SECURITY_WRITABLE_HOOKS and SECURITY_SELINUX_DISABLE mean the same
authorAlexander Popov <alex.popov@linux.com>
Wed, 18 Mar 2020 11:06:50 +0000 (14:06 +0300)
committerAlexander Popov <alex.popov@linux.com>
Wed, 18 Mar 2020 11:19:15 +0000 (14:19 +0300)
kconfig-hardened-check.py

index 14ff37aa3ca3ff4acf15db4cc2b16d7d7e2c83ee..5f12249033264479ed1acfa6f09d3c9d86ceeccb 100755 (executable)
@@ -346,6 +346,8 @@ def construct_checklist(checklist, arch):
     if arch == 'ARM':
         checklist.append(OptCheck('SECURITY',                               'y', 'kspp', 'security_policy')) # and choose your favourite LSM
     checklist.append(OptCheck('SECURITY_YAMA',                          'y', 'kspp', 'security_policy'))
+    checklist.append(OR(OptCheck('SECURITY_WRITABLE_HOOKS',             'is not set', 'my', 'security_policy'), \
+                        OptCheck('SECURITY_SELINUX_DISABLE',            'is not set', 'kspp', 'security_policy')))
     checklist.append(OptCheck('SECURITY_LOCKDOWN_LSM',                  'y', 'clipos', 'security_policy'))
     checklist.append(OptCheck('SECURITY_LOCKDOWN_LSM_EARLY',            'y', 'clipos', 'security_policy'))
     checklist.append(OptCheck('LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY', 'y', 'clipos', 'security_policy'))
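Review bot: The new `OR(...)` on SECURITY_WRITABLE_HOOKS / SECURITY_SELINUX_DISABLE passes as soon as either option is "is not set", and nothing in the code records why that is safe; the equivalence is stated only in the commit title. If the checker treats a symbol that is absent from the config as "is not set" (not visible in this hunk), a kernel that lacks SECURITY_WRITABLE_HOOKS but has SECURITY_SELINUX_DISABLE=y would still pass this check, so it is worth confirming the two symbols really are tied together on every kernel version the tool supports. I would add a comment above the pair such as `# SECURITY_WRITABLE_HOOKS and SECURITY_SELINUX_DISABLE mean the same, so either one unset passes`. The two sub-checks also carry different decision sources ('my' and 'kspp'), so confirm the report attributes the result to the intended one. construct_checklist's body starts and ends outside this hunk.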
@@ -354,7 +356,6 @@ def construct_checklist(checklist, arch):
     checklist.append(AND(OptCheck('SECURITY_LOADPIN_ENFORCE',           'y', 'my', 'security_policy'), \
                          loadpin_is_set))
     checklist.append(OptCheck('SECURITY_SAFESETID',                     'y', 'my', 'security_policy'))
-    checklist.append(OptCheck('SECURITY_WRITABLE_HOOKS',                'is not set', 'my', 'security_policy'))
 
     checklist.append(OptCheck('SECCOMP',              'y', 'defconfig', 'cut_attack_surface'))
     checklist.append(OptCheck('SECCOMP_FILTER',       'y', 'defconfig', 'cut_attack_surface'))