From: Alexander Popov Date: Sun, 30 Apr 2023 22:16:03 +0000 (+0300) Subject: Improve the COMPAT_VDSO check X-Git-Tag: v0.6.6~165 X-Git-Url: https://jxself.org/git/?a=commitdiff_plain;h=22728555223c98630180c2f642cc7e369424bd8a;p=kconfig-hardened-check.git Improve the COMPAT_VDSO check CONFIG_COMPAT_VDSO disabled ASLR of vDSO only on X86_64 and X86_32. On ARM64 this option has different meaning (see the mainline commit 7c4791c9efca8c105a86022f7d5532aeaa819125). Thanks to @izh1979 for the idea
---
diff --git a/kconfig_hardened_check/checks.py b/kconfig_hardened_check/checks.py
index cc71ef1..43a4c64 100644
--- a/kconfig_hardened_check/checks.py
+++ b/kconfig_hardened_check/checks.py
@@ -288,7 +288,6 @@ def add_kconfig_checks(l, arch):
 l += [KconfigCheck('cut_attack_surface', 'kspp', 'ACPI_CUSTOM_METHOD', 'is not set')] # refers to LOCKDOWN
 l += [KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT_BRK', 'is not set')]
 l += [KconfigCheck('cut_attack_surface', 'kspp', 'DEVKMEM', 'is not set')] # refers to LOCKDOWN
- l += [KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT_VDSO', 'is not set')]
 l += [KconfigCheck('cut_attack_surface', 'kspp', 'BINFMT_MISC', 'is not set')]
 l += [KconfigCheck('cut_attack_surface', 'kspp', 'INET_DIAG', 'is not set')]
 l += [KconfigCheck('cut_attack_surface', 'kspp', 'KEXEC', 'is not set')] # refers to LOCKDOWN
@@ -308,6 +307,10 @@ def add_kconfig_checks(l, arch):
 devmem_not_set)] # refers to LOCKDOWN
 l += [AND(KconfigCheck('cut_attack_surface', 'kspp', 'LDISC_AUTOLOAD', 'is not set'),
 KconfigCheck('cut_attack_surface', 'kspp', 'LDISC_AUTOLOAD', 'is present'))]
+ if arch in ('X86_64', 'X86_32'):
+ l += [KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT_VDSO', 'is not set')]
+ # CONFIG_COMPAT_VDSO disabled ASLR of vDSO only on X86_64 and X86_32;
+ # on ARM64 this option has different meaning
 if arch == 'ARM':
 l += [OR(KconfigCheck('cut_attack_surface', 'kspp', 'STRICT_DEVMEM', 'y'),
 devmem_not_set)] # refers to LOCKDOWN
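Review bot: The comment explaining the new `if arch in ('X86_64', 'X86_32'):` guard in the second hunk sits after the `COMPAT_VDSO` check, inside the branch body, and says only that the option "has different meaning" on ARM64, so a reader of checks.py cannot tell why the check is skipped there without finding this commit. I would move it above the `if` and carry over the reference from the commit message: `# CONFIG_COMPAT_VDSO disabled ASLR of vDSO only on X86_64 and X86_32; on ARM64 it has a` / `# different meaning (mainline commit 7c4791c9efca8c105a86022f7d5532aeaa819125), so it is not checked there`. The line removed in the first hunk appears to have applied to every architecture, so after this change ARM and ARM64 configs get no COMPAT_VDSO result at all; that looks intended from the description, but it is worth stating in the tool's documentation or changelog, since a line disappears from hardening reports on those architectures. `add_kconfig_checks` starts and ends outside both hunks.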