This module contains knowledge for checks.
"""
-# pylint: disable=missing-function-docstring,line-too-long,invalid-name
+# pylint: disable=missing-function-docstring,line-too-long
# pylint: disable=too-many-branches,too-many-statements,too-many-locals
-from .engine import StrOrNone, KconfigCheck, CmdlineCheck, SysctlCheck, VersionCheck, OR, AND
from typing import List
+from .engine import StrOrNone, ChecklistObjType, KconfigCheck, CmdlineCheck, SysctlCheck, VersionCheck, OR, AND
-def add_kconfig_checks(l: List, arch: str) -> None:
+def add_kconfig_checks(l: List[ChecklistObjType], arch: str) -> None:
assert(arch), 'empty arch'
# Calling the KconfigCheck class constructor:
l += [KconfigCheck('self_protection', 'defconfig', 'DEBUG_ALIGN_RODATA', 'y')]
# 'self_protection', 'kspp'
+ l += [KconfigCheck('self_protection', 'kspp', 'PAGE_TABLE_CHECK', 'y')]
+ l += [KconfigCheck('self_protection', 'kspp', 'PAGE_TABLE_CHECK_ENFORCED', 'y')]
l += [KconfigCheck('self_protection', 'kspp', 'BUG_ON_DATA_CORRUPTION', 'y')]
l += [KconfigCheck('self_protection', 'kspp', 'SLAB_FREELIST_HARDENED', 'y')]
l += [KconfigCheck('self_protection', 'kspp', 'SLAB_FREELIST_RANDOM', 'y')]
l += [KconfigCheck('harden_userspace', 'a13xp0p0v', 'X86_USER_SHADOW_STACK', 'y')]
-def add_cmdline_checks(l: List, arch: str) -> None:
+def add_cmdline_checks(l: List[ChecklistObjType], arch: str) -> None:
assert(arch), 'empty arch'
# Calling the CmdlineCheck class constructor:
return value
-# TODO: draft of security hardening sysctls:
+# Ideas of security hardening sysctls:
# what about bpf_jit_enable?
# vm.mmap_min_addr has a good value
# nosmt sysfs control file
# kernel.warn_limit (think about a proper value)
# net.ipv4.tcp_syncookies=1 (?)
-def add_sysctl_checks(l: List, _arch: StrOrNone) -> None:
+def add_sysctl_checks(l: List[ChecklistObjType], _arch: StrOrNone) -> None:
# This function may be called with arch=None
# Calling the SysctlCheck class constructor:
projects / kconfig-hardened-check.git / blobdiff