X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2F__init__.py;h=493d1775ec36a9fed2716bedab60e0ca95e8be15;hb=6f4d93794d11d7c31dd53e85feff17eb6a1e792e;hp=07b467e3680d05d2930528411a17ab8968cfa20a;hpb=e749495f7f390da99c2881833167e4b3cf4b46ae;p=kconfig-hardened-check.git diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py index 07b467e..493d177 100644 --- a/kconfig_hardened_check/__init__.py +++ b/kconfig_hardened_check/__init__.py @@ -493,11 +493,11 @@ def add_kconfig_checks(l, arch): if arch == 'ARM': l += [KconfigCheck('security_policy', 'kspp', 'SECURITY', 'y')] # and choose your favourite LSM l += [KconfigCheck('security_policy', 'kspp', 'SECURITY_YAMA', 'y')] - l += [OR(KconfigCheck('security_policy', 'my', 'SECURITY_WRITABLE_HOOKS', 'is not set'), - KconfigCheck('security_policy', 'kspp', 'SECURITY_SELINUX_DISABLE', 'is not set'))] + l += [KconfigCheck('security_policy', 'kspp', 'SECURITY_SELINUX_DISABLE', 'is not set')] l += [KconfigCheck('security_policy', 'clipos', 'SECURITY_LOCKDOWN_LSM', 'y')] l += [KconfigCheck('security_policy', 'clipos', 'SECURITY_LOCKDOWN_LSM_EARLY', 'y')] l += [KconfigCheck('security_policy', 'clipos', 'LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY', 'y')] + l += [KconfigCheck('security_policy', 'my', 'SECURITY_WRITABLE_HOOKS', 'is not set')] # refers to SECURITY_SELINUX_DISABLE l += [KconfigCheck('security_policy', 'my', 'SECURITY_SAFESETID', 'y')] loadpin_is_set = KconfigCheck('security_policy', 'my', 'SECURITY_LOADPIN', 'y') l += [loadpin_is_set] # needs userspace support @@ -629,8 +629,6 @@ def add_kconfig_checks(l, arch): l += [KconfigCheck('harden_userspace', 'defconfig', 'INTEGRITY', 'y')] if arch == 'ARM': l += [KconfigCheck('harden_userspace', 'my', 'INTEGRITY', 'y')] - if arch == 'ARM64': - l += [KconfigCheck('harden_userspace', 'defconfig', 'ARM64_MTE', 'y')] if arch in ('ARM', 'X86_32'): l += [KconfigCheck('harden_userspace', 'defconfig', 'VMSPLIT_3G', 'y')] if arch in ('X86_64', 'ARM64'):