kconfig-hardened-check.git
6 months agoAdd more typing annotations to test_engine.py
Alexander Popov [Mon, 13 May 2024 15:52:39 +0000 (18:52 +0300)]
Add more typing annotations to test_engine.py

Annotate all functions to enable mypy checking for them.

6 months agoFix mypy typing warnings for ChecklistObjType
Alexander Popov [Mon, 13 May 2024 15:16:37 +0000 (18:16 +0300)]
Fix mypy typing warnings for ChecklistObjType

6 months agoAdd more precise typing for checklist: List[ChecklistObjType]
Alexander Popov [Mon, 13 May 2024 15:12:35 +0000 (18:12 +0300)]
Add more precise typing for checklist: List[ChecklistObjType]

6 months agoFix assertion style
Alexander Popov [Mon, 13 May 2024 13:26:42 +0000 (16:26 +0300)]
Fix assertion style

Make assertions look similarly.

6 months agoFix mypy typing warnings in engine.py
Alexander Popov [Sun, 12 May 2024 23:27:07 +0000 (02:27 +0300)]
Fix mypy typing warnings in engine.py

6 months agoAdd more typing annotations to engine.py
Alexander Popov [Mon, 13 May 2024 12:07:08 +0000 (15:07 +0300)]
Add more typing annotations to engine.py

Annotate all functions to enable mypy checking for them.

6 months agoMove print_unknown_options() to engine.py
Alexander Popov [Mon, 13 May 2024 11:57:26 +0000 (14:57 +0300)]
Move print_unknown_options() to engine.py

That is better for specifying typing.

6 months agoAdd more precise typing for OrderedDict
Alexander Popov [Sun, 12 May 2024 20:13:57 +0000 (23:13 +0300)]
Add more precise typing for OrderedDict

6 months agoAdd more typing annotations to checks.py
Alexander Popov [Sun, 12 May 2024 16:20:33 +0000 (19:20 +0300)]
Add more typing annotations to checks.py

Annotate all functions to enable mypy checking for them.

6 months agoMake the static typing work for Python v3.8
Alexander Popov [Sun, 12 May 2024 16:15:23 +0000 (19:15 +0300)]
Make the static typing work for Python v3.8

Kind of hackish :)

6 months agoFix mypy typing warnings in __init__.py
Alexander Popov [Sun, 12 May 2024 15:31:23 +0000 (18:31 +0300)]
Fix mypy typing warnings in __init__.py

6 months agoAdd more typing annotations to __init__.py
Alexander Popov [Sun, 12 May 2024 15:29:25 +0000 (18:29 +0300)]
Add more typing annotations to __init__.py

Annotate all functions to enable mypy checking for them.

6 months agoFix pylint warnings in _open
Alexander Popov [Sun, 12 May 2024 15:21:44 +0000 (18:21 +0300)]
Fix pylint warnings in _open

6 months agoFix mypy warning in _open()
Alexander Popov [Sun, 12 May 2024 13:44:29 +0000 (16:44 +0300)]
Fix mypy warning in _open()

kernel_hardening_checker/__init__.py:28: error: Incompatible types in assignment (expression has type overloaded function, variable has type overloaded function)  [assignment]

Refactor the _open function to fix this and add the type hint by the way.

6 months agoFix mypy warning in json_dump()
Alexander Popov [Sun, 12 May 2024 13:28:03 +0000 (16:28 +0300)]
Fix mypy warning in json_dump()

kernel_hardening_checker/engine.py:119: error: "None" has no attribute "startswith"  [attr-defined]

The `json_dump()` function printing the results should not be called
for the OptCheck and ComplexOptCheck objects with empty results.

6 months agoMerge branch 'master' into typing
Julien Voisin [Fri, 3 May 2024 12:51:07 +0000 (12:51 +0000)]
Merge branch 'master' into typing

6 months agoCI: Don't run the tests with coverage control for pull requests
Alexander Popov [Fri, 3 May 2024 11:26:39 +0000 (14:26 +0300)]
CI: Don't run the tests with coverage control for pull requests

Refers to #126

6 months agoCI: Add a functional test without collecting coverage (tired of codecov failures)
Alexander Popov [Thu, 2 May 2024 13:02:03 +0000 (16:02 +0300)]
CI: Add a functional test without collecting coverage (tired of codecov failures)

6 months agoCI: Fix the name of engine_unit-test_no_coverage (II)
Alexander Popov [Thu, 2 May 2024 12:57:46 +0000 (15:57 +0300)]
CI: Fix the name of engine_unit-test_no_coverage (II)

6 months agoCI: Fix the name of engine_unit-test_no_coverage
Alexander Popov [Thu, 2 May 2024 12:53:37 +0000 (15:53 +0300)]
CI: Fix the name of engine_unit-test_no_coverage

6 months agoCI: Add a unit-test without collecting coverage (tired of codecov failures)
Alexander Popov [Thu, 2 May 2024 12:50:53 +0000 (15:50 +0300)]
CI: Add a unit-test without collecting coverage (tired of codecov failures)

6 months agoMerge branch 'skip_sysctl'
Alexander Popov [Thu, 2 May 2024 12:19:05 +0000 (15:19 +0300)]
Merge branch 'skip_sysctl'

Refers to #125.

Thanks for the collaboration, @cotequeiroz

6 months agoStyle fixes, should be no functional changes 125/head
Alexander Popov [Thu, 2 May 2024 12:15:44 +0000 (15:15 +0300)]
Style fixes, should be no functional changes

6 months agoFix the reason and decision of the KEXEC_CORE check
Alexander Popov [Thu, 2 May 2024 12:09:46 +0000 (15:09 +0300)]
Fix the reason and decision of the KEXEC_CORE check

KSPP doesn't recommend to disable it.

Refers to #125

6 months agoFix the reason and decision of the BPF_JIT check
Alexander Popov [Thu, 2 May 2024 11:52:27 +0000 (14:52 +0300)]
Fix the reason and decision of the BPF_JIT check

KSPP doesn't recommend to disable it.

Refers to #125

6 months agoRestore the `dev.tty.legacy_tiocsti` check
Alexander Popov [Thu, 2 May 2024 10:30:42 +0000 (13:30 +0300)]
Restore the `dev.tty.legacy_tiocsti` check

The kernel documentations says:
```
Historically the kernel has allowed TIOCSTI, which will push
characters into a controlling TTY. This continues to be used
as a malicious privilege escalation mechanism, and provides no
meaningful real-world utility any more. Its use is considered
a dangerous legacy operation, and can be disabled on most
systems.
```
https://elixir.bootlin.com/linux/v6.8.8/source/drivers/tty/Kconfig#L152

In other words, not having the `dev.tty.legacy_tiocsti` sysctl means that
the dangerous functionality is enabled by default.

6 months agoUse CONFIG_LOCALVERSION instead of CONFIG_DEFAULT_INIT since it's older
Alexander Popov [Thu, 2 May 2024 09:32:58 +0000 (12:32 +0300)]
Use CONFIG_LOCALVERSION instead of CONFIG_DEFAULT_INIT since it's older

6 months agoskip kernel.modules_disabled if MODULES not set
Eneas U de Queiroz [Mon, 8 Apr 2024 21:09:56 +0000 (18:09 -0300)]
skip kernel.modules_disabled if MODULES not set

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
6 months agoSkip unprivileged_userfaultfd if USERFAULTFD unset
Eneas U de Queiroz [Fri, 10 Nov 2023 18:21:19 +0000 (15:21 -0300)]
Skip unprivileged_userfaultfd if USERFAULTFD unset

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
6 months agoDon't fail if dev.tty.legacy_tiocsti not found
Eneas U de Queiroz [Fri, 10 Nov 2023 18:02:57 +0000 (15:02 -0300)]
Don't fail if dev.tty.legacy_tiocsti not found

The sysctl is available for Kernel 6.2 and later only.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
6 months agoSkip unprivileged_bpf_disabled if BPF_SYSCALL not set
Eneas U de Queiroz [Wed, 6 Sep 2023 17:20:53 +0000 (14:20 -0300)]
Skip unprivileged_bpf_disabled if BPF_SYSCALL not set

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
6 months agoSkip kexec_load_disabled if KEXEC_CORE is not set
Eneas U de Queiroz [Wed, 6 Sep 2023 17:20:53 +0000 (14:20 -0300)]
Skip kexec_load_disabled if KEXEC_CORE is not set

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
6 months agoSkip bpf_jit_harden sysctl if BPF_JIT is not set
Eneas U de Queiroz [Wed, 6 Sep 2023 17:20:53 +0000 (14:20 -0300)]
Skip bpf_jit_harden sysctl if BPF_JIT is not set

Also, switch the test for root sysctl to the 'kernel.cad_pid' symbol.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
6 months agoMerge branch 'cpu_depend'
Alexander Popov [Tue, 30 Apr 2024 16:53:56 +0000 (19:53 +0300)]
Merge branch 'cpu_depend'

Thanks, @cotequeiroz.

Refers to #123

6 months agoAdd some lightweight typing
jvoisin [Mon, 15 Apr 2024 12:49:22 +0000 (14:49 +0200)]
Add some lightweight typing

6 months agoFix the reason and decision for CPU_SUP_INTEL 123/head
Alexander Popov [Tue, 30 Apr 2024 08:02:32 +0000 (11:02 +0300)]
Fix the reason and decision for CPU_SUP_INTEL

6 months agoStyle fixes
Alexander Popov [Tue, 30 Apr 2024 07:59:34 +0000 (10:59 +0300)]
Style fixes

6 months agoSkip CPU-dependent checks if CPU is not supported
Eneas U de Queiroz [Wed, 6 Sep 2023 13:30:27 +0000 (10:30 -0300)]
Skip CPU-dependent checks if CPU is not supported

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
6 months agoLike grep, colorize the output only if stdout is connected to a terminal
Alexander Popov [Sun, 21 Apr 2024 22:39:17 +0000 (01:39 +0300)]
Like grep, colorize the output only if stdout is connected to a terminal

Nice.
With this, if you redirect the output of kernel-hardening-checker to a file,
it doesn't contain the ANSI escape sequences for colorizing.

6 months agoDon't use the `type` name for the class methods
Alexander Popov [Sun, 21 Apr 2024 00:12:20 +0000 (03:12 +0300)]
Don't use the `type` name for the class methods

There should be no functional changes

6 months agoAdd the BLK_DEV_WRITE_MOUNTED/bdev_allow_write_mounted check
Alexander Popov [Thu, 18 Apr 2024 06:27:38 +0000 (09:27 +0300)]
Add the BLK_DEV_WRITE_MOUNTED/bdev_allow_write_mounted check

And fix the check order by the way.

Thanks to @izh1979 for the idea

6 months agoCI: codecov-action@v3.1.5 with token doesn't work well, go to v4 (facepalm)
Alexander Popov [Wed, 17 Apr 2024 17:47:09 +0000 (20:47 +0300)]
CI: codecov-action@v3.1.5 with token doesn't work well, go to v4 (facepalm)

6 months agoCI: Return to codecov-action@v3.1.5, but with tokens
Alexander Popov [Wed, 17 Apr 2024 17:32:59 +0000 (20:32 +0300)]
CI: Return to codecov-action@v3.1.5, but with tokens

codecov-action@v4 is unstable and sometimes gives the error:
```
Codecov: Failed to properly create commit: The process '/home/runner/work/_actions/codecov/codecov-action/v4/dist/codecov' failed with exit code 1
```

6 months agoCI: Update python versions
Alexander Popov [Wed, 17 Apr 2024 17:30:02 +0000 (20:30 +0300)]
CI: Update python versions

6 months agoAdd the links to the corresponding codecov pages in the README badges
Alexander Popov [Wed, 17 Apr 2024 17:08:30 +0000 (20:08 +0300)]
Add the links to the corresponding codecov pages in the README badges

6 months agoCI: Move to codecov-action@4
Alexander Popov [Wed, 17 Apr 2024 16:58:53 +0000 (19:58 +0300)]
CI: Move to codecov-action@4

Again, trying to fix the error
```
Codecov: Failed to properly upload: The process '/home/runner/work/_actions/codecov/codecov-action/v3/dist/codecov' failed with exit code 255
```
https://github.com/codecov/codecov-action/issues/598

6 months agoCI: Move to codecov-action@v3.1.5
Alexander Popov [Wed, 17 Apr 2024 16:46:41 +0000 (19:46 +0300)]
CI: Move to codecov-action@v3.1.5

Trying to fix the error
```
Codecov: Failed to properly upload: The process '/home/runner/work/_actions/codecov/codecov-action/v3/dist/codecov' failed with exit code 255
```
https://github.com/codecov/codecov-action/issues/598

6 months agoMerge branch 'shstk'
Alexander Popov [Wed, 17 Apr 2024 16:27:42 +0000 (19:27 +0300)]
Merge branch 'shstk'

Refers to #114, #120

Thanks, @jvoisin.

6 months agoFix 'decision' for the X86_USER_SHADOW_STACK check 120/head
Alexander Popov [Wed, 17 Apr 2024 16:12:12 +0000 (19:12 +0300)]
Fix 'decision' for the X86_USER_SHADOW_STACK check

Refers to #114, #120

7 months agoAdd a check for X86_USER_SHADOW_STACK
jvoisin [Mon, 15 Apr 2024 12:05:42 +0000 (14:05 +0200)]
Add a check for X86_USER_SHADOW_STACK

This should close #114

7 months agoAdd a comment that 'user.max_user_namespaces=0' may break the upower daemon
Alexander Popov [Sat, 30 Mar 2024 11:36:34 +0000 (14:36 +0300)]
Add a comment that 'user.max_user_namespaces=0' may break the upower daemon

7 months agoUpdate the README
Alexander Popov [Mon, 25 Mar 2024 19:16:38 +0000 (22:16 +0300)]
Update the README

7 months agoImprove the CONFIG_CFI_CLANG checks (add the CONFIG_CC_IS_CLANG dependency)
Alexander Popov [Mon, 25 Mar 2024 18:23:04 +0000 (21:23 +0300)]
Improve the CONFIG_CFI_CLANG checks (add the CONFIG_CC_IS_CLANG dependency)

Refers to #102

7 months agoDrop the GCC_PLUGINS check (checking CC_IS_GCC is enough)
Alexander Popov [Mon, 25 Mar 2024 17:40:15 +0000 (20:40 +0300)]
Drop the GCC_PLUGINS check (checking CC_IS_GCC is enough)

Refers to #102

7 months agoAdd the CONFIG_CC_IS_GCC dependency for gcc plugins
Alexander Popov [Mon, 25 Mar 2024 16:15:23 +0000 (19:15 +0300)]
Add the CONFIG_CC_IS_GCC dependency for gcc plugins

Refers to #102

7 months agoDon't require GCC_PLUGINS separately
Alexander Popov [Mon, 25 Mar 2024 07:18:25 +0000 (10:18 +0300)]
Don't require GCC_PLUGINS separately

It's auxiliary for building with gcc and it's not needed for building with
clang.

Refers to #102

7 months agoRename the 'my' check decision to 'a13xp0p0v'
Alexander Popov [Sun, 24 Mar 2024 12:52:40 +0000 (15:52 +0300)]
Rename the 'my' check decision to 'a13xp0p0v'

'my' checks look like the checks created by a user of the tool.
Let's fix that and take the responsibility :)

Refers to #50

7 months agoMake the table column names and JSON field names fit each other
Alexander Popov [Sun, 17 Mar 2024 22:38:54 +0000 (01:38 +0300)]
Make the table column names and JSON field names fit each other

Refers to #108, #115

7 months agoMerge remote-tracking branch 'krishjainx/improve-json-output'
Alexander Popov [Sun, 17 Mar 2024 22:16:51 +0000 (01:16 +0300)]
Merge remote-tracking branch 'krishjainx/improve-json-output'

Refers to #108, #115

7 months agoupdate 115/head
krishjainx [Sun, 17 Mar 2024 21:43:01 +0000 (17:43 -0400)]
update

8 months agofix issues
krishjainx [Sun, 17 Mar 2024 07:20:27 +0000 (03:20 -0400)]
fix issues

8 months agoFix tests to work with new JSON schema
krishjainx [Thu, 14 Mar 2024 10:21:54 +0000 (06:21 -0400)]
Fix tests to work with new JSON schema

8 months agoImprove JSON output format for enhanced processing
krishjainx [Thu, 14 Mar 2024 09:53:19 +0000 (05:53 -0400)]
Improve JSON output format for enhanced processing

8 months agoImprove the DEBUG_CREDENTIALS check
Alexander Popov [Mon, 11 Mar 2024 11:00:25 +0000 (14:00 +0300)]
Improve the DEBUG_CREDENTIALS check

Useful DEBUG_CREDENTIALS was dropped in v6.6.8

Refers to #97

8 months agoFix the false result of the REFCOUNT_FULL check for kernels > v5.4.208
Alexander Popov [Sun, 10 Mar 2024 00:00:24 +0000 (03:00 +0300)]
Fix the false result of the REFCOUNT_FULL check for kernels > v5.4.208

Refers to #88, #89

8 months agoHave to revert codecov back to v3
Alexander Popov [Sat, 9 Mar 2024 23:12:35 +0000 (02:12 +0300)]
Have to revert codecov back to v3

Details about the error:
https://github.com/codecov/codecov-action/issues/1292

8 months agoUpdate codecov-action
Alexander Popov [Sat, 9 Mar 2024 22:29:52 +0000 (01:29 +0300)]
Update codecov-action

This fixes the error:
```
Node.js 16 actions are deprecated.
Please update the following actions to use Node.js 20.
```

8 months agoAdapt test_version() in the unittest
Alexander Popov [Sat, 9 Mar 2024 22:22:46 +0000 (01:22 +0300)]
Adapt test_version() in the unittest

Refers to #88, #89, #97

8 months agoCheck all 3 numbers of the kernel version in VersionCheck
Alexander Popov [Sat, 9 Mar 2024 20:46:51 +0000 (23:46 +0300)]
Check all 3 numbers of the kernel version in VersionCheck

Refers to #88, #89, #97

8 months agoFix the fresh set_state() bug found by unittest
Alexander Popov [Sat, 9 Mar 2024 21:41:49 +0000 (00:41 +0300)]
Fix the fresh set_state() bug found by unittest

This function should write 'self.state' anyway.

Refers to #88, #89, #97

8 months agoMake `python -m unittest` show the whole output
Alexander Popov [Sat, 9 Mar 2024 21:38:25 +0000 (00:38 +0300)]
Make `python -m unittest` show the whole output

8 months agoUpdate github actions
Alexander Popov [Sat, 9 Mar 2024 21:26:12 +0000 (00:26 +0300)]
Update github actions

This fixes the error:
```
Node.js 16 actions are deprecated.
Please update the following actions to use Node.js 20.
```

8 months agoImplement the set_state() method of the check classes
Alexander Popov [Sat, 9 Mar 2024 18:53:47 +0000 (21:53 +0300)]
Implement the set_state() method of the check classes

Refers to #88, #89, #97

8 months agoUse 3 numbers in the VersionCheck constructor
Alexander Popov [Sat, 9 Mar 2024 18:16:30 +0000 (21:16 +0300)]
Use 3 numbers in the VersionCheck constructor

Refers to #88, #89, #97

8 months agoParse all numbers of the kernel version
Alexander Popov [Sat, 9 Mar 2024 17:27:08 +0000 (20:27 +0300)]
Parse all numbers of the kernel version

Refers to #88, #89, #97

8 months agoSkip the kernel version part after '-'
Alexander Popov [Sat, 9 Mar 2024 17:24:07 +0000 (20:24 +0300)]
Skip the kernel version part after '-'

Example:
# Linux/x86_64 6.7.4-200.fc39.x86_64 Kernel Configuration

Refers to #88, #89, #97

8 months agoAdd the ia32_emulation check
Alexander Popov [Mon, 4 Mar 2024 20:00:49 +0000 (23:00 +0300)]
Add the ia32_emulation check

Refers to #87 #112

8 months agoAdd MODULE_SIG_SHA3_512 as a valid option
Alexander Popov [Mon, 19 Feb 2024 12:25:09 +0000 (15:25 +0300)]
Add MODULE_SIG_SHA3_512 as a valid option

Refers to #107

8 months agoMake LOCKDOWN_LSM 'self_protection', not 'security_policy'
Alexander Popov [Sat, 17 Feb 2024 20:33:33 +0000 (23:33 +0300)]
Make LOCKDOWN_LSM 'self_protection', not 'security_policy'

9 months agoReady for the release 0.6.6 v0.6.6
Alexander Popov [Tue, 16 Jan 2024 22:55:02 +0000 (01:55 +0300)]
Ready for the release 0.6.6

9 months agoUpdate issues.md
Alexander Popov [Tue, 16 Jan 2024 22:54:40 +0000 (01:54 +0300)]
Update issues.md

9 months agoUpdate the README
Alexander Popov [Tue, 16 Jan 2024 22:30:43 +0000 (01:30 +0300)]
Update the README

9 months agoUpdate the Ubuntu example configs
Alexander Popov [Tue, 16 Jan 2024 22:20:39 +0000 (01:20 +0300)]
Update the Ubuntu example configs

9 months agoDon't print the warning about ARCH_MMAP_RND_BITS in the json mode
Alexander Popov [Tue, 16 Jan 2024 21:42:56 +0000 (00:42 +0300)]
Don't print the warning about ARCH_MMAP_RND_BITS in the json mode

9 months agoImprove the check of DEBUG_NOTIFIERS feature (part 2)
Alexander Popov [Tue, 16 Jan 2024 20:53:14 +0000 (23:53 +0300)]
Improve the check of DEBUG_NOTIFIERS feature (part 2)

CFI_PERMISSIVE should be disabled. Reacting with a kernel warning
is not enough.

Thanks to @thestinger for the idea.

Refers to #99.

9 months agoImprove the check of DEBUG_NOTIFIERS feature
Alexander Popov [Tue, 16 Jan 2024 20:31:11 +0000 (23:31 +0300)]
Improve the check of DEBUG_NOTIFIERS feature

This is what DEBUG_NOTIFIERS performs (see kernel/notifier.c):

```
#ifdef CONFIG_DEBUG_NOTIFIERS
if (unlikely(!func_ptr_is_kernel_text(nb->notifier_call))) {
WARN(1, "Invalid notifier called!");
nb = next_nb;
continue;
}
#endif
```

CFI can do the same better.

Thanks to @thestinger for the idea.

Refers to #99.

9 months agoImprove the check of SCHED_STACK_END_CHECK.
Alexander Popov [Tue, 16 Jan 2024 19:57:47 +0000 (22:57 +0300)]
Improve the check of SCHED_STACK_END_CHECK.

SCHED_STACK_END_CHECK checks the magic value at the end
of the kernel thread stack, and VMAP_STACK adds guard pages near it.
So they do a bit different things, but VMAP_STACK is more reliable.

Thanks to @thestinger for the idea.

Refers to #98.

9 months agoFix style (III)
Alexander Popov [Tue, 16 Jan 2024 17:33:58 +0000 (20:33 +0300)]
Fix style (III)

Use f-strings.

9 months agoFix style (II)
Alexander Popov [Tue, 16 Jan 2024 17:21:57 +0000 (20:21 +0300)]
Fix style (II)

9 months agoFix style (I)
Alexander Popov [Tue, 16 Jan 2024 17:20:41 +0000 (20:20 +0300)]
Fix style (I)

10 months agoDisable pylint too-many-locals, it's not useful for add_kconfig_checks()
Alexander Popov [Tue, 16 Jan 2024 08:30:39 +0000 (11:30 +0300)]
Disable pylint too-many-locals, it's not useful for add_kconfig_checks()

10 months agoFix pylint W0613: Unused argument 'arch'
Alexander Popov [Tue, 16 Jan 2024 08:26:27 +0000 (11:26 +0300)]
Fix pylint W0613: Unused argument 'arch'

10 months agoFix pylint E1101: Instance of 'OptCheck' has no 'type' member
Alexander Popov [Tue, 16 Jan 2024 04:24:32 +0000 (07:24 +0300)]
Fix pylint E1101: Instance of 'OptCheck' has no 'type' member

10 months agoFix pylint W0613: Unused argument 'mode'
Alexander Popov [Tue, 16 Jan 2024 04:18:40 +0000 (07:18 +0300)]
Fix pylint W0613: Unused argument 'mode'

10 months agoUpdate the NixOS configs
Alexander Popov [Mon, 15 Jan 2024 05:35:28 +0000 (08:35 +0300)]
Update the NixOS configs

10 months agoDon't add options without explicitly recommended values to Kconfig fragments
Alexander Popov [Sun, 14 Jan 2024 14:31:50 +0000 (17:31 +0300)]
Don't add options without explicitly recommended values to Kconfig fragments

That's important for the '--generate' mode.

10 months agoUBSAN_SANITIZE_ALL is now available for ARM
Alexander Popov [Sun, 14 Jan 2024 12:43:08 +0000 (15:43 +0300)]
UBSAN_SANITIZE_ALL is now available for ARM

10 months agoFix the order in the vdso32 check (part II)
Alexander Popov [Sat, 30 Dec 2023 20:44:34 +0000 (23:44 +0300)]
Fix the order in the vdso32 check (part II)

10 months agoFix the order in the vdso32 check
Alexander Popov [Sat, 30 Dec 2023 20:41:01 +0000 (23:41 +0300)]
Fix the order in the vdso32 check

10 months agoImprove the hackish refinement of the CONFIG_ARCH_MMAP_RND_BITS check
Alexander Popov [Sat, 30 Dec 2023 18:30:14 +0000 (21:30 +0300)]
Improve the hackish refinement of the CONFIG_ARCH_MMAP_RND_BITS check

Don't check CONFIG_ARCH_MMAP_RND_BITS if CONFIG_ARCH_MMAP_RND_BITS_MAX
was not found.