From: Alexander Popov Date: Sun, 9 Oct 2022 21:55:21 +0000 (+0300) Subject: Drop some of my security policy recommendations X-Git-Tag: v0.6.1~73 X-Git-Url: https://jxself.org/git/?a=commitdiff_plain;h=57eb765813d3f4482fcc351528df6937402db6e7;p=kconfig-hardened-check.git Drop some of my security policy recommendations --- diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py index 98a3493..5855cf0 100644 --- a/kconfig_hardened_check/__init__.py +++ b/kconfig_hardened_check/__init__.py @@ -12,7 +12,6 @@ # # N.B Hardening command line parameters: # iommu=force (does it help against DMA attacks?) -# loadpin.enforce=1 # # Mitigations of CPU vulnerabilities: # Аrch-independent: @@ -540,11 +539,6 @@ def add_kconfig_checks(l, arch): l += [KconfigCheck('security_policy', 'clipos', 'SECURITY_LOCKDOWN_LSM_EARLY', 'y')] l += [KconfigCheck('security_policy', 'clipos', 'LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY', 'y')] l += [KconfigCheck('security_policy', 'my', 'SECURITY_WRITABLE_HOOKS', 'is not set')] # refers to SECURITY_SELINUX_DISABLE - l += [KconfigCheck('security_policy', 'my', 'SECURITY_SAFESETID', 'y')] - loadpin_is_set = KconfigCheck('security_policy', 'my', 'SECURITY_LOADPIN', 'y') - l += [loadpin_is_set] # needs userspace support - l += [AND(KconfigCheck('security_policy', 'my', 'SECURITY_LOADPIN_ENFORCE', 'y'), - loadpin_is_set)] # 'cut_attack_surface', 'defconfig' l += [OR(KconfigCheck('cut_attack_surface', 'defconfig', 'BPF_UNPRIV_DEFAULT_OFF', 'y'),