Add the SECURITY_SELINUX_DEBUG check
author
Alexander Popov
<alex.popov@linux.com>
Sat, 16 Dec 2023 23:11:53 +0000
(
02:11
+0300)
committer
Alexander Popov
<alex.popov@linux.com>
Sat, 16 Dec 2023 23:11:53 +0000
(
02:11
+0300)
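--- a/kernel_hardening_checker/checks.py
+++ b/kernel_hardening_checker/checks.py
@@ -246,6 +246,7 @@ def add_kconfig_checks(l, arch):
 l += [KconfigCheck('security_policy', 'kspp', 'SECURITY_LOCKDOWN_LSM_EARLY', 'y')]
 l += [KconfigCheck('security_policy', 'kspp', 'LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY', 'y')]
 l += [KconfigCheck('security_policy', 'kspp', 'SECURITY_WRITABLE_HOOKS', 'is not set')] # refers to SECURITY_SELINUX_DISABLE
+ l += [KconfigCheck('security_policy', 'my', 'SECURITY_SELINUX_DEBUG', 'is not set')]
 l += [OR(KconfigCheck('security_policy', 'my', 'SECURITY_SELINUX', 'y'),
 KconfigCheck('security_policy', 'my', 'SECURITY_APPARMOR', 'y'),
 KconfigCheck('security_policy', 'my', 'SECURITY_SMACK', 'y'),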
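Review bot: The added `SECURITY_SELINUX_DEBUG` line carries no rationale, unlike the `SECURITY_WRITABLE_HOOKS` line just above it, which has a trailing comment; because its reason field is `'my'` rather than `'kspp'`, a reader has no external recommendation to look up. A short trailing comment such as `# SELinux developer debugging code, not needed on production kernels` would record why the option is expected to be off (wording to be confirmed against the option's Kconfig help text). The `'is not set'` expectation is presumably also satisfied when the option is absent, so the check would pass on kernels built without SELinux; that looks intended but is worth stating in the same comment. `add_kconfig_checks` begins and ends outside this hunk, and the `OR(...)` call after the new line is cut off by it.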