From: Alexander Popov
Date: Tue, 9 Nov 2021 17:11:22 +0000 (+0300)
Subject: Add more checks from grsecurity for cutting attack surface (part I)
X-Git-Tag: v0.5.17~42
X-Git-Url: https://jxself.org/git/?a=commitdiff_plain;h=b20ddeadc6630d6e9ee6d44fa16dd4d99af01997;p=kconfig-hardened-check.git
Add more checks from grsecurity for cutting attack surface (part I)
This includes: - PUNIT_ATOM_DEBUG - ACPI_CONFIGFS - EDAC_DEBUG - DRM_I915_DEBUG - BCACHE_CLOSURES_DEBUG - DVB_C8SECTPFE - MTD_SLRAM - MTD_PHRAM
---
diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py
index 3b3b415..491fa87 100644
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -511,6 +511,14 @@ def construct_checklist(l, arch):
 l += [OptCheck('cut_attack_surface', 'grsecurity', 'DEVPORT', 'is not set')] # refers to LOCKDOWN
 l += [OptCheck('cut_attack_surface', 'grsecurity', 'DEBUG_FS', 'is not set')] # refers to LOCKDOWN
 l += [OptCheck('cut_attack_surface', 'grsecurity', 'NOTIFIER_ERROR_INJECTION', 'is not set')]
+ l += [OptCheck('cut_attack_surface', 'grsecurity', 'PUNIT_ATOM_DEBUG', 'is not set')]
+ l += [OptCheck('cut_attack_surface', 'grsecurity', 'ACPI_CONFIGFS', 'is not set')]
+ l += [OptCheck('cut_attack_surface', 'grsecurity', 'EDAC_DEBUG', 'is not set')]
+ l += [OptCheck('cut_attack_surface', 'grsecurity', 'DRM_I915_DEBUG', 'is not set')]
+ l += [OptCheck('cut_attack_surface', 'grsecurity', 'BCACHE_CLOSURES_DEBUG', 'is not set')]
+ l += [OptCheck('cut_attack_surface', 'grsecurity', 'DVB_C8SECTPFE', 'is not set')]
+ l += [OptCheck('cut_attack_surface', 'grsecurity', 'MTD_SLRAM', 'is not set')]
+ l += [OptCheck('cut_attack_surface', 'grsecurity', 'MTD_PHRAM', 'is not set')]
 l += [AND(OptCheck('cut_attack_surface', 'grsecurity', 'X86_PTDUMP', 'is not set'), OptCheck('cut_attack_surface', 'my', 'PTDUMP_DEBUGFS', 'is not set'))]
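Review bot: The eight added `OptCheck` lines carry no comment saying why each option counts as attack surface, while the DEVPORT and DEBUG_FS lines just above them are annotated with `# refers to LOCKDOWN`. A short why-comment per line would help whoever audits the list later, for example `# lets userspace load ACPI tables through configfs` on ACPI_CONFIGFS and `# exposes a physical memory range as an MTD device` on MTD_SLRAM and MTD_PHRAM. Several of these options are platform-specific (PUNIT_ATOM_DEBUG and DRM_I915_DEBUG are Intel-only, and DVB_C8SECTPFE appears to belong to an ARM SoC platform), and the hunk does not show whether the lines sit under an `arch` condition; if they do not, it is worth confirming that an option absent from the config is reported as a pass and not as a failure. `construct_checklist` starts and ends outside the hunk.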