(parent: b23112f)
Improve the CONFIG_CFI_CLANG checks (add the CONFIG_CC_IS_CLANG dependency)
author
Alexander Popov
<alex.popov@linux.com>
Mon, 25 Mar 2024 18:23:04 +0000
(21:23 +0300)
committer
Alexander Popov
<alex.popov@linux.com>
Mon, 25 Mar 2024 18:23:04 +0000
(21:23 +0300)
Refers to #102
kernel_hardening_checker/checks.py
diff --git
a/kernel_hardening_checker/checks.py
b/kernel_hardening_checker/checks.py
index 6b9db7a85f8a38962d3c791d06e1408632e48e73..10c3482bf0265b592ff4d43fcedeaee8f23d592a 100644
(file)
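--- a/kernel_hardening_checker/checks.py
+++ b/kernel_hardening_checker/checks.py
@@ -138,7 +138,8 @@ def add_kconfig_checks(l, arch):
 VersionCheck((6, 6, 8)))] # DEBUG_CREDENTIALS was dropped in v6.6.8
 l += [OR(KconfigCheck('self_protection', 'kspp', 'DEBUG_NOTIFIERS', 'y'),
 AND(cfi_clang_is_set,
- cfi_clang_permissive_not_set))]
+ cfi_clang_permissive_not_set,
+ cc_is_clang))]
 l += [OR(KconfigCheck('self_protection', 'kspp', 'SCHED_STACK_END_CHECK', 'y'),
 vmap_stack_is_set)]
 kfence_is_set = KconfigCheck('self_protection', 'kspp', 'KFENCE', 'y')
@@ -206,9 +207,11 @@ def add_kconfig_checks(l, arch):
 cc_is_gcc)]
 l += [KconfigCheck('self_protection', 'kspp', 'RANDOMIZE_KSTACK_OFFSET_DEFAULT', 'y')]
 if arch in ('X86_64', 'ARM64'):
- l += [cfi_clang_is_set]
+ l += [AND(cfi_clang_is_set,
+ cc_is_clang)]
 l += [AND(cfi_clang_permissive_not_set,
- cfi_clang_is_set)]
+ cfi_clang_is_set,
+ cc_is_clang)]
 if arch in ('X86_64', 'X86_32'):
 l += [KconfigCheck('self_protection', 'kspp', 'HW_RANDOM_TPM', 'y')]
 l += [KconfigCheck('self_protection', 'kspp', 'DEFAULT_MMAP_MIN_ADDR', '65536')]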
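Review bot: None of the three places that gain `cc_is_clang` says why the compiler check belongs there: the DEBUG_NOTIFIERS alternative in the first hunk and both CFI checks under `if arch in ('X86_64', 'ARM64'):` in the second. The neighbouring `# DEBUG_CREDENTIALS was dropped in v6.6.8` line shows the file's style for such a note, so I would add a trailing `# CFI_CLANG depends on CC_IS_CLANG` beside the first addition. `cc_is_clang` is defined outside the visible hunks, presumably next to `cc_is_gcc`, so please confirm it is assigned before line 138 of `add_kconfig_checks`, whose body starts and ends outside both hunks. How `AND` reports a failing dependency is not visible here either. It is worth checking with a gcc-built config that the report names CONFIG_CC_IS_CLANG as the unmet item, because a person reading the hardening report acts on that reason.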