From b6ee2f57efa850213540ed0173e5eab2442a6e60 Mon Sep 17 00:00:00 2001 From: Alexander Popov Date: Thu, 21 Jun 2018 00:09:12 +0300 Subject: [PATCH] Disable only CONFIG_USER_NS, not whole CONFIG_NAMESPACES Thanks to @Bernhard40 for the correction Signed-off-by: Alexander Popov --- README.md | 2 +- kconfig-hardened-check.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 8c1af9b..b87801e 100644
--- a/README.md
+++ b/README.md
@@ -95,7 +95,7 @@ Usage: ./kconfig-hardened-check.py [-p | -c ]
 CONFIG_MODIFY_LDT_SYSCALL | is not set | kspp | cut_attack_surface || FAIL: "y"
 CONFIG_KEXEC_FILE | is not set | my | cut_attack_surface || FAIL: "y"
 CONFIG_LIVEPATCH | is not set | my | cut_attack_surface || FAIL: "y"
- CONFIG_NAMESPACES | is not set | my | cut_attack_surface || FAIL: "y"
+ CONFIG_USER_NS | is not set | my | cut_attack_surface || FAIL: "y"
 CONFIG_IP_DCCP | is not set | my | cut_attack_surface || FAIL: "m"
 CONFIG_FTRACE | is not set | my | cut_attack_surface || FAIL: "y"
 CONFIG_KPROBES | is not set | my | cut_attack_surface || FAIL: "y"
diff --git a/kconfig-hardened-check.py b/kconfig-hardened-check.py
index a3612dc..a63df18 100755
--- a/kconfig-hardened-check.py
+++ b/kconfig-hardened-check.py
@@ -94,7 +94,7 @@ def construct_opt_list():
 opt_list.append([Opt('MODIFY_LDT_SYSCALL', 'is not set', 'kspp', 'cut_attack_surface'), ''])
 opt_list.append([Opt('KEXEC_FILE', 'is not set', 'my', 'cut_attack_surface'), ''])
 opt_list.append([Opt('LIVEPATCH', 'is not set', 'my', 'cut_attack_surface'), ''])
- opt_list.append([Opt('NAMESPACES', 'is not set', 'my', 'cut_attack_surface'), '']) # user.max_user_namespaces=0
+ opt_list.append([Opt('USER_NS', 'is not set', 'my', 'cut_attack_surface'), '']) # user.max_user_namespaces=0
 opt_list.append([Opt('IP_DCCP', 'is not set', 'my', 'cut_attack_surface'), ''])
 opt_list.append([Opt('FTRACE', 'is not set', 'my', 'cut_attack_surface'), ''])
 opt_list.append([Opt('KPROBES', 'is not set', 'my', 'cut_attack_surface'), ''])
-- 2.31.1
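Review bot: The trailing comment on the new `USER_NS` line, `# user.max_user_namespaces=0`, does not say how the sysctl relates to the check, so a reader cannot tell whether it is a required companion setting or an alternative. I would spell it out, for example `# user namespaces widen the kernel attack surface; if USER_NS must stay enabled, sysctl user.max_user_namespaces=0 is the runtime alternative`. The script appears to inspect only the kconfig file, so a system that keeps `CONFIG_USER_NS=y` but sets the sysctl would presumably still report FAIL on this line, and the comment is the natural place to say so. construct_opt_list starts and ends outside this hunk.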