X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kernel_hardening_checker%2Fchecks.py;h=1c05b43f37375b77f661f387b888bf17356b2808;hb=74147677be71c808be92666f1764f154d8829df4;hp=98b3d9cf43817811212cbd03d06dbbcac442b1ae;hpb=c1452a28c0e28c72c1b213c66209b6a0f1b97d68;p=kconfig-hardened-check.git
diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py
index 98b3d9c..1c05b43 100644
--- a/kernel_hardening_checker/checks.py
+++ b/kernel_hardening_checker/checks.py
@@ -364,6 +364,7 @@ def add_kconfig_checks(l, arch):
 l += [KconfigCheck('cut_attack_surface', 'clipos', 'X86_IOPL_IOPERM', 'is not set')] # refers to LOCKDOWN
 l += [KconfigCheck('cut_attack_surface', 'clipos', 'ACPI_TABLE_UPGRADE', 'is not set')] # refers to LOCKDOWN
 l += [KconfigCheck('cut_attack_surface', 'clipos', 'EFI_CUSTOM_SSDT_OVERLAYS', 'is not set')]
+ l += [KconfigCheck('cut_attack_surface', 'clipos', 'AIO', 'is not set')]
 # l += [KconfigCheck('cut_attack_surface', 'clipos', 'IKCONFIG', 'is not set')] # no, IKCONFIG is needed for this check :)
 
 # 'cut_attack_surface', 'lockdown'
@@ -381,7 +382,6 @@ def add_kconfig_checks(l, arch):
 l += [KconfigCheck('cut_attack_surface', 'my', 'VIDEO_VIVID', 'is not set')]
 l += [KconfigCheck('cut_attack_surface', 'my', 'INPUT_EVBUG', 'is not set')] # Can be used as a keylogger
 l += [KconfigCheck('cut_attack_surface', 'my', 'KGDB', 'is not set')]
- l += [KconfigCheck('cut_attack_surface', 'my', 'AIO', 'is not set')]
 l += [KconfigCheck('cut_attack_surface', 'my', 'CORESIGHT', 'is not set')]
 l += [KconfigCheck('cut_attack_surface', 'my', 'XFS_SUPPORT_V4', 'is not set')]
 l += [OR(KconfigCheck('cut_attack_surface', 'my', 'TRIM_UNUSED_KSYMS', 'y'),
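Review bot: The AIO line added to the clipos group is the only entry there that does not say what surface it removes, while the X86_IOPL_IOPERM and ACPI_TABLE_UPGRADE lines next to it carry `# refers to LOCKDOWN` notes. Disabling CONFIG_AIO compiles out the legacy io_setup/io_submit/io_getevents/io_cancel/io_destroy syscalls (fs/aio.c), which is presumably the attack-surface argument here; a trailing note would make it explicit, e.g. `l += [KconfigCheck('cut_attack_surface', 'clipos', 'AIO', 'is not set')] # removes the legacy io_* syscalls (fs/aio.c)`. Because the entry is re-attributed from 'my' to 'clipos' by this commit, it would also help a reader to record which CLIP OS kernel config this recommendation is taken from, if such a reference is kept elsewhere in the file. The body of add_kconfig_checks continues outside the hunk.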
@@ -505,8 +505,9 @@ def add_cmdline_checks(l, arch):
 CmdlineCheck('self_protection', 'kspp', 'hardened_usercopy', 'is not set')))]
 l += [AND(CmdlineCheck('self_protection', 'kspp', 'slab_common.usercopy_fallback', 'is not set'),
 KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY_FALLBACK', 'is not set'))]
- # don't require slab_common.usercopy_fallback=0,
- # since HARDENED_USERCOPY_FALLBACK was removed in Linux v5.16
+ # Consequence of the HARDENED_USERCOPY_FALLBACK check by kspp.
+ # Don't require slab_common.usercopy_fallback=0,
+ # since HARDENED_USERCOPY_FALLBACK was removed in Linux v5.16.
 if arch in ('X86_64', 'ARM64', 'X86_32'):
 l += [OR(CmdlineCheck('self_protection', 'kspp', 'iommu.strict', '1'),
 AND(KconfigCheck('self_protection', 'kspp', 'IOMMU_DEFAULT_DMA_STRICT', 'y'),
@@ -544,13 +545,13 @@ def add_cmdline_checks(l, arch):
 AND(KconfigCheck('cut_attack_surface', 'kspp', 'LEGACY_VSYSCALL_NONE', 'y'),
 CmdlineCheck('cut_attack_surface', 'kspp', 'vsyscall', 'is not set')))]
 l += [OR(CmdlineCheck('cut_attack_surface', 'my', 'vdso32', '1'),
- CmdlineCheck('cut_attack_surface', 'my', 'vdso32', '0'),
+ CmdlineCheck('cut_attack_surface', 'kspp', 'vdso32', '0'),
 AND(KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT_VDSO', 'is not set'),
 CmdlineCheck('cut_attack_surface', 'my', 'vdso32', 'is not set')))] # the vdso32 parameter must not be 2
 if arch == 'X86_32':
 l += [OR(CmdlineCheck('cut_attack_surface', 'my', 'vdso32', '1'),
 CmdlineCheck('cut_attack_surface', 'my', 'vdso', '1'),
- CmdlineCheck('cut_attack_surface', 'my', 'vdso32', '0'),
+ CmdlineCheck('cut_attack_surface', 'kspp', 'vdso32', '0'),
 CmdlineCheck('cut_attack_surface', 'my', 'vdso', '0'),
 AND(KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT_VDSO', 'is not set'),
 CmdlineCheck('cut_attack_surface', 'my', 'vdso32', 'is not set'),
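Review bot: The rewritten comment says not to require `slab_common.usercopy_fallback=0`, but the AND() check directly above it still demands the parameter be absent (`'is not set'`), so an explicit `=0` on a pre-5.16 kernel fails the check; the comment should state that intent instead of leaving it implied. Suggested wording: `# The parameter must be absent rather than =0: HARDENED_USERCOPY_FALLBACK was removed in Linux v5.16, and on older kernels the kspp recommendation is to compile the fallback out (see the KconfigCheck above) instead of disabling it at boot.` The enclosing add_cmdline_checks body continues outside the hunk on both sides.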
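Review bot: Relabelling the `vdso32=0` alternative as 'kspp' leaves it as the second element of both OR() checks, behind the 'my' `vdso32=1` alternative. If OR() reports the decision of its first element (not visible in this hunk, so worth confirming in the OR implementation), the report will still credit both checks to 'my' and the new attribution is never shown. Consider placing the kspp element first in both the generic and the X86_32 block: `l += [OR(CmdlineCheck('cut_attack_surface', 'kspp', 'vdso32', '0'),` followed by `CmdlineCheck('cut_attack_surface', 'my', 'vdso32', '1'),`. The X86_32 OR() statement ends outside the hunk.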