From f83356945fc9155a429afe7c2519347b2bb07073 Mon Sep 17 00:00:00 2001 From: Alexander Popov Date: Mon, 3 Jun 2019 20:19:02 +0300 Subject: [PATCH] Add arch-independent CLIP OS recommendations for kernel self-protection Refers to the issue #19 by @HacKurx --- kconfig-hardened-check.py | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/kconfig-hardened-check.py b/kconfig-hardened-check.py index 4c53b15..bee2953 100755 --- a/kconfig-hardened-check.py +++ b/kconfig-hardened-check.py @@ -204,7 +204,8 @@ def construct_checklist(arch): checklist.append(OptCheck('SLAB_FREELIST_RANDOM', 'y', 'kspp', 'self_protection')) checklist.append(OptCheck('FORTIFY_SOURCE', 'y', 'kspp', 'self_protection')) checklist.append(OptCheck('GCC_PLUGINS', 'y', 'kspp', 'self_protection')) - checklist.append(OptCheck('GCC_PLUGIN_RANDSTRUCT', 'y', 'kspp', 'self_protection')) + randstruct_is_set = OptCheck('GCC_PLUGIN_RANDSTRUCT', 'y', 'kspp', 'self_protection') + checklist.append(randstruct_is_set) checklist.append(OptCheck('GCC_PLUGIN_STRUCTLEAK', 'y', 'kspp', 'self_protection')) checklist.append(OptCheck('GCC_PLUGIN_STRUCTLEAK_BYREF_ALL', 'y', 'kspp', 'self_protection')) checklist.append(OptCheck('GCC_PLUGIN_LATENT_ENTROPY', 'y', 'kspp', 'self_protection')) @@ -239,6 +240,10 @@ def construct_checklist(arch): checklist.append(OptCheck('SYN_COOKIES', 'y', 'kspp', 'self_protection')) # another reason? checklist.append(OptCheck('DEFAULT_MMAP_MIN_ADDR', '32768', 'kspp', 'self_protection')) + checklist.append(OptCheck('DEBUG_VIRTUAL', 'y', 'clipos', 'self_protection')) + checklist.append(AND(OptCheck('GCC_PLUGIN_RANDSTRUCT_PERFORMANCE', 'is not set', 'clipos', 'self_protection'), \ + randstruct_is_set)) + if debug_mode or arch == 'X86_64' or arch == 'ARM64' or arch == 'X86_32': stackleak_is_set = OptCheck('GCC_PLUGIN_STACKLEAK', 'y', 'my', 'self_protection') checklist.append(stackleak_is_set) -- 2.31.1