Introduce the ARM_PTDUMP_DEBUGFS check

`X86_PTDUMP` is the old name of `PTDUMP_DEBUGFS`,
see the upstream kernel commit 2ae27137b2db89365f623a7694786cf6d1acb6c7.

`ARM_PTDUMP` is the old name of `ARM_PTDUMP_DEBUGFS`,
see the upstream kernel commit 4fb69cc4566f175839615cc4ef8828ae4d5341d9.

diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py
index 11cf397b71485269593ef077bf8ebe403f7d8a1c..dea6e0b4be377660bf0fda7d875370b16307a0c8 100755 (executable)
--- a/kernel_hardening_checker/checks.py
+++ b/kernel_hardening_checker/checks.py
@@ -393,8 +393,6 @@ def add_kconfig_checks(l: List[ChecklistObjType], arch: str) -> None:
     l += [KconfigCheck('cut_attack_surface', 'grsec', 'SUNRPC_DEBUG', 'is not set')]
     l += [AND(KconfigCheck('cut_attack_surface', 'grsec', 'PTDUMP_DEBUGFS', 'is not set'),
               KconfigCheck('cut_attack_surface', 'grsec', 'X86_PTDUMP', 'is not set'))]
-    l += [AND(KconfigCheck('cut_attack_surface', 'grsec', 'PTDUMP_DEBUGFS', 'is not set'),
-              KconfigCheck('cut_attack_surface', 'grsec', 'ARM_PTDUMP', 'is not set'))]
     l += [KconfigCheck('cut_attack_surface', 'grsec', 'X86_16BIT', 'is not set')]
     l += [KconfigCheck('cut_attack_surface', 'grsec', 'BLK_DEV_UBLK', 'is not set')]
     l += [KconfigCheck('cut_attack_surface', 'grsec', 'VCAP_KUNIT_TEST', 'is not set')]
@@ -452,6 +450,8 @@ def add_kconfig_checks(l: List[ChecklistObjType], arch: str) -> None:
                                             # dangerous, only for debugging the kernel hardening features!
     l += [OR(KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'TRIM_UNUSED_KSYMS', 'y'),
              modules_not_set)]
+    l += [AND(KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'ARM_PTDUMP_DEBUGFS', 'is not set'),
+              KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'ARM_PTDUMP', 'is not set'))]
 
     # 'harden_userspace'
     if arch == 'ARM64':