From: Alexander Popov Date: Tue, 9 Nov 2021 17:20:59 +0000 (+0300) Subject: Fix the 'decision' field of the IO_URING check X-Git-Tag: v0.5.17~41 X-Git-Url: https://jxself.org/git/?a=commitdiff_plain;h=557ddaa2eab85d6cad9abc0e0cccace82f8f0527;p=kconfig-hardened-check.git Fix the 'decision' field of the IO_URING check grsecurity disables IO_URING as well to cut attack surface --- diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py index 491fa87..eec0aa4 100644 --- a/kconfig_hardened_check/__init__.py +++ b/kconfig_hardened_check/__init__.py @@ -519,6 +519,7 @@ def construct_checklist(l, arch): l += [OptCheck('cut_attack_surface', 'grsecurity', 'DVB_C8SECTPFE', 'is not set')] l += [OptCheck('cut_attack_surface', 'grsecurity', 'MTD_SLRAM', 'is not set')] l += [OptCheck('cut_attack_surface', 'grsecurity', 'MTD_PHRAM', 'is not set')] + l += [OptCheck('cut_attack_surface', 'grsecurity', 'IO_URING', 'is not set')] l += [AND(OptCheck('cut_attack_surface', 'grsecurity', 'X86_PTDUMP', 'is not set'), OptCheck('cut_attack_surface', 'my', 'PTDUMP_DEBUGFS', 'is not set'))] @@ -542,7 +543,6 @@ def construct_checklist(l, arch): l += [OptCheck('cut_attack_surface', 'clipos', 'USER_NS', 'is not set')] # user.max_user_namespaces=0 l += [OptCheck('cut_attack_surface', 'clipos', 'X86_MSR', 'is not set')] # refers to LOCKDOWN l += [OptCheck('cut_attack_surface', 'clipos', 'X86_CPUID', 'is not set')] - l += [OptCheck('cut_attack_surface', 'clipos', 'IO_URING', 'is not set')] l += [OptCheck('cut_attack_surface', 'clipos', 'X86_IOPL_IOPERM', 'is not set')] # refers to LOCKDOWN l += [OptCheck('cut_attack_surface', 'clipos', 'ACPI_TABLE_UPGRADE', 'is not set')] # refers to LOCKDOWN l += [OptCheck('cut_attack_surface', 'clipos', 'EFI_CUSTOM_SSDT_OVERLAYS', 'is not set')]