import json
from .__about__ import __version__
from .checks import add_kconfig_checks, add_cmdline_checks, normalize_cmdline_options
-from .engine import populate_with_data, perform_checks
+from .engine import populate_with_data, perform_checks, override_expected_value
def _open(file: str, *args, **kwargs):
parse_cmdline_file(parsed_cmdline_options, args.cmdline)
populate_with_data(config_checklist, parsed_cmdline_options, 'cmdline')
+ # hackish refinement of the CONFIG_ARCH_MMAP_RND_BITS check
+ mmap_rnd_bits_max = parsed_kconfig_options.get('CONFIG_ARCH_MMAP_RND_BITS_MAX', None)
+ if mmap_rnd_bits_max:
+ override_expected_value(config_checklist, 'CONFIG_ARCH_MMAP_RND_BITS', mmap_rnd_bits_max)
+
# now everything is ready, perform the checks
perform_checks(config_checklist)
# kernel.randomize_va_space=2
# nosmt sysfs control file
# dev.tty.legacy_tiocsti=0
+# vm.mmap_rnd_bits=max (?)
#
# Think of these boot params:
# module.sig_enforce=1
l += [KconfigCheck('harden_userspace', 'defconfig', 'ARM64_BTI', 'y')]
if arch in ('ARM', 'X86_32'):
l += [KconfigCheck('harden_userspace', 'defconfig', 'VMSPLIT_3G', 'y')]
- if arch in ('X86_64', 'ARM64'):
- l += [KconfigCheck('harden_userspace', 'clipos', 'ARCH_MMAP_RND_BITS', '32')]
- if arch in ('X86_32', 'ARM'):
- l += [KconfigCheck('harden_userspace', 'my', 'ARCH_MMAP_RND_BITS', '16')]
+ l += [KconfigCheck('harden_userspace', 'my', 'ARCH_MMAP_RND_BITS', 'MAX')] # 'MAX' value is refined using ARCH_MMAP_RND_BITS_MAX
def add_cmdline_checks(l, arch):
projects / kconfig-hardened-check.git / commitdiff