From 24c1a906d96f77202837e90d4b1f9f5d9933e1b9 Mon Sep 17 00:00:00 2001 From: Alexander Popov Date: Sat, 9 Nov 2024 20:43:57 +0300 Subject: [PATCH] Check either CONFIG_LIST_HARDENED or CONFIG_DEBUG_LIST Refers to #166. Thanks to @thestinger. --- kernel_hardening_checker/checks.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py index 4a4f981..0235d37 100755 --- a/kernel_hardening_checker/checks.py +++ b/kernel_hardening_checker/checks.py @@ -140,7 +140,6 @@ def add_kconfig_checks(l: List[ChecklistObjType], arch: str) -> None: l += [KconfigCheck('self_protection', 'defconfig', 'DEBUG_ALIGN_RODATA', 'y')] # 'self_protection', 'kspp' - l += [KconfigCheck('self_protection', 'kspp', 'LIST_HARDENED', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'RANDOM_KMALLOC_CACHES', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'SLAB_MERGE_DEFAULT', 'is not set')] l += [KconfigCheck('self_protection', 'kspp', 'BUG_ON_DATA_CORRUPTION', 'y')] @@ -148,7 +147,6 @@ def add_kconfig_checks(l: List[ChecklistObjType], arch: str) -> None: l += [KconfigCheck('self_protection', 'kspp', 'SLAB_FREELIST_RANDOM', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'SHUFFLE_PAGE_ALLOCATOR', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'FORTIFY_SOURCE', 'y')] - l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_LIST', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_VIRTUAL', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_SG', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'INIT_ON_ALLOC_DEFAULT_ON', 'y')] @@ -157,6 +155,8 @@ def add_kconfig_checks(l: List[ChecklistObjType], arch: str) -> None: l += [KconfigCheck('self_protection', 'kspp', 'SECURITY_LOCKDOWN_LSM', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'SECURITY_LOCKDOWN_LSM_EARLY', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY', 'y')] + l += [OR(KconfigCheck('self_protection', 'kspp', 'LIST_HARDENED', 'y'), + KconfigCheck('self_protection', 'kspp', 'DEBUG_LIST', 'y'))] cfi_clang_is_set = KconfigCheck('self_protection', 'kspp', 'CFI_CLANG', 'y') cfi_clang_permissive_not_set = KconfigCheck('self_protection', 'kspp', 'CFI_PERMISSIVE', 'is not set') l += [OR(KconfigCheck('self_protection', 'kspp', 'DEBUG_CREDENTIALS', 'y'), -- 2.31.1