From: Alexander Popov
Date: Sun, 13 Mar 2022 22:28:18 +0000 (+0300)
Subject: Fix the BPF_UNPRIV_DEFAULT_OFF check (it is enabled by default)
X-Git-Tag: v0.5.17~25
X-Git-Url: https://jxself.org/git/?a=commitdiff_plain;h=860834d93c56279d0362432032883b6c81ae3ef5;p=kconfig-hardened-check.git

Fix the BPF_UNPRIV_DEFAULT_OFF check (it is enabled by default)
---
diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py
index b5960d9..9dc59ae 100644
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -499,6 +499,7 @@ def add_kconfig_checks(l, arch):
 loadpin_is_set)]
 # 'cut_attack_surface', 'defconfig'
+ l += [KconfigCheck('cut_attack_surface', 'defconfig', 'BPF_UNPRIV_DEFAULT_OFF', 'y')] # see unprivileged_bpf_disabled
 l += [KconfigCheck('cut_attack_surface', 'defconfig', 'SECCOMP', 'y')]
 l += [KconfigCheck('cut_attack_surface', 'defconfig', 'SECCOMP_FILTER', 'y')]
 if arch in ('X86_64', 'ARM64', 'X86_32'):
@@ -608,7 +609,6 @@ def add_kconfig_checks(l, arch):
 # 'cut_attack_surface', 'my'
 l += [OR(KconfigCheck('cut_attack_surface', 'my', 'TRIM_UNUSED_KSYMS', 'y'), modules_not_set)]
- l += [KconfigCheck('cut_attack_surface', 'my', 'BPF_UNPRIV_DEFAULT_OFF', 'y')] # see kernel.unprivileged_bpf_disabled
 l += [KconfigCheck('cut_attack_surface', 'my', 'MMIOTRACE', 'is not set')] # refers to LOCKDOWN (permissive)
 l += [KconfigCheck('cut_attack_surface', 'my', 'LIVEPATCH', 'is not set')]
 l += [KconfigCheck('cut_attack_surface', 'my', 'IP_DCCP', 'is not set')]
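Review bot: The trailing comment on the added 'defconfig' check, `# see unprivileged_bpf_disabled`, drops the `kernel.` prefix that the removed 'my' line carried, so it no longer names the sysctl exactly; keep the full name, `# see kernel.unprivileged_bpf_disabled`, so the Kconfig option and its runtime sysctl counterpart can still be cross-referenced by a plain text search. Moving the check from the 'my' group to 'defconfig' is consistent with the commit title, which states the option is enabled by default, so the reclassification itself is not in question. The second hunk is a pure deletion and needs no separate note. add_kconfig_checks starts and ends outside both hunks, so whether any other check still references the old 'my' entry cannot be confirmed from here.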