From 4444a0b7ca1413eaf99b0f8023e0e4f805724e7e Mon Sep 17 00:00:00 2001 From: Alexander Popov Date: Fri, 22 Apr 2022 12:34:49 +0300 Subject: [PATCH] Separate out checking SECURITY_WRITABLE_HOOKS and SECURITY_SELINUX_DISABLE Thanks to @izh1979 for the idea. Combining these checks with OR is not correct. --- kconfig_hardened_check/__init__.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py index 07b467e..e3488fd 100644 --- a/kconfig_hardened_check/__init__.py +++ b/kconfig_hardened_check/__init__.py @@ -493,11 +493,11 @@ def add_kconfig_checks(l, arch): if arch == 'ARM': l += [KconfigCheck('security_policy', 'kspp', 'SECURITY', 'y')] # and choose your favourite LSM l += [KconfigCheck('security_policy', 'kspp', 'SECURITY_YAMA', 'y')] - l += [OR(KconfigCheck('security_policy', 'my', 'SECURITY_WRITABLE_HOOKS', 'is not set'), - KconfigCheck('security_policy', 'kspp', 'SECURITY_SELINUX_DISABLE', 'is not set'))] + l += [KconfigCheck('security_policy', 'kspp', 'SECURITY_SELINUX_DISABLE', 'is not set')] l += [KconfigCheck('security_policy', 'clipos', 'SECURITY_LOCKDOWN_LSM', 'y')] l += [KconfigCheck('security_policy', 'clipos', 'SECURITY_LOCKDOWN_LSM_EARLY', 'y')] l += [KconfigCheck('security_policy', 'clipos', 'LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY', 'y')] + l += [KconfigCheck('security_policy', 'my', 'SECURITY_WRITABLE_HOOKS', 'is not set')] # refers to SECURITY_SELINUX_DISABLE l += [KconfigCheck('security_policy', 'my', 'SECURITY_SAFESETID', 'y')] loadpin_is_set = KconfigCheck('security_policy', 'my', 'SECURITY_LOADPIN', 'y') l += [loadpin_is_set] # needs userspace support -- 2.31.1