From: Alexander Popov
Date: Thu, 28 Dec 2023 11:33:10 +0000 (+0300)
Subject: Change the 'decision' of the INIT_STACK_ALL_ZERO check
X-Git-Tag: v0.6.6~30
X-Git-Url: https://jxself.org/git/?a=commitdiff_plain;h=f386b2e12c9f839e784516c08e49b2303cd5777a;p=kconfig-hardened-check.git
Change the 'decision' of the INIT_STACK_ALL_ZERO check
---
diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py
index 64c69a6..0f8722c 100644
--- a/kernel_hardening_checker/checks.py
+++ b/kernel_hardening_checker/checks.py
@@ -53,6 +53,8 @@ def add_kconfig_checks(l, arch):
 modules_not_set)] # DEBUG_SET_MODULE_RONX was before v4.11
 l += [OR(KconfigCheck('self_protection', 'defconfig', 'REFCOUNT_FULL', 'y'),
 VersionCheck((5, 5)))] # REFCOUNT_FULL is enabled by default since v5.5
+ l += [OR(KconfigCheck('self_protection', 'defconfig', 'INIT_STACK_ALL_ZERO', 'y'),
+ KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_STRUCTLEAK_BYREF_ALL', 'y'))]
 if arch in ('X86_64', 'ARM64', 'X86_32'):
 l += [KconfigCheck('self_protection', 'defconfig', 'RANDOMIZE_BASE', 'y')]
 if arch in ('X86_64', 'ARM64', 'ARM'):
@@ -154,8 +156,6 @@ def add_kconfig_checks(l, arch):
 modules_not_set)]
 l += [OR(KconfigCheck('self_protection', 'kspp', 'MODULE_SIG_FORCE', 'y'),
 modules_not_set)] # refers to LOCKDOWN
- l += [OR(KconfigCheck('self_protection', 'kspp', 'INIT_STACK_ALL_ZERO', 'y'),
- KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_STRUCTLEAK_BYREF_ALL', 'y'))]
 l += [OR(KconfigCheck('self_protection', 'kspp', 'INIT_ON_FREE_DEFAULT_ON', 'y'),
 KconfigCheck('self_protection', 'kspp', 'PAGE_POISONING_ZERO', 'y'))]
 # CONFIG_INIT_ON_FREE_DEFAULT_ON was added in v5.3.
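Review bot: The added `OR(...)` in the first hunk pairs a 'defconfig' check for INIT_STACK_ALL_ZERO with a 'kspp' alternative, GCC_PLUGIN_STRUCTLEAK_BYREF_ALL, but unlike the two OR entries just above it, it has no trailing comment explaining why the alternative is accepted. I would add one after the closing `)]`, for example `# INIT_STACK_ALL_ZERO needs compiler support for -ftrivial-auto-var-init=zero; STRUCTLEAK_BYREF_ALL is the GCC plugin alternative`, after confirming the wording against the kernel's Kconfig.hardening. The two options now carry different decision labels, so it is also worth checking how OR labels a result that passes through the second option, because anyone filtering the report by 'kspp' may no longer see this stack-initialization check. That reporting logic is not visible here, and add_kconfig_checks itself starts and ends outside the hunk.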