Add the LDISC_AUTOLOAD check

In fact we have a false positive here because the absence
of the disabled CONFIG_LDISC_AUTOLOAD means FAIL (line
disciplines are automatically loaded).

TODO: Introduce a special check for this type of cases.

diff --git a/README.md b/README.md
index 60efeb7e33cad7eca74c21f68f080d7fa1ec8648..3f661fd4cbc95d1d4e30163db068195328a56713 100644 (file)
--- a/README.md
+++ b/README.md
@@ -164,6 +164,7 @@ CONFIG_X86_VSYSCALL_EMULATION           | is not set  |  clipos  | cut_attack_su
 CONFIG_MAGIC_SYSRQ                      | is not set  |  clipos  | cut_attack_surface ||         FAIL: "y"          
 CONFIG_KEXEC_FILE                       | is not set  |  clipos  | cut_attack_surface ||         FAIL: "y"          
 CONFIG_USER_NS                          | is not set  |  clipos  | cut_attack_surface ||         FAIL: "y"          
+CONFIG_LDISC_AUTOLOAD                   | is not set  |  clipos  | cut_attack_surface ||       OK: not found        
 CONFIG_MMIOTRACE                        | is not set  |    my    | cut_attack_surface ||         FAIL: "y"          
 CONFIG_LIVEPATCH                        | is not set  |    my    | cut_attack_surface ||         FAIL: "y"          
 CONFIG_IP_DCCP                          | is not set  |    my    | cut_attack_surface ||         FAIL: "m"          
@@ -172,7 +173,7 @@ CONFIG_FTRACE                           | is not set  |    my    | cut_attack_su
 CONFIG_BPF_JIT                          | is not set  |    my    | cut_attack_surface ||         FAIL: "y"          
 CONFIG_ARCH_MMAP_RND_BITS               |     32      |  clipos  |userspace_protection||         FAIL: "28"         
 
-[+] config check is finished: 'OK' - 49 / 'FAIL' - 71
+[+] config check is finished: 'OK' - 50 / 'FAIL' - 71
 ```
 
 

diff --git a/kconfig-hardened-check.py b/kconfig-hardened-check.py
index 75f8cfd5bd85e5aa8bb0d32979429cd8cf226b38..cb59e39402ddb6d82edc5f4d6db39bc9e9197c59 100755 (executable)
--- a/kconfig-hardened-check.py
+++ b/kconfig-hardened-check.py
@@ -353,6 +353,7 @@ def construct_checklist(arch):
     checklist.append(OptCheck('MAGIC_SYSRQ',              'is not set', 'clipos', 'cut_attack_surface'))
     checklist.append(OptCheck('KEXEC_FILE',               'is not set', 'clipos', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL (permissive)
     checklist.append(OptCheck('USER_NS',                  'is not set', 'clipos', 'cut_attack_surface')) # user.max_user_namespaces=0
+    checklist.append(OptCheck('LDISC_AUTOLOAD',           'is not set', 'clipos', 'cut_attack_surface'))
 
     checklist.append(OptCheck('MMIOTRACE',            'is not set', 'my', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL (permissive)
     checklist.append(OptCheck('LIVEPATCH',            'is not set', 'my', 'cut_attack_surface'))