X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kernel_hardening_checker%2Fchecks.py;h=10c3482bf0265b592ff4d43fcedeaee8f23d592a;hb=613f481566b7bf398962d12ac492f2970c5fa51f;hp=780f7b87453e2c8444a38065f66dfd681d970c66;hpb=fd4c2f8a1bb754514c166efbd3a0029f8d97a91c;p=kconfig-hardened-check.git

diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py
index 780f7b8..10c3482 100644
--- a/kernel_hardening_checker/checks.py
+++ b/kernel_hardening_checker/checks.py
@@ -35,7 +35,6 @@ def add_kconfig_checks(l, arch):
     l += [KconfigCheck('self_protection', 'defconfig', 'BUG', 'y')]
     l += [KconfigCheck('self_protection', 'defconfig', 'SLUB_DEBUG', 'y')]
     l += [KconfigCheck('self_protection', 'defconfig', 'THREAD_INFO_IN_TASK', 'y')]
-    gcc_plugins_support_is_set = KconfigCheck('self_protection', 'defconfig', 'GCC_PLUGINS', 'y')
     iommu_support_is_set = KconfigCheck('self_protection', 'defconfig', 'IOMMU_SUPPORT', 'y')
     l += [iommu_support_is_set] # is needed for mitigating DMA attacks
     l += [OR(KconfigCheck('self_protection', 'defconfig', 'STACKPROTECTOR', 'y'),
@@ -139,7 +138,8 @@ def add_kconfig_checks(l, arch):
              VersionCheck((6, 6, 8)))] # DEBUG_CREDENTIALS was dropped in v6.6.8
     l += [OR(KconfigCheck('self_protection', 'kspp', 'DEBUG_NOTIFIERS', 'y'),
              AND(cfi_clang_is_set,
-                 cfi_clang_permissive_not_set))]
+                 cfi_clang_permissive_not_set,
+                 cc_is_clang))]
     l += [OR(KconfigCheck('self_protection', 'kspp', 'SCHED_STACK_END_CHECK', 'y'),
              vmap_stack_is_set)]
     kfence_is_set = KconfigCheck('self_protection', 'kspp', 'KFENCE', 'y')
@@ -159,7 +159,7 @@ def add_kconfig_checks(l, arch):
     l += [AND(KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY_PAGESPAN', 'is not set'),
               hardened_usercopy_is_set)] # this debugging for HARDENED_USERCOPY is not needed for security
     l += [AND(KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_LATENT_ENTROPY', 'y'),
-              gcc_plugins_support_is_set)]
+              cc_is_gcc)]
     l += [OR(KconfigCheck('self_protection', 'kspp', 'MODULE_SIG', 'y'),
              modules_not_set)]
     l += [OR(KconfigCheck('self_protection', 'kspp', 'MODULE_SIG_ALL', 'y'),
@@ -197,18 +197,21 @@ def add_kconfig_checks(l, arch):
               ubsan_bounds_is_set)]
     if arch in ('X86_64', 'ARM64', 'X86_32'):
         stackleak_is_set = KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_STACKLEAK', 'y')
-        l += [AND(stackleak_is_set, gcc_plugins_support_is_set)]
+        l += [AND(stackleak_is_set,
+                  cc_is_gcc)]
         l += [AND(KconfigCheck('self_protection', 'kspp', 'STACKLEAK_METRICS', 'is not set'),
                   stackleak_is_set,
-                  gcc_plugins_support_is_set)]
+                  cc_is_gcc)]
         l += [AND(KconfigCheck('self_protection', 'kspp', 'STACKLEAK_RUNTIME_DISABLE', 'is not set'),
                   stackleak_is_set,
-                  gcc_plugins_support_is_set)]
+                  cc_is_gcc)]
         l += [KconfigCheck('self_protection', 'kspp', 'RANDOMIZE_KSTACK_OFFSET_DEFAULT', 'y')]
     if arch in ('X86_64', 'ARM64'):
-        l += [cfi_clang_is_set]
+        l += [AND(cfi_clang_is_set,
+                  cc_is_clang)]
         l += [AND(cfi_clang_permissive_not_set,
-                  cfi_clang_is_set)]
+                  cfi_clang_is_set,
+                  cc_is_clang)]
     if arch in ('X86_64', 'X86_32'):
         l += [KconfigCheck('self_protection', 'kspp', 'HW_RANDOM_TPM', 'y')]
         l += [KconfigCheck('self_protection', 'kspp', 'DEFAULT_MMAP_MIN_ADDR', '65536')]