From d9aca2d28e9f95266bca2da09625d7d2c885a6b2 Mon Sep 17 00:00:00 2001 From: Alexander Popov Date: Wed, 13 Mar 2019 00:46:32 +0300 Subject: [PATCH] Don't hide AND check results if the requirements are not met Report them as FAIL. Thanks to @Bernhard40 for this nice idea. --- README.md | 4 +++- kconfig-hardened-check.py | 13 ++++++------- 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 87def68..97a8c86 100644 --- a/README.md +++ b/README.md @@ -95,6 +95,8 @@ optional arguments: CONFIG_SECURITY_LOADPIN | y | my | self_protection || FAIL: "is not set" CONFIG_RESET_ATTACK_MITIGATION | y | my | self_protection || OK CONFIG_SLAB_MERGE_DEFAULT | is not set | my | self_protection || FAIL: "y" + CONFIG_PAGE_POISONING_NO_SANITY | is not set | my | self_protection ||FAIL: CONFIG_PAGE_POISONING is needed + CONFIG_PAGE_POISONING_ZERO | is not set | my | self_protection ||FAIL: CONFIG_PAGE_POISONING is needed CONFIG_SECURITY | y |defconfig | security_policy || OK CONFIG_SECURITY_YAMA | y | kspp | security_policy || OK CONFIG_SECURITY_SELINUX_DISABLE | is not set | kspp | security_policy || OK @@ -151,7 +153,7 @@ optional arguments: CONFIG_BPF_JIT | is not set | my | cut_attack_surface || FAIL: "y" CONFIG_ARCH_MMAP_RND_BITS | 32 | my |userspace_protection|| FAIL: "28" -[+] config check is finished: 'OK' - 43 / 'FAIL' - 58 +[+] config check is finished: 'OK' - 43 / 'FAIL' - 60 ``` __Go and fix them all!__ diff --git a/kconfig-hardened-check.py b/kconfig-hardened-check.py index 64f6efb..f39995d 100755 --- a/kconfig-hardened-check.py +++ b/kconfig-hardened-check.py @@ -128,8 +128,8 @@ class AND(ComplexOptCheck): self.result = opt.result return ret, self.result elif not ret: - # The requirement is not met. Skip the check. - return False, '' + self.result = 'FAIL: CONFIG_{} is needed'.format(opt.name) + return False, self.result sys.exit('[!] ERROR: invalid AND check') 
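Review bot: The new message in the `elif not ret:` branch, `'FAIL: CONFIG_{} is needed'`, names the unmet requirement but not the value it was expected to have, so a requirement that must hold a specific value would be reported as if it were simply missing. If the requirement object carries `expected` (the checklist entries printed later in this patch do, though that is not confirmed for nested checks), `self.result = 'FAIL: CONFIG_{} is not "{}"'.format(opt.name, opt.expected)` tells the user exactly what to change. The string is also longer than the 28-character result column used by `print_check_results`, which is presumably why the two new README rows lose their padding. `AND.check` begins above this hunk, so the loop and the preceding `if` are not visible here.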
@@ -344,9 +344,8 @@ def print_check_results(): 'option name', 'desired val', 'decision', 'reason', 'check result')) print(' ' + '=' * 115) for opt in checklist: - if opt.result: - print(' CONFIG_{:<32}|{:^13}|{:^10}|{:^20}||{:^28}'.format( - opt.name, opt.expected, opt.decision, opt.reason, opt.result)) + print(' CONFIG_{:<32}|{:^13}|{:^10}|{:^20}||{:^28}'.format( + opt.name, opt.expected, opt.decision, opt.reason, opt.result)) print() @@ -422,8 +421,8 @@ if __name__ == '__main__': construct_checklist(arch) check_config_file(args.config) - error_count = len(list(filter(lambda opt: opt.result and opt.result.startswith('FAIL'), checklist))) - ok_count = len(list(filter(lambda opt: opt.result and opt.result.startswith('OK'), checklist))) + error_count = len(list(filter(lambda opt: opt.result.startswith('FAIL'), checklist))) + ok_count = len(list(filter(lambda opt: opt.result.startswith('OK'), checklist))) if debug_mode: sys.exit(0) print('[+] config check is finished: \'OK\' - {} / \'FAIL\' - {}'.format(ok_count, error_count)) -- 2.31.1
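Review bot: Dropping the `if opt.result:` guard in `print_check_results` makes the loop assume every checklist entry ends up with a non-empty string result, and the `__main__` hunk after it makes the same assumption by calling `opt.result.startswith(...)` directly. If any check class can leave `result` as `None` (its initial value is not visible in this patch), `'{:^28}'.format(None)` raises TypeError and `startswith` raises AttributeError. An empty string would print but be counted as neither OK nor FAIL, so the totals would silently under-report. For a hardening audit it is safer to fail closed, e.g. `result = opt.result or 'FAIL: check produced no result'` before formatting and counting, or at least to add a comment on the loop stating that every `check()` must set a non-empty result.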
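Review bot: The two counters in the `__main__` block still build a throwaway list through `filter` and a lambda just to take its length. Now that the `opt.result and` guard is gone, `error_count = sum(opt.result.startswith('FAIL') for opt in checklist)` (and the same with `'OK'` for `ok_count`) reads more directly and gives the same numbers. The `if __name__ == '__main__':` block starts and ends outside this hunk.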