l += [KconfigCheck('cut_attack_surface', 'clipos', 'X86_IOPL_IOPERM', 'is not set')] # refers to LOCKDOWN
l += [KconfigCheck('cut_attack_surface', 'clipos', 'ACPI_TABLE_UPGRADE', 'is not set')] # refers to LOCKDOWN
l += [KconfigCheck('cut_attack_surface', 'clipos', 'EFI_CUSTOM_SSDT_OVERLAYS', 'is not set')]
+ l += [KconfigCheck('cut_attack_surface', 'clipos', 'AIO', 'is not set')]
# l += [KconfigCheck('cut_attack_surface', 'clipos', 'IKCONFIG', 'is not set')] # no, IKCONFIG is needed for this check :)
# 'cut_attack_surface', 'lockdown'
l += [KconfigCheck('cut_attack_surface', 'my', 'VIDEO_VIVID', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'my', 'INPUT_EVBUG', 'is not set')] # Can be used as a keylogger
l += [KconfigCheck('cut_attack_surface', 'my', 'KGDB', 'is not set')]
- l += [KconfigCheck('cut_attack_surface', 'my', 'AIO', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'my', 'CORESIGHT', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'my', 'XFS_SUPPORT_V4', 'is not set')]
l += [OR(KconfigCheck('cut_attack_surface', 'my', 'TRIM_UNUSED_KSYMS', 'y'),
CmdlineCheck('self_protection', 'kspp', 'hardened_usercopy', 'is not set')))]
l += [AND(CmdlineCheck('self_protection', 'kspp', 'slab_common.usercopy_fallback', 'is not set'),
KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY_FALLBACK', 'is not set'))]
- # don't require slab_common.usercopy_fallback=0,
- # since HARDENED_USERCOPY_FALLBACK was removed in Linux v5.16
+ # Consequence of the HARDENED_USERCOPY_FALLBACK check by kspp.
+ # Don't require slab_common.usercopy_fallback=0,
+ # since HARDENED_USERCOPY_FALLBACK was removed in Linux v5.16.
if arch in ('X86_64', 'ARM64', 'X86_32'):
l += [OR(CmdlineCheck('self_protection', 'kspp', 'iommu.strict', '1'),
AND(KconfigCheck('self_protection', 'kspp', 'IOMMU_DEFAULT_DMA_STRICT', 'y'),
KconfigCheck('cut_attack_surface', 'kspp', 'X86_VSYSCALL_EMULATION', 'is not set'),
AND(KconfigCheck('cut_attack_surface', 'kspp', 'LEGACY_VSYSCALL_NONE', 'y'),
CmdlineCheck('cut_attack_surface', 'kspp', 'vsyscall', 'is not set')))]
- l += [OR(CmdlineCheck('cut_attack_surface', 'my', 'vdso32', '1'),
- CmdlineCheck('cut_attack_surface', 'my', 'vdso32', '0'),
+ l += [OR(CmdlineCheck('cut_attack_surface', 'kspp', 'vdso32', '0'),
+ CmdlineCheck('cut_attack_surface', 'my', 'vdso32', '1'),
AND(KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT_VDSO', 'is not set'),
CmdlineCheck('cut_attack_surface', 'my', 'vdso32', 'is not set')))] # the vdso32 parameter must not be 2
if arch == 'X86_32':
- l += [OR(CmdlineCheck('cut_attack_surface', 'my', 'vdso32', '1'),
- CmdlineCheck('cut_attack_surface', 'my', 'vdso', '1'),
- CmdlineCheck('cut_attack_surface', 'my', 'vdso32', '0'),
+ l += [OR(CmdlineCheck('cut_attack_surface', 'kspp', 'vdso32', '0'),
CmdlineCheck('cut_attack_surface', 'my', 'vdso', '0'),
+ CmdlineCheck('cut_attack_surface', 'my', 'vdso32', '1'),
+ CmdlineCheck('cut_attack_surface', 'my', 'vdso', '1'),
AND(KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT_VDSO', 'is not set'),
CmdlineCheck('cut_attack_surface', 'my', 'vdso32', 'is not set'),
CmdlineCheck('cut_attack_surface', 'my', 'vdso', 'is not set')))] # the vdso and vdso32 parameters must not be 2
projects / kconfig-hardened-check.git / blobdiff