From 5c67369249f22690efe4c96c54ef6b0bd0496c13 Mon Sep 17 00:00:00 2001
From: Alexander Popov <alex.popov@linux.com>
Date: Fri, 10 Jan 2020 17:41:14 +0300
Subject: [PATCH] Take some ideas from NixOS/nixpkgs hardened kernel config

Add CONFIG_SECURITY_SAFESETID (y) and CONFIG_SECURITY_WRITABLE_HOOKS (n).

Refers to the pull request #27.
---
 README.md                 | 4 +++-
 kconfig-hardened-check.py | 2 ++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index b0074b6..c5fdfb1 100644
--- a/README.md
+++ b/README.md
@@ -115,11 +115,13 @@ CONFIG_PAGE_POISONING_NO_SANITY              | is not set  |    my    |  self_pr
 CONFIG_PAGE_POISONING_ZERO                   | is not set  |    my    |  self_protection   |   FAIL: CONFIG_PAGE_POISONING is needed
 CONFIG_AMD_IOMMU_V2                          |      y      |    my    |  self_protection   |   FAIL: "m"
 CONFIG_SECURITY                              |      y      |defconfig |  security_policy   |   OK
+CONFIG_SECURITY_WRITABLE_HOOKS               | is not set  |defconfig |  security_policy   |   OK
 CONFIG_SECURITY_YAMA                         |      y      |   kspp   |  security_policy   |   OK
 CONFIG_SECURITY_LOADPIN                      |      y      |    my    |  security_policy   |   FAIL: "is not set"
 CONFIG_SECURITY_LOCKDOWN_LSM                 |      y      |    my    |  security_policy   |   FAIL: not found
 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY           |      y      |    my    |  security_policy   |   FAIL: not found
 CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY|      y      |    my    |  security_policy   |   FAIL: not found
+CONFIG_SECURITY_SAFESETID                    |      y      |    my    |  security_policy   |   FAIL: not found
 CONFIG_SECCOMP                               |      y      |defconfig | cut_attack_surface |   OK
 CONFIG_SECCOMP_FILTER                        |      y      |defconfig | cut_attack_surface |   OK
 CONFIG_STRICT_DEVMEM                         |      y      |defconfig | cut_attack_surface |   OK
@@ -178,7 +180,7 @@ CONFIG_FTRACE                                | is not set  |    my    | cut_atta
 CONFIG_BPF_JIT                               | is not set  |    my    | cut_attack_surface |   FAIL: "y"
 CONFIG_ARCH_MMAP_RND_BITS                    |     32      |  clipos  |userspace_hardening |   FAIL: "28"
 
-[+] config check is finished: 'OK' - 48 / 'FAIL' - 75
+[+] config check is finished: 'OK' - 49 / 'FAIL' - 76
 ```
 
 ## kconfig-hardened-check versioning
diff --git a/kconfig-hardened-check.py b/kconfig-hardened-check.py
index f9f412e..2448717 100755
--- a/kconfig-hardened-check.py
+++ b/kconfig-hardened-check.py
@@ -301,11 +301,13 @@ def construct_checklist(checklist, arch):
         checklist.append(OptCheck('SECURITY',                               'y', 'defconfig', 'security_policy')) # and choose your favourite LSM
     if debug_mode or arch == 'ARM':
         checklist.append(OptCheck('SECURITY',                               'y', 'kspp', 'security_policy')) # and choose your favourite LSM
+    checklist.append(OptCheck('SECURITY_WRITABLE_HOOKS',                'is not set', 'defconfig', 'security_policy'))
     checklist.append(OptCheck('SECURITY_YAMA',                          'y', 'kspp', 'security_policy'))
     checklist.append(OptCheck('SECURITY_LOADPIN',                       'y', 'my', 'security_policy')) # needs userspace support
     checklist.append(OptCheck('SECURITY_LOCKDOWN_LSM',                  'y', 'my', 'security_policy'))
     checklist.append(OptCheck('SECURITY_LOCKDOWN_LSM_EARLY',            'y', 'my', 'security_policy'))
     checklist.append(OptCheck('LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY', 'y', 'my', 'security_policy'))
+    checklist.append(OptCheck('SECURITY_SAFESETID',                     'y', 'my', 'security_policy'))
 
     checklist.append(OptCheck('SECCOMP',              'y', 'defconfig', 'cut_attack_surface'))
     checklist.append(OptCheck('SECCOMP_FILTER',       'y', 'defconfig', 'cut_attack_surface'))
-- 
2.31.1