X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kernel_hardening_checker%2Fchecks.py;h=e172e96796b90a2cdbbd27f1efcf190a86b21d07;hb=1d054d2c10d4969c205e583b239452bd7d3a42e5;hp=50dea2bf27b1c2faf693287978c94bded93c4832;hpb=7235769c9c0c94cfb6fb864c714b3ccaa6872b9b;p=kconfig-hardened-check.git diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py index 50dea2b..e172e96 100644 --- a/kernel_hardening_checker/checks.py +++ b/kernel_hardening_checker/checks.py @@ -181,9 +181,9 @@ def add_kconfig_checks(l, arch): KconfigCheck('self_protection', 'kspp', 'UBSAN_BOOL', 'is not set'), KconfigCheck('self_protection', 'kspp', 'UBSAN_ENUM', 'is not set'), KconfigCheck('self_protection', 'kspp', 'UBSAN_ALIGNMENT', 'is not set'))] # only array index bounds checking with traps + l += [AND(KconfigCheck('self_protection', 'kspp', 'UBSAN_SANITIZE_ALL', 'y'), + ubsan_bounds_is_set)] if arch in ('X86_64', 'ARM64', 'X86_32'): - l += [AND(KconfigCheck('self_protection', 'kspp', 'UBSAN_SANITIZE_ALL', 'y'), - ubsan_bounds_is_set)] # ARCH_HAS_UBSAN_SANITIZE_ALL is not enabled for ARM stackleak_is_set = KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_STACKLEAK', 'y') l += [AND(stackleak_is_set, gcc_plugins_support_is_set)] l += [AND(KconfigCheck('self_protection', 'kspp', 'STACKLEAK_METRICS', 'is not set'), @@ -552,7 +552,7 @@ def add_cmdline_checks(l, arch): l += [OR(CmdlineCheck('cut_attack_surface', 'kspp', 'vdso32', '0'), CmdlineCheck('cut_attack_surface', 'my', 'vdso', '0'), CmdlineCheck('cut_attack_surface', 'my', 'vdso32', '1'), - CmdlineCheck('cut_attack_surface', 'my', 'vdso', '0'), + CmdlineCheck('cut_attack_surface', 'my', 'vdso', '1'), AND(KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT_VDSO', 'is not set'), CmdlineCheck('cut_attack_surface', 'my', 'vdso32', 'is not set'), CmdlineCheck('cut_attack_surface', 'my', 'vdso', 'is not set')))] # the vdso and vdso32 parameters must not be 2