From: Alexander Popov
Date: Mon, 3 Jun 2019 23:43:58 +0000 (+0300)
Subject: Add the LDISC_AUTOLOAD check
X-Git-Tag: v0.5.2~11
X-Git-Url: https://jxself.org/git/?a=commitdiff_plain;ds=sidebyside;h=76f37eeca5b5d9d9c8801e588abe2951a5aabc99;p=kconfig-hardened-check.git

Add the LDISC_AUTOLOAD check

In fact we have a false positive here because the absence of the disabled CONFIG_LDISC_AUTOLOAD means FAIL (line disciplines are automatically loaded). TODO: Introduce a special check for this type of cases.
---
diff --git a/README.md b/README.md
index 60efeb7..3f661fd 100644
--- a/README.md
+++ b/README.md
@@ -164,6 +164,7 @@ CONFIG_X86_VSYSCALL_EMULATION | is not set | clipos | cut_attack_su
 CONFIG_MAGIC_SYSRQ | is not set | clipos | cut_attack_surface || FAIL: "y"
 CONFIG_KEXEC_FILE | is not set | clipos | cut_attack_surface || FAIL: "y"
 CONFIG_USER_NS | is not set | clipos | cut_attack_surface || FAIL: "y"
+CONFIG_LDISC_AUTOLOAD | is not set | clipos | cut_attack_surface || OK: not found
 CONFIG_MMIOTRACE | is not set | my | cut_attack_surface || FAIL: "y"
 CONFIG_LIVEPATCH | is not set | my | cut_attack_surface || FAIL: "y"
 CONFIG_IP_DCCP | is not set | my | cut_attack_surface || FAIL: "m"
@@ -172,7 +173,7 @@ CONFIG_FTRACE | is not set | my | cut_attack_su
 CONFIG_BPF_JIT | is not set | my | cut_attack_surface || FAIL: "y"
 CONFIG_ARCH_MMAP_RND_BITS | 32 | clipos |userspace_protection|| FAIL: "28"
-[+] config check is finished: 'OK' - 49 / 'FAIL' - 71
+[+] config check is finished: 'OK' - 50 / 'FAIL' - 71
 ```
diff --git a/kconfig-hardened-check.py b/kconfig-hardened-check.py
index 75f8cfd..cb59e39 100755
--- a/kconfig-hardened-check.py
+++ b/kconfig-hardened-check.py
@@ -353,6 +353,7 @@ def construct_checklist(arch):
 checklist.append(OptCheck('MAGIC_SYSRQ', 'is not set', 'clipos', 'cut_attack_surface'))
 checklist.append(OptCheck('KEXEC_FILE', 'is not set', 'clipos', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL (permissive)
 checklist.append(OptCheck('USER_NS', 'is not set', 'clipos', 'cut_attack_surface')) # user.max_user_namespaces=0
+ checklist.append(OptCheck('LDISC_AUTOLOAD', 'is not set', 'clipos', 'cut_attack_surface'))
 checklist.append(OptCheck('MMIOTRACE', 'is not set', 'my', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL (permissive)
 checklist.append(OptCheck('LIVEPATCH', 'is not set', 'my', 'cut_attack_surface'))