SECURITY_DMESG_RESTRICT is recommended by KSPP now
author
Alexander Popov
<alex.popov@linux.com>
Sat, 19 Jun 2021 12:40:13 +0000
(15:40 +0300)
committer
Alexander Popov
<alex.popov@linux.com>
Sat, 19 Jun 2021 12:43:21 +0000
(15:43 +0300)
kconfig_hardened_check/__init__.py
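--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -36,7 +36,7 @@
 #
 # N.B. Hardening sysctls:
 # kernel.kptr_restrict=2 (or 1?)
-# kernel.dmesg_restrict=1
+# kernel.dmesg_restrict=1 (also see the kconfig option)
 # kernel.perf_event_paranoid=3
 # kernel.kexec_load_disabled=1
 # kernel.yama.ptrace_scope=3
@@ -328,6 +328,7 @@ def construct_checklist(l, arch):
     l += [OptCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_PREDICTOR', 'y')]
     # 'self_protection', 'kspp'
+    l += [OptCheck('self_protection', 'kspp', 'SECURITY_DMESG_RESTRICT', 'y')]
     l += [OptCheck('self_protection', 'kspp', 'BUG_ON_DATA_CORRUPTION', 'y')]
     l += [OptCheck('self_protection', 'kspp', 'DEBUG_WX', 'y')]
     l += [OptCheck('self_protection', 'kspp', 'SCHED_STACK_END_CHECK', 'y')]
@@ -375,7 +376,6 @@ def construct_checklist(l, arch):
     l += [OptCheck('self_protection', 'kspp', 'DEFAULT_MMAP_MIN_ADDR', '32768')]
     # 'self_protection', 'clipos'
-    l += [OptCheck('self_protection', 'clipos', 'SECURITY_DMESG_RESTRICT', 'y')]
     l += [OptCheck('self_protection', 'clipos', 'DEBUG_VIRTUAL', 'y')]
     l += [OptCheck('self_protection', 'clipos', 'STATIC_USERMODEHELPER', 'y')] # needs userspace support
     l += [OptCheck('self_protection', 'clipos', 'EFI_DISABLE_PCI_DMA', 'y')]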
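Review bot: The added `SECURITY_DMESG_RESTRICT` check in the second hunk verifies only the compile-time setting, while dmesg access on a running system is gated by the `kernel.dmesg_restrict` sysctl, which as far as I read the kernel documentation merely takes its default from that option and can be reset to 0 by any sysctl.d drop-in. The comment in the first hunk points from the sysctl to the kconfig option but not back, so a passing check can be misread as proof that dmesg is restricted on the deployed kernel. I would annotate the new OptCheck line with `# sets only the boot default of kernel.dmesg_restrict; the running sysctl value wins` so users of the tool know to verify the runtime value too. construct_checklist starts and ends outside these hunks.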