From: Alexander Popov <alex.popov@linux.com>
Date: Fri, 22 Apr 2022 09:34:49 +0000 (+0300)
Subject: Separate out checking SECURITY_WRITABLE_HOOKS and SECURITY_SELINUX_DISABLE
X-Git-Tag: v0.5.17~5
X-Git-Url: https://jxself.org/git/?a=commitdiff_plain;h=4444a0b7ca1413eaf99b0f8023e0e4f805724e7e;p=kconfig-hardened-check.git

Separate out checking SECURITY_WRITABLE_HOOKS and SECURITY_SELINUX_DISABLE

Thanks to @izh1979 for the idea.
Combining these checks with OR is not correct.
---

diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py
index 07b467e..e3488fd 100644
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -493,11 +493,11 @@ def add_kconfig_checks(l, arch):
     if arch == 'ARM':
         l += [KconfigCheck('security_policy', 'kspp', 'SECURITY', 'y')] # and choose your favourite LSM
     l += [KconfigCheck('security_policy', 'kspp', 'SECURITY_YAMA', 'y')]
-    l += [OR(KconfigCheck('security_policy', 'my', 'SECURITY_WRITABLE_HOOKS', 'is not set'),
-             KconfigCheck('security_policy', 'kspp', 'SECURITY_SELINUX_DISABLE', 'is not set'))]
+    l += [KconfigCheck('security_policy', 'kspp', 'SECURITY_SELINUX_DISABLE', 'is not set')]
     l += [KconfigCheck('security_policy', 'clipos', 'SECURITY_LOCKDOWN_LSM', 'y')]
     l += [KconfigCheck('security_policy', 'clipos', 'SECURITY_LOCKDOWN_LSM_EARLY', 'y')]
     l += [KconfigCheck('security_policy', 'clipos', 'LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY', 'y')]
+    l += [KconfigCheck('security_policy', 'my', 'SECURITY_WRITABLE_HOOKS', 'is not set')] # refers to SECURITY_SELINUX_DISABLE
     l += [KconfigCheck('security_policy', 'my', 'SECURITY_SAFESETID', 'y')]
     loadpin_is_set = KconfigCheck('security_policy', 'my', 'SECURITY_LOADPIN', 'y')
     l += [loadpin_is_set] # needs userspace support