Add the comment about 'if arch' for the 'cut_attack_surface' checks
author
Alexander Popov
<alex.popov@linux.com>
Mon, 10 Jun 2024 14:10:47 +0000
(17:10 +0300)
committer
Alexander Popov
<alex.popov@linux.com>
Mon, 10 Jun 2024 14:10:47 +0000
(17:10 +0300)
Refers to #135.
kernel_hardening_checker/checks.py
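--- a/kernel_hardening_checker/checks.py
+++ b/kernel_hardening_checker/checks.py
@@ -287,6 +287,8 @@ def add_kconfig_checks(l: List[ChecklistObjType], arch: str) -> None:
 KconfigCheck('security_policy', 'a13xp0p0v', 'SECURITY_SMACK', 'y'),
 KconfigCheck('security_policy', 'a13xp0p0v', 'SECURITY_TOMOYO', 'y'))] # one of major LSMs implementing MAC
+# N.B. We don't use 'if arch' for the 'cut_attack_surface' checks that require 'is not set'.
+# It makes the maintainance easier. These kernel options should be disabled anyway.
 # 'cut_attack_surface', 'defconfig'
 l += [KconfigCheck('cut_attack_surface', 'defconfig', 'SECCOMP', 'y')]
 l += [KconfigCheck('cut_attack_surface', 'defconfig', 'SECCOMP_FILTER', 'y')]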
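Review bot: The new comment has a spelling error, "maintainance" should be "maintenance", and it is placed directly above two 'y' checks (SECCOMP, SECCOMP_FILTER) even though it describes the 'is not set' checks, which presumably come later in the same block outside this hunk. A reader scanning the 'cut_attack_surface' section may take the note as applying to the lines right below it; consider stating the scope explicitly, e.g. `# N.B. The 'cut_attack_surface' checks below that require 'is not set' deliberately have no 'if arch' guard:` followed by `# it keeps maintenance easier, and these options should be disabled on every architecture anyway.` It may also be worth noting in the comment that an option which does not exist for a given architecture is simply absent from the config, so an 'is not set' check still passes there; that behaviour is not visible in this hunk, so confirm it before documenting it. The enclosing function add_kconfig_checks begins before this hunk and continues after it.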