SECURITY_DMESG_RESTRICT is more about cutting attack surface

author Alexander Popov <alex.popov@linux.com>

Sat, 13 Aug 2022 19:31:15 +0000 (22:31 +0300)

committer Alexander Popov <alex.popov@linux.com>

Sat, 13 Aug 2022 19:31:15 +0000 (22:31 +0300)
author Alexander Popov <alex.popov@linux.com>
Sat, 13 Aug 2022 19:31:15 +0000 (22:31 +0300)
committer Alexander Popov <alex.popov@linux.com>
Sat, 13 Aug 2022 19:31:15 +0000 (22:31 +0300)
diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py

index 58028f86b4e2548300020abe270364b1ccc35989..1b26a252f6f6253866d30fc900ac60107a1df387 100644 (file)
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -378,7 +378,6 @@ def add_kconfig_checks(l, arch):
          l += [KconfigCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_HISTORY', 'y')]
  
      # 'self_protection', 'kspp'
-    l += [KconfigCheck('self_protection', 'kspp', 'SECURITY_DMESG_RESTRICT', 'y')]
      l += [KconfigCheck('self_protection', 'kspp', 'BUG_ON_DATA_CORRUPTION', 'y')]
      l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_WX', 'y')]
      l += [KconfigCheck('self_protection', 'kspp', 'SCHED_STACK_END_CHECK', 'y')]
@@ -515,6 +514,7 @@ def add_kconfig_checks(l, arch):
                   devmem_not_set)] # refers to LOCKDOWN
  
      # 'cut_attack_surface', 'kspp'
+    l += [KconfigCheck('cut_attack_surface', 'kspp', 'SECURITY_DMESG_RESTRICT', 'y')]
      l += [KconfigCheck('cut_attack_surface', 'kspp', 'ACPI_CUSTOM_METHOD', 'is not set')] # refers to LOCKDOWN
      l += [KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT_BRK', 'is not set')]
      l += [KconfigCheck('cut_attack_surface', 'kspp', 'DEVKMEM', 'is not set')] # refers to LOCKDOWN
author	Alexander Popov <alex.popov@linux.com>
	Sat, 13 Aug 2022 19:31:15 +0000 (22:31 +0300)
committer	Alexander Popov <alex.popov@linux.com>
	Sat, 13 Aug 2022 19:31:15 +0000 (22:31 +0300)