From: jvoisin
Date: Fri, 17 May 2024 00:20:28 +0000 (+0200)
Subject: Add a couple of grsecurity disabled options
X-Git-Tag: v0.6.10~19^2~8
X-Git-Url: https://jxself.org/git/?a=commitdiff_plain;h=e50b8cb45e5f747502b1003b61a7e9b6f11453fc;p=kconfig-hardened-check.git
Add a couple of grsecurity disabled options
This is based on a grsecurity 6.6 patch
---
diff --git a/README.md b/README.md
index 1cb7075..d470d3a 100644
--- a/README.md
+++ b/README.md
@@ -25,7 +25,7 @@ The security hardening recommendations are based on:
 - [KSPP recommended settings][1]
 - [CLIP OS kernel configuration][2]
- - Last public [grsecurity][3] patch (options which they disable)
+ - [grsecurity][3] patch (options which they disable)
 - [SECURITY_LOCKDOWN_LSM][5] patchset
 - [Direct feedback from the Linux kernel maintainers][23]
diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py
index f2e4c34..09e606e 100644
--- a/kernel_hardening_checker/checks.py
+++ b/kernel_hardening_checker/checks.py
@@ -364,6 +364,21 @@ def add_kconfig_checks(l: List[ChecklistObjType], arch: str) -> None:
     l += [KconfigCheck('cut_attack_surface', 'grsec', 'SUNRPC_DEBUG', 'is not set')]
     l += [AND(KconfigCheck('cut_attack_surface', 'grsec', 'PTDUMP_DEBUGFS', 'is not set'),
               KconfigCheck('cut_attack_surface', 'grsec', 'X86_PTDUMP', 'is not set'))]
+    l += [AND(KconfigCheck('cut_attack_surface', 'grsec', 'PTDUMP_DEBUGFS', 'is not set'),
+              KconfigCheck('cut_attack_surface', 'grsec', 'ARM_PTDUMP', 'is not set'))]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'X86_16BIT', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'BLK_DEV_UBLK', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'VCAP_KUNIT_TEST', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'SMB_SERVER', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'XFS_ONLINE_SCRUB_STATS', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'BUILD_SALT', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'CACHESTAT_SYSCALL', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'PREEMPTIRQ_TRACEPOINTS', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'ENABLE_DEFAULT_TRACERS', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'PROVE_LOCKING', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'MPTCP', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'TLS', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'TIPC', 'is not set')]
     # 'cut_attack_surface', 'maintainer'
     l += [KconfigCheck('cut_attack_surface', 'maintainer', 'DRM_LEGACY', 'is not set')] # recommended by Daniel Vetter in /issues/38
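Review bot: The new `BUILD_SALT` entry expects `'is not set'`, but `BUILD_SALT` is a Kconfig `string` option (default `""`), so an upstream `.config` carries it as `CONFIG_BUILD_SALT=""` rather than omitting it; if the parser records that as a set value, this check will fail on every mainline-derived kernel instead of only on those that deviate from grsecurity, which is presumably not the intent. Confirm against a stock config before merging and either drop that line or give it an expected value the engine can match for a string option. The other fourteen additions read consistently with the surrounding `'grsec'` entries, although `ARM_PTDUMP` and `X86_16BIT` are added without an `arch` gate while the function receives `arch`; that mirrors the existing unconditional `X86_PTDUMP` line, so, assuming an absent option satisfies `'is not set'` as that line implies, a short comment would save the next reader the question, e.g. `# no arch gate: arch-specific options are simply absent on other arches (cf. X86_PTDUMP above)`. The commit message names the grsecurity 6.6 patch as the source of these options, which belongs in the code too, e.g. `# disabled in the grsecurity patch for Linux 6.6` above the first added line. add_kconfig_checks begins and ends outside this hunk.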