projects / kconfig-hardened-check.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 547f607)
Add the 'kernel.kptr_restrict' check
authorAlexander Popov <alex.popov@linux.com>
Tue, 17 Oct 2023 15:52:57 +0000 (18:52 +0300)
committerAlexander Popov <alex.popov@linux.com>
Tue, 17 Oct 2023 15:52:57 +0000 (18:52 +0300)
kernel_hardening_checker/checks.py patch | blob | history

diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py
index 7476fde39f8aa2db3b499ab027ce37ade8e057f2..56d2f7499368d6ce6ca591eb5de97aaece137e9e 100644 (file)
--- a/kernel_hardening_checker/checks.py
+++ b/kernel_hardening_checker/checks.py
@@ -578,7 +578,6 @@ def normalize_cmdline_options(option, value):
 
 
 # TODO: draft of security hardening sysctls:
-#    kernel.kptr_restrict=2 (or 1?)
 #    kernel.yama.ptrace_scope=3
 #    what about bpf_jit_enable?
 #    vm.unprivileged_userfaultfd=0
@@ -615,3 +614,4 @@ def add_sysctl_checks(l, arch):
     l += [SysctlCheck('cut_attack_surface', 'kspp', 'user.max_user_namespaces', '0')]
     l += [SysctlCheck('cut_attack_surface', 'kspp', 'dev.tty.ldisc_autoload', '0')]
     l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.unprivileged_bpf_disabled', '1')]
+    l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kptr_restrict', '2')]
kconfig-hardened-check