Add io_uring_disabled sysctl check

author Willenst <willenst@gmail.com>

Mon, 26 Aug 2024 08:40:01 +0000 (10:40 +0200)

committer Willenst <willenst@gmail.com>

Mon, 26 Aug 2024 08:40:01 +0000 (10:40 +0200)
author Willenst <willenst@gmail.com>
Mon, 26 Aug 2024 08:40:01 +0000 (10:40 +0200)
committer Willenst <willenst@gmail.com>
Mon, 26 Aug 2024 08:40:01 +0000 (10:40 +0200)
diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py

index 6fcb07df8763b4ccf39f5585161a1d3877846103..0cc9e58dc02abfd821310b6d7d5f1e7684687754 100755 (executable)
--- a/kernel_hardening_checker/checks.py
+++ b/kernel_hardening_checker/checks.py
@@ -748,6 +748,10 @@ def add_sysctl_checks(l: List[ChecklistObjType], _arch: StrOrNone) -> None:
               AND(KconfigCheck('cut_attack_surface', 'kspp', 'MODULES', 'is not set'),
                   have_kconfig))] # radical, but may be useful in some cases
  
+    l += [OR(SysctlCheck('cut_attack_surface', 'grsec', 'kernel.io_uring_disabled', '2'),
+             AND(KconfigCheck('cut_attack_surface', 'grsec', 'IO_URING', 'is not set'),
+                 have_kconfig))] # compatible with the 'IO_URING' kconfig check by grsecurity
+
      l += [OR(SysctlCheck('cut_attack_surface', 'a13xp0p0v', 'kernel.sysrq', '0'),
               AND(KconfigCheck('cut_attack_surface', 'clipos', 'MAGIC_SYSRQ', 'is not set'),
                   have_kconfig))]
author	Willenst <willenst@gmail.com>
	Mon, 26 Aug 2024 08:40:01 +0000 (10:40 +0200)
committer	Willenst <willenst@gmail.com>
	Mon, 26 Aug 2024 08:40:01 +0000 (10:40 +0200)