Withdraw my recommendation about BPF_JIT

[kconfig-hardened-check.git] / kconfig_hardened_check / __init__.py

diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py
index 5db3879e4f51d503972fe9d9e487963625fcaed1..fe69e1e8d0bbaa69b00741bd63de90f80ee0e8b5 100644 (file)
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -41,6 +41,7 @@
 #    kernel.kexec_load_disabled=1
 #    kernel.yama.ptrace_scope=3
 #    user.max_user_namespaces=0
+#    what about bpf_jit_enable?
 #    kernel.unprivileged_bpf_disabled=1
 #    net.core.bpf_jit_harden=2
 #
@@ -54,6 +55,11 @@
 #    fs.suid_dumpable=0
 #    kernel.modules_disabled=1
 
+
+# pylint: disable=missing-module-docstring,missing-class-docstring,missing-function-docstring
+# pylint: disable=line-too-long,invalid-name,too-many-branches,too-many-statements
+
+
 import sys
 from argparse import ArgumentParser
 from collections import OrderedDict
@@ -61,9 +67,6 @@ import re
 import json
 from .__about__ import __version__
 
-# pylint: disable=line-too-long,bad-whitespace,too-many-branches
-# pylint: disable=too-many-statements,global-statement
-
 
 class OptCheck:
     def __init__(self, reason, decision, name, expected):
@@ -89,7 +92,7 @@ class OptCheck:
             return True
         return False
 
-    def table_print(self, mode, with_results):
+    def table_print(self, _mode, with_results):
         print('CONFIG_{:<38}|{:^13}|{:^10}|{:^20}'.format(self.name, self.expected, self.decision, self.reason), end='')
         if with_results:
             print('|   {}'.format(self.result), end='')
@@ -98,7 +101,7 @@ class OptCheck:
 class VerCheck:
     def __init__(self, ver_expected):
         self.ver_expected = ver_expected
-        self.ver = None
+        self.ver = ()
         self.result = None
 
     def check(self):
@@ -114,7 +117,7 @@ class VerCheck:
         self.result = 'FAIL: version < ' + str(self.ver_expected[0]) + '.' + str(self.ver_expected[1])
         return False
 
-    def table_print(self, mode, with_results):
+    def table_print(self, _mode, with_results):
         ver_req = 'kernel version >= ' + str(self.ver_expected[0]) + '.' + str(self.ver_expected[1])
         print('{:<91}'.format(ver_req), end='')
         if with_results:
@@ -134,7 +137,7 @@ class PresenceCheck:
         self.result = 'OK: is present'
         return True
 
-    def table_print(self, mode, with_results):
+    def table_print(self, _mode, with_results):
         print('CONFIG_{:<84}'.format(self.name + ' is present'), end='')
         if with_results:
             print('|   {}'.format(self.result), end='')
@@ -448,7 +451,7 @@ def construct_checklist(l, arch):
     l += [OptCheck('cut_attack_surface', 'grsecurity', 'MEM_SOFT_DIRTY', 'is not set')]
     l += [OptCheck('cut_attack_surface', 'grsecurity', 'DEVPORT', 'is not set')] # refers to LOCKDOWN
     l += [OptCheck('cut_attack_surface', 'grsecurity', 'DEBUG_FS', 'is not set')] # refers to LOCKDOWN
-    l += [OptCheck('cut_attack_surface', 'grsecurity', 'NOTIFIER_ERROR_INJECTION','is not set')]
+    l += [OptCheck('cut_attack_surface', 'grsecurity', 'NOTIFIER_ERROR_INJECTION', 'is not set')]
     l += [AND(OptCheck('cut_attack_surface', 'grsecurity', 'X86_PTDUMP', 'is not set'),
               OptCheck('cut_attack_surface', 'my', 'PTDUMP_DEBUGFS', 'is not set'))]
 
@@ -490,7 +493,6 @@ def construct_checklist(l, arch):
     l += [OptCheck('cut_attack_surface', 'my', 'IP_DCCP', 'is not set')]
     l += [OptCheck('cut_attack_surface', 'my', 'IP_SCTP', 'is not set')]
     l += [OptCheck('cut_attack_surface', 'my', 'FTRACE', 'is not set')] # refers to LOCKDOWN
-    l += [OptCheck('cut_attack_surface', 'my', 'BPF_JIT', 'is not set')]
     l += [OptCheck('cut_attack_surface', 'my', 'VIDEO_VIVID', 'is not set')]
     l += [OptCheck('cut_attack_surface', 'my', 'INPUT_EVBUG', 'is not set')] # Can be used as a keylogger