From: Alexander Popov
Date: Mon, 10 Jun 2024 14:10:47 +0000 (+0300)
Subject: Add the comment about 'if arch' for the 'cut_attack_surface' checks
X-Git-Tag: v0.6.10~53
X-Git-Url: https://jxself.org/git/?a=commitdiff_plain;ds=sidebyside;h=40b32a181e9657b2af3bd9ecb97c71c5fe855204;p=kconfig-hardened-check.git
Add the comment about 'if arch' for the 'cut_attack_surface' checks
Refers to #135.
---
diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py
index d3d5a83..f9b86d9 100644
--- a/kernel_hardening_checker/checks.py
+++ b/kernel_hardening_checker/checks.py
@@ -287,6 +287,8 @@ def add_kconfig_checks(l: List[ChecklistObjType], arch: str) -> None:
 KconfigCheck('security_policy', 'a13xp0p0v', 'SECURITY_SMACK', 'y'),
 KconfigCheck('security_policy', 'a13xp0p0v', 'SECURITY_TOMOYO', 'y'))] # one of major LSMs implementing MAC
+ # N.B. We don't use 'if arch' for the 'cut_attack_surface' checks that require 'is not set'.
+ # It makes the maintainance easier. These kernel options should be disabled anyway.
 # 'cut_attack_surface', 'defconfig'
 l += [KconfigCheck('cut_attack_surface', 'defconfig', 'SECCOMP', 'y')]
 l += [KconfigCheck('cut_attack_surface', 'defconfig', 'SECCOMP_FILTER', 'y')]
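Review bot: The added comment in `add_kconfig_checks` misspells "maintenance" as `maintainance`, and it does not state why dropping the arch guard is safe for an 'is not set' check. As worded, "should be disabled anyway" leaves the reader to infer that the requirement holds on every architecture, presumably including ones where the option does not exist; saying so would make the policy easier to audit. I would write `# It makes the maintenance easier: these kernel options should be disabled on every architecture anyway.` The comment also sits directly above the 'defconfig' SECCOMP checks, which require 'y', so it should be read as covering the whole 'cut_attack_surface' group; the checks it refers to, and the rest of the function body, are outside this hunk.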