From 2dd3074016dc9e370faeae6fdaab529eb3373226 Mon Sep 17 00:00:00 2001 From: Alexander Popov Date: Tue, 17 Mar 2020 20:41:26 +0300 Subject: [PATCH] SECURITY_LOCKDOWN_LSM is recommended by CLIP OS --- kconfig-hardened-check.py | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/kconfig-hardened-check.py b/kconfig-hardened-check.py index dd7b30e..c7eab1b 100755 --- a/kconfig-hardened-check.py +++ b/kconfig-hardened-check.py @@ -14,7 +14,6 @@ # slub_debug=FZP # slab_nomerge # kernel.kptr_restrict=1 -# lockdown=1 (is it changed?) # page_alloc.shuffle=1 # iommu=force (does it help against DMA attacks?) # page_poison=1 (if enabled) @@ -347,13 +346,13 @@ def construct_checklist(checklist, arch): if arch == 'ARM': checklist.append(OptCheck('SECURITY', 'y', 'kspp', 'security_policy')) # and choose your favourite LSM checklist.append(OptCheck('SECURITY_YAMA', 'y', 'kspp', 'security_policy')) + checklist.append(OptCheck('SECURITY_LOCKDOWN_LSM', 'y', 'clipos', 'security_policy')) + checklist.append(OptCheck('SECURITY_LOCKDOWN_LSM_EARLY', 'y', 'clipos', 'security_policy')) + checklist.append(OptCheck('LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY', 'y', 'clipos', 'security_policy')) loadpin_is_set = OptCheck('SECURITY_LOADPIN', 'y', 'my', 'security_policy') # needs userspace support checklist.append(loadpin_is_set) checklist.append(AND(OptCheck('SECURITY_LOADPIN_ENFORCE', 'y', 'my', 'security_policy'), \ loadpin_is_set)) - checklist.append(OptCheck('SECURITY_LOCKDOWN_LSM', 'y', 'my', 'security_policy')) - checklist.append(OptCheck('SECURITY_LOCKDOWN_LSM_EARLY', 'y', 'my', 'security_policy')) - checklist.append(OptCheck('LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY', 'y', 'my', 'security_policy')) checklist.append(OptCheck('SECURITY_SAFESETID', 'y', 'my', 'security_policy')) checklist.append(OptCheck('SECURITY_WRITABLE_HOOKS', 'is not set', 'my', 'security_policy')) -- 2.31.1