From: Alexander Popov Date: Sat, 11 Jan 2020 12:05:11 +0000 (+0300) Subject: Recommend disabling VIDEO_VIVID X-Git-Tag: v0.5.5~48 X-Git-Url: https://jxself.org/git/?a=commitdiff_plain;h=981bd163fa19fccbc5ce5d4182e639d67e484475;p=kconfig-hardened-check.git Recommend disabling VIDEO_VIVID The vivid driver is for testing. It doesn't require any special hardware. It is shipped in Ubuntu, Debian, Arch Linux, SUSE Linux Enterprise and openSUSE. On Ubuntu the devices created by this driver are available to the normal user, since Ubuntu applies RW ACL when the user is logged in. See the disclosure of CVE-2019-18683 which I've found and fixed in vivid driver: https://www.openwall.com/lists/oss-security/2019/11/02/1 --- diff --git a/README.md b/README.md index c5fdfb1..63d7952 100644 --- a/README.md +++ b/README.md @@ -178,9 +178,10 @@ CONFIG_IP_DCCP | is not set | my | cut_atta CONFIG_IP_SCTP | is not set | my | cut_attack_surface | FAIL: "m" CONFIG_FTRACE | is not set | my | cut_attack_surface | FAIL: "y" CONFIG_BPF_JIT | is not set | my | cut_attack_surface | FAIL: "y" +CONFIG_VIDEO_VIVID | is not set | my | cut_attack_surface | FAIL: "m" CONFIG_ARCH_MMAP_RND_BITS | 32 | clipos |userspace_hardening | FAIL: "28" -[+] config check is finished: 'OK' - 49 / 'FAIL' - 76 +[+] config check is finished: 'OK' - 49 / 'FAIL' - 77 ``` ## kconfig-hardened-check versioning diff --git a/kconfig-hardened-check.py b/kconfig-hardened-check.py index 2448717..d5215b1 100755 --- a/kconfig-hardened-check.py +++ b/kconfig-hardened-check.py 
@@ -380,6 +380,7 @@ def construct_checklist(checklist, arch): checklist.append(OptCheck('IP_SCTP', 'is not set', 'my', 'cut_attack_surface')) checklist.append(OptCheck('FTRACE', 'is not set', 'my', 'cut_attack_surface')) checklist.append(OptCheck('BPF_JIT', 'is not set', 'my', 'cut_attack_surface')) + checklist.append(OptCheck('VIDEO_VIVID', 'is not set', 'my', 'cut_attack_surface')) if debug_mode or arch == 'X86_32': checklist.append(OptCheck('MODIFY_LDT_SYSCALL', 'is not set', 'my', 'cut_attack_surface'))
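Review bot: The README.md hunk adds the new sample-output row `CONFIG_VIDEO_VIVID | is not set | my | cut_attack_surface | FAIL: "m"` and bumps the summary line from `'FAIL' - 76` to `'FAIL' - 77`, which is consistent with one added row, but the README carries no rationale for the new check; the reason given in the commit message (a test driver needing no hardware, shipped as a module by major distributions, with device nodes reachable by the logged-in user on Ubuntu, and the fixed CVE-2019-18683) is exactly what a user hitting this FAIL will want to read, so consider adding a short note next to the row or in the section that describes the `cut_attack_surface` checks pointing at https://www.openwall.com/lists/oss-security/2019/11/02/1.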
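Review bot: The kconfig-hardened-check.py hunk adds `checklist.append(OptCheck('VIDEO_VIVID', 'is not set', 'my', 'cut_attack_surface'))` unconditionally, right before the `if debug_mode or arch == 'X86_32':` branch, so it applies to every architecture like the neighbouring IP_SCTP, FTRACE and BPF_JIT entries; that placement and the `'is not set'` expectation look right (it flags `m` as well as `y`, which matters because the README sample shows the driver built as a module), but the entry has no comment explaining why a V4L2 test driver belongs in `cut_attack_surface`, so a one-line comment citing CVE-2019-18683 or the oss-security link from the commit message would keep the rationale with the code.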