X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig-hardened-check.py;h=3b9a254941ad35f0c51b308840e11d2d9e38cf35;hb=487ad8477e84a23b0aa3ae504c0bd765e38ab909;hp=6e0d8f6be61e42d6043becc327c49e5f13a386b4;hpb=59f626bbb3d1c0ead50d4ab079a02e351b29ad69;p=kconfig-hardened-check.git diff --git a/kconfig-hardened-check.py b/kconfig-hardened-check.py index 6e0d8f6..3b9a254 100755 --- a/kconfig-hardened-check.py +++ b/kconfig-hardened-check.py @@ -238,14 +238,14 @@ def construct_checklist(checklist, arch): checklist.append(OptCheck('GCC_PLUGINS', 'y', 'defconfig', 'self_protection')) checklist.append(OR(OptCheck('REFCOUNT_FULL', 'y', 'defconfig', 'self_protection'), \ VerCheck((5, 5)))) # REFCOUNT_FULL is enabled by default since v5.5 + iommu_support_is_set = OptCheck('IOMMU_SUPPORT', 'y', 'defconfig', 'self_protection') # is needed for mitigating DMA attacks + checklist.append(iommu_support_is_set) if arch == 'X86_64' or arch == 'X86_32': checklist.append(OptCheck('MICROCODE', 'y', 'defconfig', 'self_protection')) # is needed for mitigating CPU bugs checklist.append(OptCheck('RETPOLINE', 'y', 'defconfig', 'self_protection')) checklist.append(OptCheck('X86_SMAP', 'y', 'defconfig', 'self_protection')) checklist.append(OR(OptCheck('X86_UMIP', 'y', 'defconfig', 'self_protection'), \ OptCheck('X86_INTEL_UMIP', 'y', 'defconfig', 'self_protection'))) - iommu_support_is_set = OptCheck('IOMMU_SUPPORT', 'y', 'defconfig', 'self_protection') # is needed for mitigating DMA attacks - checklist.append(iommu_support_is_set) checklist.append(OptCheck('SYN_COOKIES', 'y', 'defconfig', 'self_protection')) # another reason? if arch == 'X86_64': checklist.append(OptCheck('PAGE_TABLE_ISOLATION', 'y', 'defconfig', 'self_protection')) @@ -346,6 +346,8 @@ def construct_checklist(checklist, arch): if arch == 'ARM': checklist.append(OptCheck('SECURITY', 'y', 'kspp', 'security_policy')) # and choose your favourite LSM checklist.append(OptCheck('SECURITY_YAMA', 'y', 'kspp', 'security_policy')) + checklist.append(OR(OptCheck('SECURITY_WRITABLE_HOOKS', 'is not set', 'my', 'security_policy'), \ + OptCheck('SECURITY_SELINUX_DISABLE', 'is not set', 'kspp', 'security_policy'))) checklist.append(OptCheck('SECURITY_LOCKDOWN_LSM', 'y', 'clipos', 'security_policy')) checklist.append(OptCheck('SECURITY_LOCKDOWN_LSM_EARLY', 'y', 'clipos', 'security_policy')) checklist.append(OptCheck('LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY', 'y', 'clipos', 'security_policy')) @@ -354,7 +356,6 @@ def construct_checklist(checklist, arch): checklist.append(AND(OptCheck('SECURITY_LOADPIN_ENFORCE', 'y', 'my', 'security_policy'), \ loadpin_is_set)) checklist.append(OptCheck('SECURITY_SAFESETID', 'y', 'my', 'security_policy')) - checklist.append(OptCheck('SECURITY_WRITABLE_HOOKS', 'is not set', 'my', 'security_policy')) checklist.append(OptCheck('SECCOMP', 'y', 'defconfig', 'cut_attack_surface')) checklist.append(OptCheck('SECCOMP_FILTER', 'y', 'defconfig', 'cut_attack_surface')) @@ -420,6 +421,7 @@ def construct_checklist(checklist, arch): checklist.append(OptCheck('KEXEC_FILE', 'is not set', 'clipos', 'cut_attack_surface')) # refers to LOCKDOWN (permissive) checklist.append(OptCheck('USER_NS', 'is not set', 'clipos', 'cut_attack_surface')) # user.max_user_namespaces=0 checklist.append(OptCheck('X86_MSR', 'is not set', 'clipos', 'cut_attack_surface')) # refers to LOCKDOWN + checklist.append(OptCheck('X86_CPUID', 'is not set', 'clipos', 'cut_attack_surface')) checklist.append(AND(OptCheck('LDISC_AUTOLOAD', 'is not set', 'clipos', 'cut_attack_surface'), \ VerCheck((5, 1)))) # LDISC_AUTOLOAD can be disabled since v5.1