Add CLIP OS recommendation about CONFIG_STAGING

author Alexander Popov <alex.popov@linux.com>

Fri, 6 Mar 2020 21:53:06 +0000 (00:53 +0300)

committer Alexander Popov <alex.popov@linux.com>

Fri, 6 Mar 2020 21:53:06 +0000 (00:53 +0300)
author Alexander Popov <alex.popov@linux.com>
Fri, 6 Mar 2020 21:53:06 +0000 (00:53 +0300)
committer Alexander Popov <alex.popov@linux.com>
Fri, 6 Mar 2020 21:53:06 +0000 (00:53 +0300)
diff --git a/kconfig-hardened-check.py b/kconfig-hardened-check.py

index 85a0d2fb8086c40a034c49b0da9d845ddf68b28b..d2caafd70f3ad80f239db0f3b048c3b03bff46e8 100755 (executable)
--- a/kconfig-hardened-check.py
+++ b/kconfig-hardened-check.py
@@ -410,6 +410,7 @@ def construct_checklist(checklist, arch):
      checklist.append(OptCheck('BPF_SYSCALL',          'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL
      checklist.append(OptCheck('MMIOTRACE_TEST',       'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL
  
+    checklist.append(OptCheck('STAGING',                  'is not set', 'clipos', 'cut_attack_surface'))
      checklist.append(OptCheck('KSM',                      'is not set', 'clipos', 'cut_attack_surface')) # to prevent FLUSH+RELOAD attack
  #   checklist.append(OptCheck('IKCONFIG',                 'is not set', 'clipos', 'cut_attack_surface')) # no, this info is needed for this check :)
      checklist.append(OptCheck('KALLSYMS',                 'is not set', 'clipos', 'cut_attack_surface'))
author	Alexander Popov <alex.popov@linux.com>
	Fri, 6 Mar 2020 21:53:06 +0000 (00:53 +0300)
committer	Alexander Popov <alex.popov@linux.com>
	Fri, 6 Mar 2020 21:53:06 +0000 (00:53 +0300)