From 22728555223c98630180c2f642cc7e369424bd8a Mon Sep 17 00:00:00 2001
From: Alexander Popov
Date: Mon, 1 May 2023 01:16:03 +0300
Subject: [PATCH] Improve the COMPAT_VDSO check

CONFIG_COMPAT_VDSO disabled ASLR of vDSO only on X86_64 and X86_32. On ARM64 this option has different meaning (see the mainline commit 7c4791c9efca8c105a86022f7d5532aeaa819125).

Thanks to @izh1979 for the idea
---
 kconfig_hardened_check/checks.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/kconfig_hardened_check/checks.py b/kconfig_hardened_check/checks.py
index cc71ef1..43a4c64 100644
--- a/kconfig_hardened_check/checks.py
+++ b/kconfig_hardened_check/checks.py
@@ -288,7 +288,6 @@ def add_kconfig_checks(l, arch):
     l += [KconfigCheck('cut_attack_surface', 'kspp', 'ACPI_CUSTOM_METHOD', 'is not set')] # refers to LOCKDOWN
     l += [KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT_BRK', 'is not set')]
     l += [KconfigCheck('cut_attack_surface', 'kspp', 'DEVKMEM', 'is not set')] # refers to LOCKDOWN
-    l += [KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT_VDSO', 'is not set')]
     l += [KconfigCheck('cut_attack_surface', 'kspp', 'BINFMT_MISC', 'is not set')]
     l += [KconfigCheck('cut_attack_surface', 'kspp', 'INET_DIAG', 'is not set')]
     l += [KconfigCheck('cut_attack_surface', 'kspp', 'KEXEC', 'is not set')] # refers to LOCKDOWN
@@ -308,6 +307,10 @@ def add_kconfig_checks(l, arch):
              devmem_not_set)] # refers to LOCKDOWN
     l += [AND(KconfigCheck('cut_attack_surface', 'kspp', 'LDISC_AUTOLOAD', 'is not set'),
               KconfigCheck('cut_attack_surface', 'kspp', 'LDISC_AUTOLOAD', 'is present'))]
+    if arch in ('X86_64', 'X86_32'):
+        l += [KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT_VDSO', 'is not set')]
+        # CONFIG_COMPAT_VDSO disabled ASLR of vDSO only on X86_64 and X86_32;
+        # on ARM64 this option has different meaning
     if arch == 'ARM':
         l += [OR(KconfigCheck('cut_attack_surface', 'kspp', 'STRICT_DEVMEM', 'y'),
                  devmem_not_set)] # refers to LOCKDOWN
-- 
2.31.1
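Review bot: The explanatory comment added in the second hunk sits after the `KconfigCheck` line it explains, inside the `if arch in ('X86_64', 'X86_32'):` body, and it drops the mainline reference that the commit message gives, so a reader of checks.py alone cannot see why ARM64 is excluded from the check. I would move the two lines above the `if` and write them as `# CONFIG_COMPAT_VDSO disables ASLR of the vDSO only on X86_64 and X86_32;` followed by `# on ARM64 this option has a different meaning (see mainline commit 7c4791c9efca8c105a86022f7d5532aeaa819125).` The tense matters: "disabled" reads as history, while the check is guarding against the option's current effect on x86. Note also that the check is now silently absent for every `arch` value other than the two x86 strings, which matches the description but means a misspelled or unexpected `arch` would drop the check with no report; how `arch` is validated is not visible in this hunk. `add_kconfig_checks` begins before the first hunk and continues past the last one.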