From c16ffaf97c36f1d192a04138ac488833083354d9 Mon Sep 17 00:00:00 2001
From: Alexander Popov
Date: Sun, 1 Sep 2024 17:52:00 +0300
Subject: [PATCH] Remove `if arch` for the X86_VSYSCALL_EMULATION check

It requires 'is not set' anyway.
---
 kernel_hardening_checker/checks.py | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py
index 96da7bf..48f53ef 100755
--- a/kernel_hardening_checker/checks.py
+++ b/kernel_hardening_checker/checks.py
@@ -339,15 +339,14 @@ def add_kconfig_checks(l: List[ChecklistObjType], arch: str) -> None:
 devmem_not_set)] # refers to LOCKDOWN
 l += [AND(KconfigCheck('cut_attack_surface', 'kspp', 'LDISC_AUTOLOAD', 'is not set'),
 KconfigCheck('cut_attack_surface', 'kspp', 'LDISC_AUTOLOAD', 'is present'))]
+ l += [OR(KconfigCheck('cut_attack_surface', 'kspp', 'X86_VSYSCALL_EMULATION', 'is not set'),
+ KconfigCheck('cut_attack_surface', 'kspp', 'LEGACY_VSYSCALL_NONE', 'y'))]
+ # disabling X86_VSYSCALL_EMULATION turns vsyscall off completely,
+ # and LEGACY_VSYSCALL_NONE can be changed at boot time via the cmdline parameter
 if arch in ('X86_64', 'X86_32'):
 l += [KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT_VDSO', 'is not set')]
 # CONFIG_COMPAT_VDSO disabled ASLR of vDSO only on X86_64 and X86_32;
 # on ARM64 this option has different meaning
- if arch == 'X86_64':
- l += [OR(KconfigCheck('cut_attack_surface', 'kspp', 'X86_VSYSCALL_EMULATION', 'is not set'),
- KconfigCheck('cut_attack_surface', 'kspp', 'LEGACY_VSYSCALL_NONE', 'y'))]
- # disabling X86_VSYSCALL_EMULATION turns vsyscall off completely,
- # and LEGACY_VSYSCALL_NONE can be changed at boot time via the cmdline parameter
 if arch == 'ARM':
 l += [OR(KconfigCheck('cut_attack_surface', 'kspp', 'STRICT_DEVMEM', 'y'),
 devmem_not_set)] # refers to LOCKDOWN
--
2.31.1
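Review bot: The now-unconditional `X86_VSYSCALL_EMULATION` / `LEGACY_VSYSCALL_NONE` check carries no comment saying why it is safe to run on every architecture; that reasoning lives only in the commit message. As that message implies, on a config where the symbol is absent the `'is not set'` branch of the `OR` is satisfied without any hardening decision having been made, so the report for ARM, ARM64 and X86_32 gains a passing row that a reader could mistake for an applied mitigation. I would extend the trailing comment with `# both options exist only on X86_64; on other arches 'is not set' is satisfied trivially`, mirroring the arch note under the `COMPAT_VDSO` check. If a boot-parameter check for vsyscall exists outside this hunk, it is worth confirming that its arch scoping still matches this one. `add_kconfig_checks` begins and ends outside the hunk.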