X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kernel_hardening_checker%2Fchecks.py;h=5ec19cc5b7b7ad4a77a370d9c3671d579750eabd;hb=cbe604f9365e3531feb1fd6c2c369a5f3a8d8249;hp=10c3482bf0265b592ff4d43fcedeaee8f23d592a;hpb=613f481566b7bf398962d12ac492f2970c5fa51f;p=kconfig-hardened-check.git
diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py
index 10c3482..5ec19cc 100644
--- a/kernel_hardening_checker/checks.py
+++ b/kernel_hardening_checker/checks.py
@@ -407,6 +407,8 @@ def add_kconfig_checks(l, arch):
 l += [KconfigCheck('harden_userspace', 'defconfig', 'VMSPLIT_3G', 'y')]
 l += [KconfigCheck('harden_userspace', 'clipos', 'COREDUMP', 'is not set')]
 l += [KconfigCheck('harden_userspace', 'a13xp0p0v', 'ARCH_MMAP_RND_BITS', 'MAX')] # 'MAX' value is refined using ARCH_MMAP_RND_BITS_MAX
+ if arch == 'X86_64':
+ l += [KconfigCheck('harden_userspace', 'a13xp0p0v', 'X86_USER_SHADOW_STACK', 'y')]
 def add_cmdline_checks(l, arch):
@@ -649,7 +651,7 @@ def add_sysctl_checks(l, _arch):
 l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.dmesg_restrict', '1')]
 l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.perf_event_paranoid', '3')] # with a custom patch, see https://lwn.net/Articles/696216/
 l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kexec_load_disabled', '1')]
- l += [SysctlCheck('cut_attack_surface', 'kspp', 'user.max_user_namespaces', '0')]
+ l += [SysctlCheck('cut_attack_surface', 'kspp', 'user.max_user_namespaces', '0')] # may break the upower daemon in Ubuntu
 l += [SysctlCheck('cut_attack_surface', 'kspp', 'dev.tty.ldisc_autoload', '0')]
 l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.unprivileged_bpf_disabled', '1')]
 l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kptr_restrict', '2')]
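Review bot: The new X86_USER_SHADOW_STACK check carries no comment, while the neighbouring ARCH_MMAP_RND_BITS line documents its caveat; as far as I know this Kconfig option only provides kernel-side support, and shadow stacks are only active for processes whose binaries and libc opt in on CET-capable hardware, so a 'y' here must not be read as "userspace shadow stacks are enforced". I would add a trailing comment on the added line, e.g. `# kernel support only: userspace must be built/linked CET-enabled and run on hardware with shadow-stack support`. It is also worth confirming how the checker reports this on kernels whose Kconfig predates the option, since the 'y' expectation can then never be met and that handling is not visible in the hunk. add_kconfig_checks starts before the hunk and add_cmdline_checks continues past it.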
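Review bot: The comment added to the user.max_user_namespaces line names only the upower daemon on Ubuntu, which understates the impact of setting it to 0: to my knowledge unprivileged user namespaces are also what browser sandboxes, bubblewrap/Flatpak and rootless container tooling rely on, so the breakage is broader than one daemon. I would widen the comment to `# breaks anything that needs unprivileged user namespaces (e.g. upower on Ubuntu, browser sandboxes, rootless containers)`. Given that this is a security recommendation operators act on, it is also worth considering whether the caveat belongs in the checker's output rather than only in a source comment. add_sysctl_checks starts before the hunk.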