kconfig-hardened-check.git
14 months ago Adjust test scripts to scrub ANSI colors from output 86/head
Frak [Tue, 12 Sep 2023 15:47:28 +0000 (11:47 -0400)]
Adjust test scripts to scrub ANSI colors from output

14 months ago Fix pylints and verbose/None case
Frak [Mon, 11 Sep 2023 22:46:50 +0000 (18:46 -0400)]
Fix pylints and verbose/None case

14 months ago fix typo
Frak [Sun, 10 Sep 2023 20:29:51 +0000 (16:29 -0400)]
fix typo

14 months ago cleanup spaces
Frak [Sun, 10 Sep 2023 17:40:59 +0000 (13:40 -0400)]
cleanup spaces

14 months ago cleanup
Frak [Sat, 9 Sep 2023 21:17:54 +0000 (17:17 -0400)]
cleanup

14 months ago re-factoring
Frak [Sat, 9 Sep 2023 21:09:18 +0000 (17:09 -0400)]
re-factoring

14 months ago Add colors for OK and FAIL cases
Frak [Sat, 9 Sep 2023 18:18:39 +0000 (14:18 -0400)]
Add colors for OK and FAIL cases

14 months ago Fix arch conditions for some CmdlineChecks
Alexander Popov [Sun, 3 Sep 2023 20:41:26 +0000 (23:41 +0300)]
Fix arch conditions for some CmdlineChecks

By the way, don't add `if arch` for checks that require 'is not set'
(there is nothing wrong with that).

14 months ago Make the functional tests more informative
Alexander Popov [Mon, 28 Aug 2023 11:26:17 +0000 (14:26 +0300)]
Make the functional tests more informative

Drop `> /dev/null` for non-verbose output of the tool.

14 months ago Test more wrong combinations of options
Alexander Popov [Mon, 28 Aug 2023 11:20:13 +0000 (14:20 +0300)]
Test more wrong combinations of options

14 months ago Test checking sysctl separately
Alexander Popov [Mon, 28 Aug 2023 11:02:00 +0000 (14:02 +0300)]
Test checking sysctl separately

14 months ago Support separate sysctl checking (without kconfig)
Alexander Popov [Sun, 27 Aug 2023 20:31:55 +0000 (23:31 +0300)]
Support separate sysctl checking (without kconfig)

15 months ago Improve coverage of the functional test a bit
Alexander Popov [Mon, 14 Aug 2023 20:47:09 +0000 (23:47 +0300)]
Improve coverage of the functional test a bit

15 months ago Clean .gitignore
Alexander Popov [Mon, 14 Aug 2023 18:48:07 +0000 (21:48 +0300)]
Clean .gitignore

15 months ago Show git information in the functional test
Alexander Popov [Mon, 14 Aug 2023 16:42:15 +0000 (19:42 +0300)]
Show git information in the functional test

15 months ago Test an invalid sysctl file
Alexander Popov [Mon, 14 Aug 2023 15:56:39 +0000 (18:56 +0300)]
Test an invalid sysctl file

15 months ago Test an unexpected line in the sysctl file
Alexander Popov [Mon, 14 Aug 2023 15:56:13 +0000 (18:56 +0300)]
Test an unexpected line in the sysctl file

15 months ago Test an unexpected line in the Kconfig file
Alexander Popov [Mon, 14 Aug 2023 15:53:25 +0000 (18:53 +0300)]
Test an unexpected line in the Kconfig file

15 months ago Drop `if __name__ == "__main__"` from ./bin/kconfig-hardened-check
Alexander Popov [Mon, 14 Aug 2023 15:39:18 +0000 (18:39 +0300)]
Drop `if __name__ == "__main__"` from ./bin/kconfig-hardened-check

It always runs as a main program.

15 months ago Turn the warning about unexpected line in Kconfig file into an error
Alexander Popov [Mon, 14 Aug 2023 13:02:21 +0000 (16:02 +0300)]
Turn the warning about unexpected line in Kconfig file into an error

15 months ago Update the README (add the --sysctl mode)
Alexander Popov [Mon, 14 Aug 2023 12:22:34 +0000 (15:22 +0300)]
Update the README (add the --sysctl mode)

15 months ago Add the Kconfig file of Fedora 38
Alexander Popov [Sun, 13 Aug 2023 21:22:57 +0000 (00:22 +0300)]
Add the Kconfig file of Fedora 38

15 months ago Use example_sysctls.txt in the functional test
Alexander Popov [Sun, 13 Aug 2023 21:08:22 +0000 (00:08 +0300)]
Use example_sysctls.txt in the functional test

This file was made with root privileges, so it has a full list of sysctls.

15 months ago Add an example sysctl output file
Alexander Popov [Sun, 13 Aug 2023 20:59:26 +0000 (23:59 +0300)]
Add an example sysctl output file

15 months ago Add the / symbol to the sysctl parsing pattern
Alexander Popov [Sun, 13 Aug 2023 19:39:11 +0000 (22:39 +0300)]
Add the / symbol to the sysctl parsing pattern

The GitHub Actions virtual machine has such a sysctl:
  fs.binfmt_misc.llvm-14-runtime/binfmt = enabled

This example shows that sysctl names may contain the / symbol.

15 months ago Add --sysctl to functional testing
Alexander Popov [Sun, 13 Aug 2023 17:37:28 +0000 (20:37 +0300)]
Add --sysctl to functional testing

Refers to #65

15 months ago Improve checking the combinations of flags in the functional test
Alexander Popov [Sun, 13 Aug 2023 17:04:32 +0000 (20:04 +0300)]
Improve checking the combinations of flags in the functional test

15 months ago Fix syntax to run on the Woodpecker 1.0.0 CI (part II)
Alexander Popov [Sun, 13 Aug 2023 16:54:42 +0000 (19:54 +0300)]
Fix syntax to run on the Woodpecker 1.0.0 CI (part II)

15 months ago Fix syntax to run on the Woodpecker 1.0.0 CI
Alexander Popov [Sun, 13 Aug 2023 16:50:42 +0000 (19:50 +0300)]
Fix syntax to run on the Woodpecker 1.0.0 CI

15 months ago Report that --print and --generate can't be used together
Alexander Popov [Sun, 13 Aug 2023 16:49:08 +0000 (19:49 +0300)]
Report that --print and --generate can't be used together

15 months ago Enable sysctl checking
Alexander Popov [Sun, 13 Aug 2023 16:28:05 +0000 (19:28 +0300)]
Enable sysctl checking

Refers to #65

16 months ago Check the kernel.unprivileged_bpf_disabled sysctl
Alexander Popov [Sun, 23 Jul 2023 21:24:36 +0000 (00:24 +0300)]
Check the kernel.unprivileged_bpf_disabled sysctl

16 months ago Check the dev.tty.ldisc_autoload sysctl
Alexander Popov [Sun, 23 Jul 2023 21:24:06 +0000 (00:24 +0300)]
Check the dev.tty.ldisc_autoload sysctl

16 months ago Check the user.max_user_namespaces sysctl
Alexander Popov [Sun, 23 Jul 2023 21:23:38 +0000 (00:23 +0300)]
Check the user.max_user_namespaces sysctl

16 months ago Check the kernel.kexec_load_disabled sysctl
Alexander Popov [Sun, 23 Jul 2023 21:18:49 +0000 (00:18 +0300)]
Check the kernel.kexec_load_disabled sysctl

16 months ago Check the kernel.perf_event_paranoid sysctl
Alexander Popov [Sun, 23 Jul 2023 21:17:44 +0000 (00:17 +0300)]
Check the kernel.perf_event_paranoid sysctl

16 months ago Check the kernel.dmesg_restrict sysctl
Alexander Popov [Sun, 23 Jul 2023 21:15:57 +0000 (00:15 +0300)]
Check the kernel.dmesg_restrict sysctl

16 months ago Check the net.core.bpf_jit_harden sysctl
Alexander Popov [Sun, 23 Jul 2023 21:14:45 +0000 (00:14 +0300)]
Check the net.core.bpf_jit_harden sysctl

16 months ago test_engine: use SysctlCheck in test_value_overriding()
Alexander Popov [Sun, 23 Jul 2023 17:09:05 +0000 (20:09 +0300)]
test_engine: use SysctlCheck in test_value_overriding()

16 months ago test_engine: use SysctlCheck in test_stdout()
Alexander Popov [Sun, 23 Jul 2023 16:57:28 +0000 (19:57 +0300)]
test_engine: use SysctlCheck in test_stdout()

16 months ago test_engine: implement test_simple_sysctl()
Alexander Popov [Sun, 23 Jul 2023 16:48:15 +0000 (19:48 +0300)]
test_engine: implement test_simple_sysctl()

16 months ago test_engine: support SysctlCheck
Alexander Popov [Sun, 23 Jul 2023 16:02:27 +0000 (19:02 +0300)]
test_engine: support SysctlCheck

16 months ago Refactor populate_opt_with_data()
Alexander Popov [Sat, 22 Jul 2023 21:44:17 +0000 (00:44 +0300)]
Refactor populate_opt_with_data()

Much better code, no functional changes

16 months ago Mute warnings in the JSON mode and improve wording
Alexander Popov [Sun, 16 Jul 2023 21:15:47 +0000 (00:15 +0300)]
Mute warnings in the JSON mode and improve wording

16 months ago Implement parse_sysctl_file()
Alexander Popov [Sun, 16 Jul 2023 21:06:11 +0000 (00:06 +0300)]
Implement parse_sysctl_file()

Refers to #65

16 months ago Drop an obsolete error handling test
Alexander Popov [Sat, 15 Jul 2023 23:08:58 +0000 (02:08 +0300)]
Drop an obsolete error handling test

16 months ago Fix the bug in the functional tests
Alexander Popov [Sat, 15 Jul 2023 22:52:18 +0000 (01:52 +0300)]
Fix the bug in the functional tests

`man 1 sh` says about '-e':
```
The shell does not exit if the command that fails is part of the command list
immediately following a while or until keyword, part of the test following
the if or elif reserved words, part of any command executed in a && or || list
except the command following the final && or ||, any command in a pipeline
but the last, or if the command's return value is being inverted with !.
```

That's why testing error handling in the functional tests didn't check
the exit status at all :(

Let's fix that.
Example before the fix:
! coverage run -a --branch bin/kconfig-hardened-check -l /proc/cmdline
Example after the fix:
coverage run -a --branch bin/kconfig-hardened-check -l /proc/cmdline && exit 1
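
The `-e` behaviour described in this commit message, as an added example that is not code from the repository. The helper names `negative_test_status` and `report` are hypothetical, and `false`/`true` are constructed stand-ins for a tool invocation that the test expects to fail:

```shell
#!/bin/sh
# Added example: how `sh -e` treats the two negative-test styles from the
# commit message. "false" and "true" are constructed stand-ins for a tool
# invocation that the test expects to fail:
#   false = the tool rejects the bad input (correct behaviour)
#   true  = the tool wrongly accepts it (a regression the test must catch)

# negative_test_status STYLE CMD  (hypothetical helper, not from the repo)
# Runs a one-line negative test in a fresh `sh -e` and returns the exit
# status of that test script: 0 = test passed, non-zero = test failed.
negative_test_status() {
    nts_style=$1
    nts_cmd=$2
    case $nts_style in
        bang)     nts_body="! $nts_cmd" ;;           # style before the fix
        and_exit) nts_body="$nts_cmd && exit 1" ;;   # style after the fix
        *)        return 2 ;;
    esac
    # The trailing ":" stands for the remaining steps of the test script.
    sh -e -c "$nts_body; :"
}

# report STYLE CMD: print the verdict for one combination.
report() {
    if negative_test_status "$1" "$2"; then
        echo "style=$1 tool=$2 -> test script passes"
    else
        echo "style=$1 tool=$2 -> test script fails"
    fi
}

report bang     false   # tool fails as expected: the test passes
report bang     true    # regression: still passes, -e ignores the inverted status
report and_exit false   # tool fails as expected: the && list is exempt from -e
report and_exit true    # regression: `exit 1` runs and the test script fails
```

Only the last combination makes the test script fail, which is the one case a negative test exists to catch.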

16 months ago Emit WARNING for the cmdline options that exist multiple times
Alexander Popov [Sat, 15 Jul 2023 22:45:44 +0000 (01:45 +0300)]
Emit WARNING for the cmdline options that exist multiple times

Don't emit ERROR here. Even GitHub Actions machines have repeated options
in /proc/cmdline.

Also see the comment in cmdline parsing for x86:
https://elixir.bootlin.com/linux/v5.16.7/source/arch/x86/boot/cmdline.c#L21
```
In accordance with standard Linux practice, if this option is repeated,
this returns the last instance on the command line.
```

16 months ago Precise the Kconfig parsing
Alexander Popov [Sat, 15 Jul 2023 19:58:17 +0000 (22:58 +0300)]
Precise the Kconfig parsing

16 months ago Get rid of useless regular expressions in detect_compiler()
Alexander Popov [Wed, 12 Jul 2023 16:41:09 +0000 (19:41 +0300)]
Get rid of useless regular expressions in detect_compiler()

16 months ago Precise the regular expressions in detect_arch() and detect_kernel_version()
Alexander Popov [Wed, 12 Jul 2023 16:29:19 +0000 (19:29 +0300)]
Precise the regular expressions in detect_arch() and detect_kernel_version()

And fix the wording in the error message by the way.

16 months ago Show error if some cmdline option exists multiple times
Alexander Popov [Wed, 12 Jul 2023 08:11:27 +0000 (11:11 +0300)]
Show error if some cmdline option exists multiple times

16 months ago Add the basic infrastructure for checking sysctl
Alexander Popov [Sat, 8 Jul 2023 21:18:28 +0000 (00:18 +0300)]
Add the basic infrastructure for checking sysctl

Refers to #65

16 months ago Introduce the SysctlCheck class
Alexander Popov [Sat, 8 Jul 2023 20:40:49 +0000 (23:40 +0300)]
Introduce the SysctlCheck class

Refers to #65

16 months ago Check disabling XFS_SUPPORT_V4 for cutting attack surface
Alexander Popov [Tue, 4 Jul 2023 11:20:20 +0000 (14:20 +0300)]
Check disabling XFS_SUPPORT_V4 for cutting attack surface

The XFS V4 format is deprecated:
https://elixir.bootlin.com/linux/v6.3.11/source/fs/xfs/Kconfig#L25

Quote:
The V4 filesystem format lacks certain features that are supported
by the V5 format, such as metadata checksumming, strengthened
metadata verification, and the ability to store timestamps past the
year 2038. Because of this, the V4 format is deprecated. All users
should upgrade by backing up their files, reformatting, and restoring
from the backup... To close off an attack surface, say N.

16 months ago Print the microarchitecture in --generate mode
Alexander Popov [Sun, 2 Jul 2023 19:55:36 +0000 (22:55 +0300)]
Print the microarchitecture in --generate mode

The Kconfig fragment should describe the microarchitecture to avoid mistakes.

17 months ago Update the README
Alexander Popov [Sun, 25 Jun 2023 08:51:26 +0000 (11:51 +0300)]
Update the README

17 months ago Add the info about /proc/cmdline to the usage help
Alexander Popov [Sun, 25 Jun 2023 08:51:02 +0000 (11:51 +0300)]
Add the info about /proc/cmdline to the usage help

I tested CONFIG_CMDLINE and CONFIG_BOOT_CONFIG mechanisms.
They allow passing additional boot parameters for the Linux kernel.

I see that all boot parameters are collected in /proc/cmdline.

So /proc/cmdline is the only information source that we should check to
analyze the Linux kernel boot parameters.

17 months ago setup: fix "The license_file parameter is deprecated"
Alexander Popov [Sun, 18 Jun 2023 23:07:13 +0000 (02:07 +0300)]
setup: fix "The license_file parameter is deprecated"

Use 'license_files' instead.

17 months ago setup: Don't use the automatic "find_namespace:" discovery
Alexander Popov [Sun, 18 Jun 2023 22:11:20 +0000 (01:11 +0300)]
setup: Don't use the automatic "find_namespace:" discovery

This automatic discovery doesn't fit the flat layout of my package
(without the "src" directory).

Instead, let's specify the "packages" explicitly in setup.cfg.

17 months ago setup: Fix the warning "Package would be ignored"
Alexander Popov [Sun, 18 Jun 2023 21:42:53 +0000 (00:42 +0300)]
setup: Fix the warning "Package would be ignored"

The warning:
  ############################
  # Package would be ignored #
  ############################
  Python recognizes 'kconfig_hardened_check.config_files.distros' as an importable package,
  but it is not listed in the `packages` configuration of setuptools.

  'kconfig_hardened_check.config_files.distros' has been automatically added to the distribution only
  because it may contain data files, but this behavior is likely to change
  in future versions of setuptools (and therefore is considered deprecated).

  Please make sure that 'kconfig_hardened_check.config_files.distros' is included as a package by using
  the `packages` configuration field or the proper discovery methods
  (for example by using `find_namespace_packages(...)`/`find_namespace:`
  instead of `find_packages(...)`/`find:`).

So let's use "find_namespace:" for package directory to include
the package data. More info in the documentation:
https://setuptools.pypa.io/en/latest/userguide/package_discovery.html#finding-namespace-packages

17 months ago setup: Drop obsolete zip_safe flag
Alexander Popov [Sun, 18 Jun 2023 21:35:10 +0000 (00:35 +0300)]
setup: Drop obsolete zip_safe flag

More info in the documentation:
https://setuptools.pypa.io/en/latest/deprecated/zip_safe.html

And fix style by the way.

17 months ago Move the draft of the security hardening sysctls to a proper place
Alexander Popov [Sat, 17 Jun 2023 17:15:06 +0000 (20:15 +0300)]
Move the draft of the security hardening sysctls to a proper place

Refers to #65

17 months ago Improve normalize_cmdline_options()
Alexander Popov [Sat, 17 Jun 2023 15:58:05 +0000 (18:58 +0300)]
Improve normalize_cmdline_options()

17 months ago GitHub Actions: decrease the max-parallel to 1 to avoid the codecov rate limit
Alexander Popov [Mon, 12 Jun 2023 15:28:42 +0000 (18:28 +0300)]
GitHub Actions: decrease the max-parallel to 1 to avoid the codecov rate limit

17 months ago Add functional tests for --generate
Alexander Popov [Mon, 12 Jun 2023 14:59:50 +0000 (17:59 +0300)]
Add functional tests for --generate

Refers to #67.

17 months ago Update the README
Alexander Popov [Mon, 12 Jun 2023 14:46:25 +0000 (17:46 +0300)]
Update the README

Refers to #67.

17 months ago Add a new feature --generate
Alexander Popov [Mon, 12 Jun 2023 14:40:50 +0000 (17:40 +0300)]
Add a new feature --generate

With this argument the tool generates a Kconfig fragment with the security
hardening options for the selected microarchitecture.

Refers to #67.

This Kconfig fragment can be merged with the existing Linux kernel config:

```
$ ./bin/kconfig-hardened-check -g X86_64 > /tmp/fragment
$ cd ~/linux-src/
$ ./scripts/kconfig/merge_config.sh .config /tmp/fragment
Using .config as base
Merging /tmp/fragment
Value of CONFIG_BUG_ON_DATA_CORRUPTION is redefined by fragment /tmp/fragment:
Previous value: # CONFIG_BUG_ON_DATA_CORRUPTION is not set
New value: CONFIG_BUG_ON_DATA_CORRUPTION=y
...
```

17 months ago Refactoring of the argument parsing
Alexander Popov [Mon, 12 Jun 2023 13:50:54 +0000 (16:50 +0300)]
Refactoring of the argument parsing

17 months ago Improve the comments and README (part II)
Alexander Popov [Mon, 12 Jun 2023 13:26:12 +0000 (16:26 +0300)]
Improve the comments and README (part II)

17 months ago Skip normalize_cmdline_options() for the vdso32 and vdso cmdline parameters
Alexander Popov [Mon, 12 Jun 2023 12:55:41 +0000 (15:55 +0300)]
Skip normalize_cmdline_options() for the vdso32 and vdso cmdline parameters

See vdso32_setup() in arch/x86/entry/vdso/vdso32-setup.c

17 months ago Skip normalize_cmdline_options() for the vsyscall cmdline parameter
Alexander Popov [Mon, 12 Jun 2023 12:45:56 +0000 (15:45 +0300)]
Skip normalize_cmdline_options() for the vsyscall cmdline parameter

See vsyscall_setup() in arch/x86/entry/vsyscall/vsyscall_64.c

17 months ago Skip normalize_cmdline_options() for the iommu cmdline parameter
Alexander Popov [Mon, 12 Jun 2023 12:43:05 +0000 (15:43 +0300)]
Skip normalize_cmdline_options() for the iommu cmdline parameter

See iommu_setup() in arch/x86/kernel/pci-dma.c

17 months ago Skip normalize_cmdline_options() for the slub_debug cmdline parameter
Alexander Popov [Mon, 12 Jun 2023 12:00:32 +0000 (15:00 +0300)]
Skip normalize_cmdline_options() for the slub_debug cmdline parameter

See setup_slub_debug() in mm/slub.c

17 months ago Improve the comments and README
Alexander Popov [Mon, 12 Jun 2023 11:37:42 +0000 (14:37 +0300)]
Improve the comments and README

17 months ago Skip normalize_cmdline_options() for the rodata cmdline parameter
Alexander Popov [Mon, 5 Jun 2023 20:48:34 +0000 (23:48 +0300)]
Skip normalize_cmdline_options() for the rodata cmdline parameter

Also fix the rodata check (change '1' to 'on').

See set_debug_rodata() in init/main.c.

17 months ago Skip normalize_cmdline_options() for the ssbd cmdline parameter
Alexander Popov [Mon, 5 Jun 2023 20:44:42 +0000 (23:44 +0300)]
Skip normalize_cmdline_options() for the ssbd cmdline parameter

See parse_spectre_v4_param() in arch/arm64/kernel/proton-pack.c

17 months ago Add a comment about cfi boot parameter
Alexander Popov [Sun, 28 May 2023 23:07:50 +0000 (02:07 +0300)]
Add a comment about cfi boot parameter

17 months ago Add the X86_KERNEL_IBT check
Alexander Popov [Sun, 28 May 2023 22:56:14 +0000 (01:56 +0300)]
Add the X86_KERNEL_IBT check

Now it's enabled by default for X86_64.

17 months ago Add a comment about `kernel.oops_limit` and `kernel.warn_limit` sysctls
Alexander Popov [Sun, 28 May 2023 22:16:12 +0000 (01:16 +0300)]
Add a comment about `kernel.oops_limit` and `kernel.warn_limit` sysctls

17 months ago Add a comment about `kernel.unprivileged_userns_clone` sysctl in Debian
Alexander Popov [Sat, 27 May 2023 07:05:10 +0000 (10:05 +0300)]
Add a comment about `kernel.unprivileged_userns_clone` sysctl in Debian

17 months ago Add the comments about HARDENED_USERCOPY features
Alexander Popov [Sat, 27 May 2023 05:50:35 +0000 (08:50 +0300)]
Add the comments about HARDENED_USERCOPY features

18 months ago Fix CI output style and move `pip install coverage` to the proper place
Alexander Popov [Tue, 9 May 2023 22:18:14 +0000 (01:18 +0300)]
Fix CI output style and move `pip install coverage` to the proper place

18 months ago Use .github/workflows/functional_test.sh in GitHub Actions (like in Woodpecker-CI)
Alexander Popov [Mon, 8 May 2023 19:02:23 +0000 (22:02 +0300)]
Use .github/workflows/functional_test.sh in GitHub Actions (like in Woodpecker-CI)

Now functional_test.sh is a common script used both in GitHub Actions
and Woodpecker-CI.

And also test the forgotten .gz kernel config.

18 months ago Run the functional tests and collect the coverage in Woodpecker-CI
Alexander Popov [Mon, 8 May 2023 17:33:44 +0000 (20:33 +0300)]
Run the functional tests and collect the coverage in Woodpecker-CI

18 months ago Check all configs with the installed tool the functional test in Woodpecker-CI
Alexander Popov [Mon, 8 May 2023 17:01:54 +0000 (20:01 +0300)]
Check all configs with the installed tool the functional test in Woodpecker-CI

18 months ago Test the package installation in the functional test in Woodpecker-CI
Alexander Popov [Mon, 8 May 2023 12:27:18 +0000 (15:27 +0300)]
Test the package installation in the functional test in Woodpecker-CI

18 months ago Run the engine unit-test in Woodpecker-CI
Alexander Popov [Sun, 7 May 2023 21:21:58 +0000 (00:21 +0300)]
Run the engine unit-test in Woodpecker-CI

18 months ago Create multiple pipelines for Woodpecker-CI at Codeberg
Alexander Popov [Sun, 7 May 2023 18:02:01 +0000 (21:02 +0300)]
Create multiple pipelines for Woodpecker-CI at Codeberg

18 months ago Create a configuration template for Codeberg CI (.woodpecker.yml)
Alexander Popov [Sun, 7 May 2023 17:28:45 +0000 (20:28 +0300)]
Create a configuration template for Codeberg CI (.woodpecker.yml)

18 months ago Add the checks for vdso32 and vdso on X86_64 and X86_32
Alexander Popov [Mon, 1 May 2023 18:24:09 +0000 (21:24 +0300)]
Add the checks for vdso32 and vdso on X86_64 and X86_32

We need to check them because these kernel cmdline parameters can
override the COMPAT_VDSO kconfig option.

18 months ago Improve the COMPAT_VDSO check
Alexander Popov [Sun, 30 Apr 2023 22:16:03 +0000 (01:16 +0300)]
Improve the COMPAT_VDSO check

CONFIG_COMPAT_VDSO disabled ASLR of vDSO only on X86_64 and X86_32.
On ARM64 this option has a different meaning (see the mainline commit
7c4791c9efca8c105a86022f7d5532aeaa819125).

Thanks to @izh1979 for the idea

18 months ago Improve the vsyscall checks
Alexander Popov [Sun, 30 Apr 2023 20:36:55 +0000 (23:36 +0300)]
Improve the vsyscall checks

Disabling X86_VSYSCALL_EMULATION turns vsyscall off completely, and
LEGACY_VSYSCALL_NONE can be changed at boot time via the cmdline parameter.

Thanks to @izh1979 for the idea

18 months ago Add the comment about kernel.sysrq=0
Alexander Popov [Sun, 30 Apr 2023 19:51:08 +0000 (22:51 +0300)]
Add the comment about kernel.sysrq=0

19 months ago Make hackish refinement of the CONFIG_ARCH_MMAP_RND_BITS check
Alexander Popov [Sat, 22 Apr 2023 23:00:31 +0000 (02:00 +0300)]
Make hackish refinement of the CONFIG_ARCH_MMAP_RND_BITS check

Use new override_expected_value() for that.

This is needed to avoid wrong recommendations for ARM64 and ARM, where
CONFIG_ARCH_MMAP_RND_BITS_MAX depends on the paging configuration.

19 months ago test_engine: add test_value_overriding()
Alexander Popov [Sat, 22 Apr 2023 22:42:59 +0000 (01:42 +0300)]
test_engine: add test_value_overriding()

19 months ago engine: implement override_expected_value()
Alexander Popov [Sat, 22 Apr 2023 22:23:38 +0000 (01:23 +0300)]
engine: implement override_expected_value()

19 months ago Require one of major LSMs implementing MAC
Alexander Popov [Sat, 22 Apr 2023 15:51:26 +0000 (18:51 +0300)]
Require one of major LSMs implementing MAC

SELinux, Smack, Tomoyo, and AppArmor implement Mandatory Access Control (MAC).

Thanks to @izh1979 for the idea

19 months ago Add the norandmaps check
Alexander Popov [Sat, 22 Apr 2023 15:03:15 +0000 (18:03 +0300)]
Add the norandmaps check

Thanks to @izh1979 for the idea

19 months ago Check that CoreSight Tracing Support is disabled (to cut attack surface)
Alexander Popov [Sat, 22 Apr 2023 14:50:25 +0000 (17:50 +0300)]
Check that CoreSight Tracing Support is disabled (to cut attack surface)

The CONFIG_CORESIGHT framework provides a kernel interface for the
CoreSight debug and trace drivers for ARM/ARM64. It's better to have it
disabled to cut attack surface.