Add the ia32_emulation check

author Alexander Popov <alex.popov@linux.com>

Mon, 4 Mar 2024 20:00:49 +0000 (23:00 +0300)

committer Alexander Popov <alex.popov@linux.com>

Mon, 4 Mar 2024 20:00:49 +0000 (23:00 +0300)
author Alexander Popov <alex.popov@linux.com>
Mon, 4 Mar 2024 20:00:49 +0000 (23:00 +0300)
committer Alexander Popov <alex.popov@linux.com>
Mon, 4 Mar 2024 20:00:49 +0000 (23:00 +0300)
diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py

index 635f0c1b0868976d7d98100f393e47a92e8fec8d..b5ed92505e41f955597a5c90fc3cac5bd7dec6bd 100644 (file)
--- a/kernel_hardening_checker/checks.py
+++ b/kernel_hardening_checker/checks.py
@@ -570,6 +570,11 @@ def add_cmdline_checks(l, arch):
  
      # 'cut_attack_surface', 'my'
      l += [CmdlineCheck('cut_attack_surface', 'my', 'sysrq_always_enabled', 'is not set')]
+    if arch == 'X86_64':
+        l += [OR(CmdlineCheck('cut_attack_surface', 'my', 'ia32_emulation', '0'),
+                 KconfigCheck('cut_attack_surface', 'kspp', 'IA32_EMULATION', 'is not set'),
+                 AND(KconfigCheck('cut_attack_surface', 'my', 'IA32_EMULATION_DEFAULT_DISABLED', 'y'),
+                     CmdlineCheck('cut_attack_surface', 'my', 'ia32_emulation', 'is not set')))]
  
      # 'harden_userspace'
      l += [CmdlineCheck('harden_userspace', 'defconfig', 'norandmaps', 'is not set')]
author	Alexander Popov <alex.popov@linux.com>
	Mon, 4 Mar 2024 20:00:49 +0000 (23:00 +0300)
committer	Alexander Popov <alex.popov@linux.com>
	Mon, 4 Mar 2024 20:00:49 +0000 (23:00 +0300)