From: Alexander Popov Date: Tue, 4 Jul 2023 11:20:20 +0000 (+0300) Subject: Check disabling XFS_SUPPORT_V4 for cutting attack surface X-Git-Tag: v0.6.6~128 X-Git-Url: https://jxself.org/git/?a=commitdiff_plain;h=78675ceec3da0a4e99fe9cf5389078e50c14ef95;hp=940be276dfedf56d92ca08beac320a37426922c7;p=kconfig-hardened-check.git Check disabling XFS_SUPPORT_V4 for cutting attack surface The XFS V4 format is deprecated: https://elixir.bootlin.com/linux/v6.3.11/source/fs/xfs/Kconfig#L25 Quote: The V4 filesystem format lacks certain features that are supported by the V5 format, such as metadata checksumming, strengthened metadata verification, and the ability to store timestamps past the year 2038. Because of this, the V4 format is deprecated. All users should upgrade by backing up their files, reformatting, and restoring from the backup... To close off an attack surface, say N. --- diff --git a/kconfig_hardened_check/checks.py b/kconfig_hardened_check/checks.py index 3a58c70..d857ad1 100644 --- a/kconfig_hardened_check/checks.py +++ b/kconfig_hardened_check/checks.py @@ -365,6 +365,7 @@ def add_kconfig_checks(l, arch): l += [KconfigCheck('cut_attack_surface', 'my', 'KGDB', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'my', 'AIO', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'my', 'CORESIGHT', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'my', 'XFS_SUPPORT_V4', 'is not set')] l += [OR(KconfigCheck('cut_attack_surface', 'my', 'TRIM_UNUSED_KSYMS', 'y'), modules_not_set)]
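Review bot: the added `XFS_SUPPORT_V4` line in `add_kconfig_checks` has no comment, so the reason for the check is recorded only in the commit message. That reason is that the V4 format is deprecated and the kernel's Kconfig help itself says "To close off an attack surface, say N". Consider a short trailing comment on that line pointing at the fs/xfs/Kconfig help text, so a reader of checks.py can see why this option sits in the 'my' group of `cut_attack_surface` next to KGDB, AIO and CORESIGHT without digging through git history.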