X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2Fengine.py;h=8f3191bd75182caeb390c14f30e78edd1645d9e7;hb=e1dba290cc8f230c10b4f5adc521a70e104eb566;hp=e88781e5cfbf19f9c5ecd274bfa7a7e2d2d8171c;hpb=fa57d8b225d289997d7d019ab32252040efab4d6;p=kconfig-hardened-check.git diff --git a/kconfig_hardened_check/engine.py b/kconfig_hardened_check/engine.py index e88781e..8f3191b 100644 --- a/kconfig_hardened_check/engine.py +++ b/kconfig_hardened_check/engine.py @@ -1,9 +1,7 @@ #!/usr/bin/python3 """ -This tool helps me to check Linux kernel options against -my security hardening preferences for X86_64, ARM64, X86_32, and ARM. -Let the computers do their job! +This tool is for checking the security hardening options of the Linux kernel. Author: Alexander Popov @@ -105,6 +103,12 @@ class CmdlineCheck(OptCheck): return 'cmdline' +class SysctlCheck(OptCheck): + @property + def type(self): + return 'sysctl' + + class VersionCheck: def __init__(self, ver_expected): assert(ver_expected and isinstance(ver_expected, tuple) and len(ver_expected) == 2), \ @@ -143,7 +147,7 @@ class ComplexOptCheck: f'empty {self.__class__.__name__} check' assert(len(self.opts) != 1), \ f'useless {self.__class__.__name__} check: {opts}' - assert(isinstance(opts[0], (KconfigCheck, CmdlineCheck))), \ + assert(isinstance(opts[0], (KconfigCheck, CmdlineCheck, SysctlCheck))), \ f'invalid {self.__class__.__name__} check: {opts}' self.result = None @@ -240,7 +244,7 @@ class AND(ComplexOptCheck): return -SIMPLE_OPTION_TYPES = ('kconfig', 'version', 'cmdline') +SIMPLE_OPTION_TYPES = ('kconfig', 'cmdline', 'sysctl', 'version') def populate_simple_opt_with_data(opt, data, data_type): @@ -256,7 +260,7 @@ def populate_simple_opt_with_data(opt, data, data_type): if data_type != opt.type: return - if data_type in ('kconfig', 'cmdline'): + if data_type in ('kconfig', 'cmdline', 'sysctl'): opt.state = data.get(opt.name, None) else: assert(data_type == 'version'), \ 
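Review bot: In populate_simple_opt_with_data, the widened branch `if data_type in ('kconfig', 'cmdline', 'sysctl'):` now stores `data.get(opt.name, None)` for sysctl checks too, so a sysctl missing from the parsed input gets the same `None` state as any other absent option. That deserves a comment above the assignment, for example `# a name missing from data is stored as None; for sysctl input this may also mean the value could not be read when the dump was collected`. Whether that case can actually occur depends on how the sysctl data is gathered, which this hunk does not show. The function starts and ends outside the hunk.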
@@ -273,8 +277,8 @@ def populate_opt_with_data(opt, data, data_type): else: populate_simple_opt_with_data(o, data, data_type) else: - assert(opt.type in ('kconfig', 'cmdline')), \ - f'bad type "{opt.type}" for a simple check' + assert(opt.type != 'version'), \ + 'a simple check with a single VersionCheck is useless' populate_simple_opt_with_data(opt, data, data_type) @@ -283,6 +287,14 @@ def populate_with_data(checklist, data, data_type): populate_opt_with_data(opt, data, data_type) +def override_expected_value(checklist, name, new_val): + for opt in checklist: + if opt.name == name: + assert(opt.type in ('kconfig', 'cmdline', 'sysctl')), \ + f'overriding an expected value for "{opt.type}" checks is not supported yet' + opt.expected = new_val + + def perform_checks(checklist): for opt in checklist: opt.check()
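Review bot: The rewritten assert in the `else` branch of populate_opt_with_data replaces an allowlist with a denylist: `opt.type != 'version'` accepts any type string other than 'version', where the old line rejected everything but the known simple types. Keeping the allowlist and extending it, `assert(opt.type in ('kconfig', 'cmdline', 'sysctl')), f'bad type "{opt.type}" for a simple check'`, matches the tuple that override_expected_value asserts on in this same commit and still fails loudly on a mistyped or future type. populate_simple_opt_with_data may do its own type check outside this hunk, in which case this is a consistency point only. The function begins before the hunk.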
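Review bot: override_expected_value returns silently when no entry in `checklist` has `opt.name == name`, so a misspelled option name leaves the default expectation in place and the later report gives no hint that the override was never applied. Track the match and return it to the caller: `overridden = False` before the loop, `overridden = True` after `opt.expected = new_val`, and `return overridden` at the end, so the caller can reject an unknown name. The type guard is an `assert`, which Python drops under `-O`; this follows the file's existing convention, but an explicit check would be safer if the name and value come from user input. `new_val` is also assigned with no validation visible in this hunk.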