Skip unprivileged_userfaultfd if USERFAULTFD unset

[kconfig-hardened-check.git] / kernel_hardening_checker / checks.py

diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py
index 9f48d5849f6a675a3d560ec0138a2ad8da44e956..e2cf42e13a579f50289528da06a3ce6a1381ba2e 100644 (file)
--- a/kernel_hardening_checker/checks.py
+++ b/kernel_hardening_checker/checks.py
@@ -680,8 +680,11 @@ def add_sysctl_checks(l, _arch):
              AND(KconfigCheck('cut_attack_surface', 'lockdown', 'BPF_SYSCALL', 'is not set'),
                  have_config_file))]
     l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kptr_restrict', '2')]
-    l += [SysctlCheck('cut_attack_surface', 'kspp', 'dev.tty.legacy_tiocsti', '0')]
-    l += [SysctlCheck('cut_attack_surface', 'kspp', 'vm.unprivileged_userfaultfd', '0')]
+    l += [OR(SysctlCheck('cut_attack_surface', 'kspp', 'dev.tty.legacy_tiocsti', '0'),
+             SysctlCheck('cut_attack_surface', 'kspp', 'dev.tty.legacy_tiocsti', 'is not set'))]
+    l += [OR(SysctlCheck('cut_attack_surface', 'kspp', 'vm.unprivileged_userfaultfd', '0'),
+             AND(KconfigCheck('cut_attack_surface', 'grsec', 'USERFAULTFD', 'is not set'),
+                 have_config_file))]
           # At first, it disabled unprivileged userfaultfd,
           # and since v5.11 it enables unprivileged userfaultfd for user-mode only.