From: Alexander Popov <alex.popov@linux.com>
Date: Sun, 23 Jul 2023 21:18:49 +0000 (+0300)
Subject: Check the kernel.kexec_load_disabled sysctl
X-Git-Tag: v0.6.6~108
X-Git-Url: https://jxself.org/git/?a=commitdiff_plain;h=181c2d9b5cc2c9a71f470ff78bb1a2cfc44a55d3;p=kconfig-hardened-check.git

Check the kernel.kexec_load_disabled sysctl
---

diff --git a/kconfig_hardened_check/checks.py b/kconfig_hardened_check/checks.py
index e9ac9da..bffc68c 100644
--- a/kconfig_hardened_check/checks.py
+++ b/kconfig_hardened_check/checks.py
@@ -577,7 +577,6 @@ def normalize_cmdline_options(option, value):
 def add_sysctl_checks(l, arch):
 # TODO: draft of security hardening sysctls:
 #    kernel.kptr_restrict=2 (or 1?)
-#    kernel.kexec_load_disabled=1
 #    kernel.yama.ptrace_scope=3
 #    user.max_user_namespaces=0 (for Debian, also see kernel.unprivileged_userns_clone)
 #    what about bpf_jit_enable?
@@ -610,3 +609,4 @@ def add_sysctl_checks(l, arch):
 
     l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.dmesg_restrict', '1')]
     l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.perf_event_paranoid', '3')] # with a custom patch, see https://lwn.net/Articles/696216/
+    l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kexec_load_disabled', '1')]