From: Alexander Popov
Date: Mon, 11 Mar 2019 15:21:18 +0000 (+0300)
Subject: Add explicit checks for CONFIG_MODULES and CONFIG_DEVMEM
X-Git-Tag: v0.5.2~43
X-Git-Url: https://jxself.org/git/?a=commitdiff_plain;h=30b0806bc19a138618027b75e9223f50076f8ca8;hp=dfa4ccc71efd78f1962d695fc88982cbe24021fb;p=kconfig-hardened-check.git
Add explicit checks for CONFIG_MODULES and CONFIG_DEVMEM
I like this hack. Now the script recommends to disable modules and devmem OR harden them at least.
---
diff --git a/kconfig-hardened-check.py b/kconfig-hardened-check.py
index 83d1c0d..fea5ef9 100755
--- a/kconfig-hardened-check.py
+++ b/kconfig-hardened-check.py
@@ -231,6 +231,8 @@ def construct_checklist(arch):
 checklist.append(OR(OptCheck('STRICT_DEVMEM', 'y', 'defconfig', 'cut_attack_surface'), \
 devmem_not_set)) # refers to LOCK_DOWN_KERNEL
+ checklist.append(modules_not_set)
+ checklist.append(devmem_not_set)
 checklist.append(OR(OptCheck('IO_STRICT_DEVMEM', 'y', 'kspp', 'cut_attack_surface'), \
 devmem_not_set)) # refers to LOCK_DOWN_KERNEL
 if debug_mode or arch == 'ARM':
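Review bot: The two standalone `checklist.append(...)` lines added before the `IO_STRICT_DEVMEM` check carry no comment explaining why `devmem_not_set` is both appended on its own and used as the second operand of the neighbouring `OR(...)` checks. `modules_not_set` is presumably reused the same way outside this hunk. Without that, a reader can take them for duplicates, and, as the `OR` reads, a kernel with `CONFIG_DEVMEM=y` and `STRICT_DEVMEM=y` now passes the `OR` entry while failing the standalone one. I would record the intent above the new lines, e.g. `# Preferred outcome: MODULES and DEVMEM disabled outright; the OR() checks accept the hardened fallback`. Since the check classes are outside this hunk, it is also worth confirming that one instance shared between a list entry and several `OR` operands does not keep per-check result state that the report then shows inconsistently.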