From: Alexander Popov Date: Fri, 22 Apr 2022 09:34:49 +0000 (+0300) Subject: Separate out checking SECURITY_WRITABLE_HOOKS and SECURITY_SELINUX_DISABLE X-Git-Tag: v0.5.17~5 X-Git-Url: https://jxself.org/git/?a=commitdiff_plain;h=4444a0b7ca1413eaf99b0f8023e0e4f805724e7e;p=kconfig-hardened-check.git Separate out checking SECURITY_WRITABLE_HOOKS and SECURITY_SELINUX_DISABLE Thanks to @izh1979 for the idea. Combining these checks with OR is not correct. --- diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py index 07b467e..e3488fd 100644 --- a/kconfig_hardened_check/__init__.py +++ b/kconfig_hardened_check/__init__.py @@ -493,11 +493,11 @@ def add_kconfig_checks(l, arch): if arch == 'ARM': l += [KconfigCheck('security_policy', 'kspp', 'SECURITY', 'y')] # and choose your favourite LSM l += [KconfigCheck('security_policy', 'kspp', 'SECURITY_YAMA', 'y')] - l += [OR(KconfigCheck('security_policy', 'my', 'SECURITY_WRITABLE_HOOKS', 'is not set'), - KconfigCheck('security_policy', 'kspp', 'SECURITY_SELINUX_DISABLE', 'is not set'))] + l += [KconfigCheck('security_policy', 'kspp', 'SECURITY_SELINUX_DISABLE', 'is not set')] l += [KconfigCheck('security_policy', 'clipos', 'SECURITY_LOCKDOWN_LSM', 'y')] l += [KconfigCheck('security_policy', 'clipos', 'SECURITY_LOCKDOWN_LSM_EARLY', 'y')] l += [KconfigCheck('security_policy', 'clipos', 'LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY', 'y')] + l += [KconfigCheck('security_policy', 'my', 'SECURITY_WRITABLE_HOOKS', 'is not set')] # refers to SECURITY_SELINUX_DISABLE l += [KconfigCheck('security_policy', 'my', 'SECURITY_SAFESETID', 'y')] loadpin_is_set = KconfigCheck('security_policy', 'my', 'SECURITY_LOADPIN', 'y') l += [loadpin_is_set] # needs userspace support