From: Julien Voisin Date: Sun, 19 May 2024 19:17:19 +0000 (+0000) Subject: Merge branch 'master' into scs_pac X-Git-Url: https://jxself.org/git/?a=commitdiff_plain;h=refs%2Fpull%2F131%2Fhead;hp=-c;p=kconfig-hardened-check.git Merge branch 'master' into scs_pac --- f6075e933d9ec15d4b0bc216f764acbdfb51235d diff --combined kernel_hardening_checker/checks.py index e0caab6,f2e4c34..672ea7e --- a/kernel_hardening_checker/checks.py +++ b/kernel_hardening_checker/checks.py @@@ -8,13 -8,14 +8,14 @@@ Author: Alexander Popov None: assert(arch), 'empty arch' # Calling the KconfigCheck class constructor: @@@ -241,7 -242,6 +242,7 @@@ if arch == 'ARM64': l += [KconfigCheck('self_protection', 'kspp', 'ARM64_SW_TTBR0_PAN', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'SHADOW_CALL_STACK', 'y')] + l += [KconfigCheck('self_protection', 'kspp', 'UNWIND_PATCH_PAC_INTO_SCS', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'KASAN_HW_TAGS', 'y')] # see also: kasan=on, kasan.stacktrace=off, kasan.fault=panic if arch == 'X86_32': l += [KconfigCheck('self_protection', 'kspp', 'PAGE_TABLE_ISOLATION', 'y')] @@@ -423,7 -423,7 +424,7 @@@ l += [KconfigCheck('harden_userspace', 'a13xp0p0v', 'X86_USER_SHADOW_STACK', 'y')] - def add_cmdline_checks(l, arch): + def add_cmdline_checks(l: List[ChecklistObjType], arch: str) -> None: assert(arch), 'empty arch' # Calling the CmdlineCheck class constructor: @@@ -631,7 -631,7 +632,7 @@@ no_kstrtobool_options = ] - def normalize_cmdline_options(option, value): + def normalize_cmdline_options(option: str, value: str) -> str: # Don't normalize the cmdline option values if # the Linux kernel doesn't use kstrtobool() for them if option in no_kstrtobool_options: @@@ -647,7 -647,7 +648,7 @@@ return value - # TODO: draft of security hardening sysctls: + # Ideas of security hardening sysctls: # what about bpf_jit_enable? 
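Review bot: The added `UNWIND_PATCH_PAC_INTO_SCS` check in the `arch == 'ARM64'` branch is unconditional, but in the kernel this option can only be turned on for Clang builds with pointer authentication (it depends on `CC_IS_CLANG`, `ARM64_PTR_AUTH_KERNEL` and `SHADOW_CALL_STACK`), so every GCC-built arm64 kernel will get a failure it cannot act on. If the checker's combinator classes can express such a dependency, the new line should be tied to the neighbouring `SHADOW_CALL_STACK` check rather than standing alone; at minimum a comment such as `# requires Clang (CC_IS_CLANG) and ARM64_PTR_AUTH_KERNEL; see also SHADOW_CALL_STACK above` would tell users why the check fails on their build. The enclosing function starts and ends outside this hunk.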
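Review bot: The new signature `add_cmdline_checks(l: List[ChecklistObjType], arch: str) -> None` annotates `arch` as a non-optional `str`, yet the only runtime guard on the following line is `assert(arch), 'empty arch'`, which is stripped under `python -O` and would let an empty or `None` value fall through into the checks below. Since the sibling `add_sysctl_checks` later in this diff explicitly annotates its argument as `StrOrNone`, the contract here is meant to be stricter, so consider `if not arch: raise ValueError('empty arch')` in place of the assert so the annotation is enforced at runtime. The function body continues past the end of the hunk.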
# vm.mmap_min_addr has a good value # nosmt sysfs control file @@@ -658,7 -658,7 +659,7 @@@ # kernel.warn_limit (think about a proper value) # net.ipv4.tcp_syncookies=1 (?) - def add_sysctl_checks(l, _arch): + def add_sysctl_checks(l: List[ChecklistObjType], _arch: StrOrNone) -> None: # This function may be called with arch=None # Calling the SysctlCheck class constructor: