projects
/
kconfig-hardened-check.git
/ commitdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
| commitdiff |
tree
raw
|
patch
|
inline
| side by side (parent:
416f4a9
)
No need in BPF_UNPRIV_DEFAULT_OFF if BPF_SYSCALL is disabled
author
Alexander Popov
<alex.popov@linux.com>
Fri, 8 Apr 2022 21:05:38 +0000
(
00:05
+0300)
committer
Alexander Popov
<alex.popov@linux.com>
Fri, 8 Apr 2022 21:05:38 +0000
(
00:05
+0300)
kconfig_hardened_check/__init__.py
patch
|
blob
|
history
diff --git
a/kconfig_hardened_check/__init__.py
b/kconfig_hardened_check/__init__.py
index 9400d26c59d5e18bdd5adebc9c6fab77190c1606..ebc13811767c867ff556d629bce3fd5fbf66a79a 100644
(file)
--- a/
kconfig_hardened_check/__init__.py
+++ b/
kconfig_hardened_check/__init__.py
@@
-314,6
+314,7
@@
def add_kconfig_checks(l, arch):
modules_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'MODULES', 'is not set')
devmem_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'DEVMEM', 'is not set') # refers to LOCKDOWN
modules_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'MODULES', 'is not set')
devmem_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'DEVMEM', 'is not set') # refers to LOCKDOWN
+ bpf_syscall_not_set = KconfigCheck('cut_attack_surface', 'lockdown', 'BPF_SYSCALL', 'is not set') # refers to LOCKDOWN
efi_not_set = KconfigCheck('cut_attack_surface', 'my', 'EFI', 'is not set')
# 'self_protection', 'defconfig'
efi_not_set = KconfigCheck('cut_attack_surface', 'my', 'EFI', 'is not set')
# 'self_protection', 'defconfig'
@@
-494,7
+495,8
@@
def add_kconfig_checks(l, arch):
loadpin_is_set)]
# 'cut_attack_surface', 'defconfig'
loadpin_is_set)]
# 'cut_attack_surface', 'defconfig'
- l += [KconfigCheck('cut_attack_surface', 'defconfig', 'BPF_UNPRIV_DEFAULT_OFF', 'y')] # see unprivileged_bpf_disabled
+ l += [OR(KconfigCheck('cut_attack_surface', 'defconfig', 'BPF_UNPRIV_DEFAULT_OFF', 'y'),
+ bpf_syscall_not_set)] # see unprivileged_bpf_disabled
l += [KconfigCheck('cut_attack_surface', 'defconfig', 'SECCOMP', 'y')]
l += [KconfigCheck('cut_attack_surface', 'defconfig', 'SECCOMP_FILTER', 'y')]
if arch in ('X86_64', 'ARM64', 'X86_32'):
l += [KconfigCheck('cut_attack_surface', 'defconfig', 'SECCOMP', 'y')]
l += [KconfigCheck('cut_attack_surface', 'defconfig', 'SECCOMP_FILTER', 'y')]
if arch in ('X86_64', 'ARM64', 'X86_32'):
@@
-596,8
+598,8
@@
def add_kconfig_checks(l, arch):
l += [KconfigCheck('cut_attack_surface', 'clipos', 'X86_INTEL_TSX_MODE_OFF', 'y')] # tsx=off
# 'cut_attack_surface', 'lockdown'
l += [KconfigCheck('cut_attack_surface', 'clipos', 'X86_INTEL_TSX_MODE_OFF', 'y')] # tsx=off
# 'cut_attack_surface', 'lockdown'
+ l += [bpf_syscall_not_set] # refers to LOCKDOWN
l += [KconfigCheck('cut_attack_surface', 'lockdown', 'EFI_TEST', 'is not set')] # refers to LOCKDOWN
l += [KconfigCheck('cut_attack_surface', 'lockdown', 'EFI_TEST', 'is not set')] # refers to LOCKDOWN
- l += [KconfigCheck('cut_attack_surface', 'lockdown', 'BPF_SYSCALL', 'is not set')] # refers to LOCKDOWN
l += [KconfigCheck('cut_attack_surface', 'lockdown', 'MMIOTRACE_TEST', 'is not set')] # refers to LOCKDOWN
l += [KconfigCheck('cut_attack_surface', 'lockdown', 'KPROBES', 'is not set')] # refers to LOCKDOWN
l += [KconfigCheck('cut_attack_surface', 'lockdown', 'MMIOTRACE_TEST', 'is not set')] # refers to LOCKDOWN
l += [KconfigCheck('cut_attack_surface', 'lockdown', 'KPROBES', 'is not set')] # refers to LOCKDOWN