X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig-hardened-check.py;h=f66f61adc48749845f79dbfae7bce0468118be40;hb=885eca86950992cdc34ef6067999fdc5b1467265;hp=ac2644fefd4caff44298958b669033a045a7ded6;hpb=ff20d4b5a2e2668951d3fb7343a833b48202cff2;p=kconfig-hardened-check.git

diff --git a/kconfig-hardened-check.py b/kconfig-hardened-check.py
index ac2644f..f66f61a 100755
--- a/kconfig-hardened-check.py
+++ b/kconfig-hardened-check.py
@@ -45,10 +45,53 @@ class OptCheck:
         else:
             self.result = 'FAIL: "' + self.state + '"'
 
+        if self.result.startswith('OK'):
+            return True, self.result
+        else:
+            return False, self.result
+
     def __repr__(self):
         return '{} = {}'.format(self.name, self.state)
 
 
+class OR:
+    def __init__(self, *opts):
+        self.opts = opts
+        self.result = None
+
+    # self.opts[0] is the option which this OR-check is about.
+    # Use case: OR(<X_is_hardened>, <X_is_disabled>)
+
+    @property
+    def name(self):
+        return self.opts[0].name
+
+    @property
+    def expected(self):
+        return self.opts[0].expected
+
+    @property
+    def state(self):
+        return self.opts[0].state
+
+    @property
+    def decision(self):
+        return self.opts[0].decision
+
+    @property
+    def reason(self):
+        return self.opts[0].reason
+
+    def check(self):
+        for opt in self.opts:
+            result, msg = opt.check()
+            if result:
+                self.result = 'OK (CONFIG_{} {})'.format(opt.name, opt.state)
+                return result, self.result
+        self.result = 'FAIL: "{}"'.format(self.opts[0].state)
+        return False, self.result
+
+
 def construct_opt_checks():
     checklist.append(OptCheck('BUG',                     'y', 'ubuntu18', 'self_protection'))
     checklist.append(OptCheck('PAGE_TABLE_ISOLATION',    'y', 'ubuntu18', 'self_protection'))
@@ -112,6 +155,7 @@ def construct_opt_checks():
     checklist.append(OptCheck('ZSMALLOC_STAT',        'is not set', 'ubuntu18', 'cut_attack_surface'))
     checklist.append(OptCheck('PAGE_OWNER',           'is not set', 'ubuntu18', 'cut_attack_surface'))
     checklist.append(OptCheck('DEBUG_KMEMLEAK',       'is not set', 'ubuntu18', 'cut_attack_surface'))
+    checklist.append(OptCheck('BINFMT_AOUT',          'is not set', 'ubuntu18', 'cut_attack_surface'))
 
     checklist.append(OptCheck('IO_STRICT_DEVMEM',     'y', 'kspp', 'cut_attack_surface'))
     checklist.append(OptCheck('LEGACY_VSYSCALL_NONE', 'y', 'kspp', 'cut_attack_surface')) # 'vsyscall=none'
@@ -177,7 +221,11 @@ def get_option_state(options, name):
 
 def perform_checks(parsed_options):
     for opt in checklist:
-        opt.state = get_option_state(parsed_options, opt.name)
+        if hasattr(opt, 'opts'):
+            for o in opt.opts:
+                o.state = get_option_state(parsed_options, o.name)
+        else:
+            opt.state = get_option_state(parsed_options, opt.name)
         opt.check()