From: Alexander Popov
Date: Sun, 13 Mar 2022 17:18:48 +0000 (+0300)
Subject: Add BPF_UNPRIV_DEFAULT_OFF to cut_attack_surface
X-Git-Tag: v0.5.17~28
X-Git-Url: https://jxself.org/git/?a=commitdiff_plain;h=1bd5e61d62044ba65a56481e75a5c29d5abdacf3;p=kconfig-hardened-check.git

Add BPF_UNPRIV_DEFAULT_OFF to cut_attack_surface
---
diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py
index ef7f276..35731e3 100644
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -607,6 +607,7 @@ def add_kconfig_checks(l, arch):
 # 'cut_attack_surface', 'my'
 l += [OR(KconfigCheck('cut_attack_surface', 'my', 'TRIM_UNUSED_KSYMS', 'y'), modules_not_set)]
+ l += [KconfigCheck('cut_attack_surface', 'my', 'BPF_UNPRIV_DEFAULT_OFF', 'y')] # see kernel.unprivileged_bpf_disabled
 l += [KconfigCheck('cut_attack_surface', 'my', 'MMIOTRACE', 'is not set')] # refers to LOCKDOWN (permissive)
 l += [KconfigCheck('cut_attack_surface', 'my', 'LIVEPATCH', 'is not set')]
 l += [KconfigCheck('cut_attack_surface', 'my', 'IP_DCCP', 'is not set')]
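Review bot: The added `BPF_UNPRIV_DEFAULT_OFF` check is unconditional, but that option depends on `BPF_SYSCALL`, so a kernel built without the bpf() syscall has no such symbol and would presumably be reported as failing even though its attack surface is smaller. Wrapping it the way the `TRIM_UNUSED_KSYMS` line just above does would avoid that, for example `l += [OR(KconfigCheck('cut_attack_surface', 'my', 'BPF_UNPRIV_DEFAULT_OFF', 'y'), KconfigCheck('cut_attack_surface', 'my', 'BPF_SYSCALL', 'is not set'))]`. The decision and reason given for the inner check are a guess, because the rest of `add_kconfig_checks` lies outside the hunk. The trailing comment could also say that the option only sets the boot-time default of the sysctl, e.g. `# sets the default of kernel.unprivileged_bpf_disabled to 2; root can still reset it to 0 at runtime`, so a pass is not read as a guarantee that unprivileged BPF stays off.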