From: Alexander Popov
Date: Thu, 21 Jul 2022 10:09:50 +0000 (+0300)
Subject: Improve the STACKPROTECTOR check
X-Git-Tag: v0.6.1~120
X-Git-Url: https://jxself.org/git/?a=commitdiff_plain;h=3bdbc3ae2151be51359684bbef358a1e0133861a;p=kconfig-hardened-check.git

Improve the STACKPROTECTOR check

The Linux kernel 4.16-4.17 has a weird STACKPROTECTOR configuration:
  CC_STACKPROTECTOR_NONE -- stackprotector is disabled;
  CC_STACKPROTECTOR_REGULAR -- similar to current STACKPROTECTOR;
  CC_STACKPROTECTOR_STRONG -- similar to current STACKPROTECTOR_STRONG;
  CC_STACKPROTECTOR_AUTO -- the best stack-protector that compiler provides.
These options are mutually exclusive.

Let's improve the STACKPROTECTOR check:
 - Add CC_STACKPROTECTOR_REGULAR as a valid alternative name of this option;
 - Add CC_STACKPROTECTOR_STRONG to avoid false negative result;
 - Add CC_STACKPROTECTOR_AUTO hoping that it enables at least STACKPROTECTOR.

The STACKPROTECTOR_STRONG check still requires explicit configuration,
not CC_STACKPROTECTOR_AUTO.

Thanks to @izh1979 for the idea
---

diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py index 3daddcb..b6e2cc3 100644 --- a/kconfig_hardened_check/__init__.py +++ b/kconfig_hardened_check/__init__.py
@@ -321,7 +321,10 @@ def add_kconfig_checks(l, arch): l += [KconfigCheck('self_protection', 'defconfig', 'SLUB_DEBUG', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'GCC_PLUGINS', 'y')] l += [OR(KconfigCheck('self_protection', 'defconfig', 'STACKPROTECTOR', 'y'), - KconfigCheck('self_protection', 'defconfig', 'CC_STACKPROTECTOR', 'y'))] + KconfigCheck('self_protection', 'defconfig', 'CC_STACKPROTECTOR', 'y'), + KconfigCheck('self_protection', 'defconfig', 'CC_STACKPROTECTOR_REGULAR', 'y'), + KconfigCheck('self_protection', 'defconfig', 'CC_STACKPROTECTOR_AUTO', 'y'), + KconfigCheck('self_protection', 'defconfig', 'CC_STACKPROTECTOR_STRONG', 'y'))] l += [OR(KconfigCheck('self_protection', 'defconfig', 'STACKPROTECTOR_STRONG', 'y'), KconfigCheck('self_protection', 'defconfig', 'CC_STACKPROTECTOR_STRONG', 'y'))] l += [OR(KconfigCheck('self_protection', 'defconfig', 'STRICT_KERNEL_RWX', 'y'),
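Review bot: In the first OR(...), the new CC_STACKPROTECTOR_AUTO alternative lets the STACKPROTECTOR check be satisfied on an assumption. Per the commit message, AUTO selects the best stack protector the compiler provides and is only hoped to enable at least the regular one, so a 4.16-4.17 config with CC_STACKPROTECTOR_AUTO=y can pass without the check confirming that any protector is in effect. Consider adding a comment above the three added lines saying that the CC_STACKPROTECTOR_REGULAR, CC_STACKPROTECTOR_AUTO and CC_STACKPROTECTOR_STRONG names belong to kernels 4.16-4.17 and that AUTO is accepted on a best-effort basis. A second short comment next to the STACKPROTECTOR_STRONG check, stating that AUTO is deliberately not accepted there, would keep the asymmetry between the two OR(...) lists from being "fixed" by mistake later.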