l += [KconfigCheck('cut_attack_surface', 'clipos', 'X86_IOPL_IOPERM', 'is not set')] # refers to LOCKDOWN
l += [KconfigCheck('cut_attack_surface', 'clipos', 'ACPI_TABLE_UPGRADE', 'is not set')] # refers to LOCKDOWN
l += [KconfigCheck('cut_attack_surface', 'clipos', 'EFI_CUSTOM_SSDT_OVERLAYS', 'is not set')]
+ l += [KconfigCheck('cut_attack_surface', 'clipos', 'AIO', 'is not set')]
# l += [KconfigCheck('cut_attack_surface', 'clipos', 'IKCONFIG', 'is not set')] # no, IKCONFIG is needed for this check :)
# 'cut_attack_surface', 'lockdown'
l += [KconfigCheck('cut_attack_surface', 'my', 'VIDEO_VIVID', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'my', 'INPUT_EVBUG', 'is not set')] # Can be used as a keylogger
l += [KconfigCheck('cut_attack_surface', 'my', 'KGDB', 'is not set')]
- l += [KconfigCheck('cut_attack_surface', 'my', 'AIO', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'my', 'CORESIGHT', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'my', 'XFS_SUPPORT_V4', 'is not set')]
l += [OR(KconfigCheck('cut_attack_surface', 'my', 'TRIM_UNUSED_KSYMS', 'y'),
AND(KconfigCheck('cut_attack_surface', 'kspp', 'LEGACY_VSYSCALL_NONE', 'y'),
CmdlineCheck('cut_attack_surface', 'kspp', 'vsyscall', 'is not set')))]
l += [OR(CmdlineCheck('cut_attack_surface', 'my', 'vdso32', '1'),
- CmdlineCheck('cut_attack_surface', 'my', 'vdso32', '0'),
+ CmdlineCheck('cut_attack_surface', 'kspp', 'vdso32', '0'),
AND(KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT_VDSO', 'is not set'),
CmdlineCheck('cut_attack_surface', 'my', 'vdso32', 'is not set')))] # the vdso32 parameter must not be 2
if arch == 'X86_32':
l += [OR(CmdlineCheck('cut_attack_surface', 'my', 'vdso32', '1'),
CmdlineCheck('cut_attack_surface', 'my', 'vdso', '1'),
- CmdlineCheck('cut_attack_surface', 'my', 'vdso32', '0'),
+ CmdlineCheck('cut_attack_surface', 'kspp', 'vdso32', '0'),
CmdlineCheck('cut_attack_surface', 'my', 'vdso', '0'),
AND(KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT_VDSO', 'is not set'),
CmdlineCheck('cut_attack_surface', 'my', 'vdso32', 'is not set'),