From: Alexander Popov
Date: Sun, 1 Sep 2024 17:24:02 +0000 (+0300)
Subject: Split the cut_attack_surface checks that contain the renamed options
X-Git-Tag: v0.6.10~6
X-Git-Url: https://jxself.org/git/?a=commitdiff_plain;h=ec90087a013204991037b741742108cc4c4aaa6f;p=kconfig-hardened-check.git
Split the cut_attack_surface checks that contain the renamed options
---
diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py
index dcdb251..665b8bc 100755
--- a/kernel_hardening_checker/checks.py
+++ b/kernel_hardening_checker/checks.py
@@ -412,10 +412,10 @@ def add_kconfig_checks(l: List[ChecklistObjType], arch: str) -> None:
 l += [KconfigCheck('cut_attack_surface', 'grsec', 'TIPC', 'is not set')]
 l += [KconfigCheck('cut_attack_surface', 'grsec', 'IP_SCTP', 'is not set')]
 l += [KconfigCheck('cut_attack_surface', 'grsec', 'KGDB', 'is not set')]
- l += [AND(KconfigCheck('cut_attack_surface', 'grsec', 'PTDUMP_DEBUGFS', 'is not set'),
- KconfigCheck('cut_attack_surface', 'grsec', 'X86_PTDUMP', 'is not set'))]
- l += [AND(KconfigCheck('cut_attack_surface', 'grsec', 'DEBUG_CLOSURES', 'is not set'),
- KconfigCheck('cut_attack_surface', 'grsec', 'BCACHE_CLOSURES_DEBUG', 'is not set'))]
+ l += [KconfigCheck('cut_attack_surface', 'grsec', 'PTDUMP_DEBUGFS', 'is not set')]
+ l += [KconfigCheck('cut_attack_surface', 'grsec', 'X86_PTDUMP', 'is not set')] # the old name of PTDUMP_DEBUGFS
+ l += [KconfigCheck('cut_attack_surface', 'grsec', 'DEBUG_CLOSURES', 'is not set')]
+ l += [KconfigCheck('cut_attack_surface', 'grsec', 'BCACHE_CLOSURES_DEBUG', 'is not set')] # the old name of DEBUG_CLOSURES
 # 'cut_attack_surface', 'clipos'
 l += [KconfigCheck('cut_attack_surface', 'clipos', 'STAGING', 'is not set')]
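Review bot: The trailing comments on the split checks (`# the old name of PTDUMP_DEBUGFS`, `# the old name of DEBUG_CLOSURES`, and `# the old name of ARM_PTDUMP_DEBUGFS` in the second hunk) name the rename but not why both symbols stay checked, so a later cleanup could drop the legacy row and lose coverage of kernels that still expose the old symbol. I would extend each to something like `# the old name of PTDUMP_DEBUGFS, still checked for kernels that predate the rename`. Presumably an 'is not set' check also passes when the symbol is absent from the config, in which case every pair now adds one row that passes trivially and shifts the OK totals compared with the former AND() row; worth stating in the commit message if that is intended. add_kconfig_checks starts and ends outside both hunks.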
@@ -454,12 +454,12 @@ def add_kconfig_checks(l: List[ChecklistObjType], arch: str) -> None: l += [KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'XFS_SUPPORT_V4', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'BLK_DEV_WRITE_MOUNTED', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'FAULT_INJECTION', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'ARM_PTDUMP_DEBUGFS', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'ARM_PTDUMP', 'is not set')] # the old name of ARM_PTDUMP_DEBUGFS l += [KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'LKDTM', 'is not set')] # dangerous, only for debugging the kernel hardening features! l += [OR(KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'TRIM_UNUSED_KSYMS', 'y'), modules_not_set)] - l += [AND(KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'ARM_PTDUMP_DEBUGFS', 'is not set'), - KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'ARM_PTDUMP', 'is not set'))] # 'harden_userspace' if arch == 'ARM64':