From 9bbea5b5bad45aac84aadf83536e31f9bd5e395e Mon Sep 17 00:00:00 2001
From: Alexander Popov
Date: Sun, 23 Apr 2023 02:00:31 +0300
Subject: [PATCH] Make hackish refinement of the CONFIG_ARCH_MMAP_RND_BITS check

Use new override_expected_value() for that. This is needed to avoid wrong recommendations for ARM64 and ARM, where CONFIG_ARCH_MMAP_RND_BITS_MAX depends on the paging configuration.
---
 kconfig_hardened_check/__init__.py | 7 ++++++-
 kconfig_hardened_check/checks.py | 6 ++----
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py
index 4aa0347..cdb0828 100644
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -20,7 +20,7 @@ import re
 import json
 from .__about__ import __version__
 from .checks import add_kconfig_checks, add_cmdline_checks, normalize_cmdline_options
-from .engine import populate_with_data, perform_checks
+from .engine import populate_with_data, perform_checks, override_expected_value


 def _open(file: str, *args, **kwargs):
@@ -277,6 +277,11 @@ def main():
 parse_cmdline_file(parsed_cmdline_options, args.cmdline)
 populate_with_data(config_checklist, parsed_cmdline_options, 'cmdline')

+ # hackish refinement of the CONFIG_ARCH_MMAP_RND_BITS check
+ mmap_rnd_bits_max = parsed_kconfig_options.get('CONFIG_ARCH_MMAP_RND_BITS_MAX', None)
+ if mmap_rnd_bits_max:
+ override_expected_value(config_checklist, 'CONFIG_ARCH_MMAP_RND_BITS', mmap_rnd_bits_max)
+
 # now everything is ready, perform the checks
 perform_checks(config_checklist)

diff --git a/kconfig_hardened_check/checks.py b/kconfig_hardened_check/checks.py
index b24b9f8..850edd2 100644
--- a/kconfig_hardened_check/checks.py
+++ b/kconfig_hardened_check/checks.py
@@ -34,6 +34,7 @@ This module contains knowledge for checks.
 # kernel.randomize_va_space=2
 # nosmt sysfs control file
 # dev.tty.legacy_tiocsti=0
+# vm.mmap_rnd_bits=max (?)
 #
 # Think of these boot params:
 # module.sig_enforce=1
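Review bot: In the main() hunk of `__init__.py`, a kconfig that lacks `CONFIG_ARCH_MMAP_RND_BITS_MAX` skips the `if mmap_rnd_bits_max:` branch, so the `ARCH_MMAP_RND_BITS` check keeps the placeholder `'MAX'` from checks.py as its expected value and presumably can never match a numeric setting. That turns a missing option into a failed ASLR-entropy check whose report shows a placeholder instead of a number, which is hard to act on. I would document the fallback next to the lookup, e.g. `# without CONFIG_ARCH_MMAP_RND_BITS_MAX the check keeps the 'MAX' placeholder and is reported as failed`, and drop the redundant default: `parsed_kconfig_options.get('CONFIG_ARCH_MMAP_RND_BITS_MAX')`. main() starts and ends outside the hunk, so whether `parsed_kconfig_options` is bound on every path that reaches these lines cannot be confirmed from here.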
@@ -404,10 +405,7 @@ def add_kconfig_checks(l, arch):
 l += [KconfigCheck('harden_userspace', 'defconfig', 'ARM64_BTI', 'y')]
 if arch in ('ARM', 'X86_32'):
 l += [KconfigCheck('harden_userspace', 'defconfig', 'VMSPLIT_3G', 'y')]
- if arch in ('X86_64', 'ARM64'):
- l += [KconfigCheck('harden_userspace', 'clipos', 'ARCH_MMAP_RND_BITS', '32')]
- if arch in ('X86_32', 'ARM'):
- l += [KconfigCheck('harden_userspace', 'my', 'ARCH_MMAP_RND_BITS', '16')]
+ l += [KconfigCheck('harden_userspace', 'my', 'ARCH_MMAP_RND_BITS', 'MAX')] # 'MAX' value is refined using ARCH_MMAP_RND_BITS_MAX


 def add_cmdline_checks(l, arch):
-- 2.31.1
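Review bot: With the single `'MAX'` check the result becomes relative to the kernel's own `ARCH_MMAP_RND_BITS_MAX`, so a pass no longer guarantees the fixed 32 or 16 bits of mmap randomization that the removed lines required; a paging configuration with a lower maximum passes with less entropy. The trailing comment should say so, for example `# 'MAX' is replaced in main() with CONFIG_ARCH_MMAP_RND_BITS_MAX; a pass means the kernel's own maximum, not a fixed bit count`. The decision label for X86_64 and ARM64 also changes from `'clipos'` to `'my'`, which the commit message does not mention. add_kconfig_checks() starts outside the hunk.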