From: jvoisin <julien.voisin@dustri.org>
Date: Fri, 17 May 2024 00:20:28 +0000 (+0200)
Subject: Add a couple of grsecurity disabled options
X-Git-Tag: v0.6.10~19^2~8
X-Git-Url: https://jxself.org/git/?a=commitdiff_plain;h=e50b8cb45e5f747502b1003b61a7e9b6f11453fc;p=kconfig-hardened-check.git

Add a couple of grsecurity disabled options

This is based on a grsecurity 6.6 patch
---

diff --git a/README.md b/README.md
index 1cb7075..d470d3a 100644
--- a/README.md
+++ b/README.md
@@ -25,7 +25,7 @@ The security hardening recommendations are based on:
 
   - [KSPP recommended settings][1]
   - [CLIP OS kernel configuration][2]
-  - Last public [grsecurity][3] patch (options which they disable)
+  - [grsecurity][3] patch (options which they disable)
   - [SECURITY_LOCKDOWN_LSM][5] patchset
   - [Direct feedback from the Linux kernel maintainers][23]
 
diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py
index f2e4c34..09e606e 100644
--- a/kernel_hardening_checker/checks.py
+++ b/kernel_hardening_checker/checks.py
@@ -364,6 +364,21 @@ def add_kconfig_checks(l: List[ChecklistObjType], arch: str) -> None:
     l += [KconfigCheck('cut_attack_surface', 'grsec', 'SUNRPC_DEBUG', 'is not set')]
     l += [AND(KconfigCheck('cut_attack_surface', 'grsec', 'PTDUMP_DEBUGFS', 'is not set'),
               KconfigCheck('cut_attack_surface', 'grsec', 'X86_PTDUMP', 'is not set'))]
+    l += [AND(KconfigCheck('cut_attack_surface', 'grsec', 'PTDUMP_DEBUGFS', 'is not set'),
+              KconfigCheck('cut_attack_surface', 'grsec', 'ARM_PTDUMP', 'is not set'))]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'X86_16BIT', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'BLK_DEV_UBLK', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'VCAP_KUNIT_TEST', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'SMB_SERVER', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'XFS_ONLINE_SCRUB_STATS', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'BUILD_SALT', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'CACHESTAT_SYSCALL', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'PREEMPTIRQ_TRACEPOINTS', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'ENABLE_DEFAULT_TRACERS', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'PROVE_LOCKING', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'MPTCP', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'TLS', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'TIPC', 'is not set')]
 
     # 'cut_attack_surface', 'maintainer'
     l += [KconfigCheck('cut_attack_surface', 'maintainer', 'DRM_LEGACY', 'is not set')] # recommended by Daniel Vetter in /issues/38