = 'OK: {} "{}"'.format(opt.name, opt.expected)
- else:
- self.result = opt.result
+ self.result = opt.result
+ # Add more info for additional checks:
+ if i != 0:
+ if opt.result == 'OK':
+ self.result = 'OK: {} "{}"'.format(opt.name, opt.expected)
+ elif opt.result == 'OK: not found':
+ self.result = 'OK: {} not found'.format(opt.name)
+ elif opt.result == 'OK: is present':
+ self.result = 'OK: {} is present'.format(opt.name)
+ # VersionCheck provides enough info
+ elif not opt.result.startswith('OK: version'):
+ sys.exit('[!] ERROR: unexpected OK description "{}"'.format(opt.result))
return
self.result = self.opts[0].result
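Review bot: The new `sys.exit` that closes the `if i != 0:` chain fires for every OK text other than the four listed, and that would include the already-expanded result of a nested complex check (for example `OK: NAME "y"`, which this same rewrite produces) if one is ever passed as a non-first option; whether any check list does that is not visible here. The FAIL branch in the AND hunk below has the same shape: a nested result such as `FAIL: NAME not present` matches none of the exact strings and would reach the `unexpected FAIL description` exit. If nesting after the first option is meant to be unsupported, state it next to the chain, e.g. `# options after the first must be simple checks: their result text is matched exactly`. The comment `# VersionCheck provides enough info` also reads as if it described the error branch; `# 'OK: version ...' is kept as is, anything else is a bug` would say what the branch does. The enclosing method starts above this hunk.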
elif opt.result == 'FAIL: not present':
self.result = 'FAIL: {} not present'.format(opt.name)
else:
- # This FAIL message is self-explaining.
+ # VersionCheck provides enough info
self.result = opt.result
+ if not opt.result.startswith('FAIL: version'):
+ sys.exit('[!] ERROR: unexpected FAIL description "{}"'.format(opt.result))
return
sys.exit('[!] ERROR: invalid AND check')
l += [KconfigCheck('cut_attack_surface', 'kspp', 'X86_X32', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'kspp', 'MODIFY_LDT_SYSCALL', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'kspp', 'OABI_COMPAT', 'is not set')]
+ l += [KconfigCheck('cut_attack_surface', 'kspp', 'X86_MSR', 'is not set')] # refers to LOCKDOWN
l += [modules_not_set]
l += [devmem_not_set]
l += [OR(KconfigCheck('cut_attack_surface', 'kspp', 'IO_STRICT_DEVMEM', 'y'),
l += [KconfigCheck('cut_attack_surface', 'clipos', 'MAGIC_SYSRQ', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'clipos', 'KEXEC_FILE', 'is not set')] # refers to LOCKDOWN (permissive)
l += [KconfigCheck('cut_attack_surface', 'clipos', 'USER_NS', 'is not set')] # user.max_user_namespaces=0
- l += [KconfigCheck('cut_attack_surface', 'clipos', 'X86_MSR', 'is not set')] # refers to LOCKDOWN
l += [KconfigCheck('cut_attack_surface', 'clipos', 'X86_CPUID', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'clipos', 'X86_IOPL_IOPERM', 'is not set')] # refers to LOCKDOWN
l += [KconfigCheck('cut_attack_surface', 'clipos', 'ACPI_TABLE_UPGRADE', 'is not set')] # refers to LOCKDOWN
opt.state = data.get(opt.name, None)
elif data_type == 'version':
opt.ver = data
+ else:
+ sys.exit('[!] ERROR: unexpected data type "{}"'.format(data_type))
def populate_opt_with_data(opt, data, data_type):