projects
/
kconfig-hardened-check.git
/ commitdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
| commitdiff |
tree
raw
|
patch
|
inline
| side by side (parent:
3224016
)
Drop the GCC_PLUGINS check (checking CC_IS_GCC is enough)
author
Alexander Popov
<alex.popov@linux.com>
Mon, 25 Mar 2024 17:40:15 +0000
(20:40 +0300)
committer
Alexander Popov
<alex.popov@linux.com>
Mon, 25 Mar 2024 17:40:15 +0000
(20:40 +0300)
Refers to #102
kernel_hardening_checker/checks.py
patch
|
blob
|
history
diff --git
a/kernel_hardening_checker/checks.py
b/kernel_hardening_checker/checks.py
index 99e8810fb324a4bc417b6a875d656b6bfb0af6f2..6b9db7a85f8a38962d3c791d06e1408632e48e73 100644
(file)
--- a/
kernel_hardening_checker/checks.py
+++ b/
kernel_hardening_checker/checks.py
@@
-26,7
+26,6
@@
def add_kconfig_checks(l, arch):
efi_not_set = KconfigCheck('-', '-', 'EFI', 'is not set')
cc_is_gcc = KconfigCheck('-', '-', 'CC_IS_GCC', 'y') # exists since v4.18
cc_is_clang = KconfigCheck('-', '-', 'CC_IS_CLANG', 'y') # exists since v4.18
efi_not_set = KconfigCheck('-', '-', 'EFI', 'is not set')
cc_is_gcc = KconfigCheck('-', '-', 'CC_IS_GCC', 'y') # exists since v4.18
cc_is_clang = KconfigCheck('-', '-', 'CC_IS_CLANG', 'y') # exists since v4.18
- gcc_plugins_support_is_set = KconfigCheck('-', '-', 'GCC_PLUGINS', 'y')
modules_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'MODULES', 'is not set') # radical, but may be useful in some cases
devmem_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'DEVMEM', 'is not set') # refers to LOCKDOWN
modules_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'MODULES', 'is not set') # radical, but may be useful in some cases
devmem_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'DEVMEM', 'is not set') # refers to LOCKDOWN
@@
-159,7
+158,6
@@
def add_kconfig_checks(l, arch):
l += [AND(KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY_PAGESPAN', 'is not set'),
hardened_usercopy_is_set)] # this debugging for HARDENED_USERCOPY is not needed for security
l += [AND(KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_LATENT_ENTROPY', 'y'),
l += [AND(KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY_PAGESPAN', 'is not set'),
hardened_usercopy_is_set)] # this debugging for HARDENED_USERCOPY is not needed for security
l += [AND(KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_LATENT_ENTROPY', 'y'),
- gcc_plugins_support_is_set,
cc_is_gcc)]
l += [OR(KconfigCheck('self_protection', 'kspp', 'MODULE_SIG', 'y'),
modules_not_set)]
cc_is_gcc)]
l += [OR(KconfigCheck('self_protection', 'kspp', 'MODULE_SIG', 'y'),
modules_not_set)]
@@
-199,15
+197,12
@@
def add_kconfig_checks(l, arch):
if arch in ('X86_64', 'ARM64', 'X86_32'):
stackleak_is_set = KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_STACKLEAK', 'y')
l += [AND(stackleak_is_set,
if arch in ('X86_64', 'ARM64', 'X86_32'):
stackleak_is_set = KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_STACKLEAK', 'y')
l += [AND(stackleak_is_set,
- gcc_plugins_support_is_set,
cc_is_gcc)]
l += [AND(KconfigCheck('self_protection', 'kspp', 'STACKLEAK_METRICS', 'is not set'),
stackleak_is_set,
cc_is_gcc)]
l += [AND(KconfigCheck('self_protection', 'kspp', 'STACKLEAK_METRICS', 'is not set'),
stackleak_is_set,
- gcc_plugins_support_is_set,
cc_is_gcc)]
l += [AND(KconfigCheck('self_protection', 'kspp', 'STACKLEAK_RUNTIME_DISABLE', 'is not set'),
stackleak_is_set,
cc_is_gcc)]
l += [AND(KconfigCheck('self_protection', 'kspp', 'STACKLEAK_RUNTIME_DISABLE', 'is not set'),
stackleak_is_set,
- gcc_plugins_support_is_set,
cc_is_gcc)]
l += [KconfigCheck('self_protection', 'kspp', 'RANDOMIZE_KSTACK_OFFSET_DEFAULT', 'y')]
if arch in ('X86_64', 'ARM64'):
cc_is_gcc)]
l += [KconfigCheck('self_protection', 'kspp', 'RANDOMIZE_KSTACK_OFFSET_DEFAULT', 'y')]
if arch in ('X86_64', 'ARM64'):