Add explicit checks for CONFIG_MODULES and CONFIG_DEVMEM

author Alexander Popov <alex.popov@linux.com>

Mon, 11 Mar 2019 15:21:18 +0000 (18:21 +0300)

committer Alexander Popov <alex.popov@linux.com>

Mon, 11 Mar 2019 15:33:29 +0000 (18:33 +0300)
author Alexander Popov <alex.popov@linux.com>
Mon, 11 Mar 2019 15:21:18 +0000 (18:21 +0300)
committer Alexander Popov <alex.popov@linux.com>
Mon, 11 Mar 2019 15:33:29 +0000 (18:33 +0300)
diff --git a/kconfig-hardened-check.py b/kconfig-hardened-check.py

index 83d1c0d85191d957282e780cb073a18c6727213c..fea5ef958b6eeec515cc9172cea07e825f6e86ca 100755 (executable)
--- a/kconfig-hardened-check.py
+++ b/kconfig-hardened-check.py
@@ -231,6 +231,8 @@ def construct_checklist(arch):
          checklist.append(OR(OptCheck('STRICT_DEVMEM',     'y', 'defconfig', 'cut_attack_surface'), \
                              devmem_not_set)) # refers to LOCK_DOWN_KERNEL
  
+    checklist.append(modules_not_set)
+    checklist.append(devmem_not_set)
      checklist.append(OR(OptCheck('IO_STRICT_DEVMEM',  'y', 'kspp', 'cut_attack_surface'), \
                          devmem_not_set)) # refers to LOCK_DOWN_KERNEL
      if debug_mode or arch == 'ARM':
author	Alexander Popov <alex.popov@linux.com>
	Mon, 11 Mar 2019 15:21:18 +0000 (18:21 +0300)
committer	Alexander Popov <alex.popov@linux.com>
	Mon, 11 Mar 2019 15:33:29 +0000 (18:33 +0300)