Fix the 'decision' for the LEGACY_TIOCSTI check

[kconfig-hardened-check.git] / kernel_hardening_checker / checks.py

diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py
index 5943e531fa192a0e5dfb5c7e9ad3a11cc1de745d..7c3d033adba4a485f9b2d4e0497e37b2f425bf2e 100644 (file)
--- a/kernel_hardening_checker/checks.py
+++ b/kernel_hardening_checker/checks.py
@@ -229,6 +229,9 @@ def add_kconfig_checks(l, arch):
     # 'self_protection', 'clipos'
     l += [KconfigCheck('self_protection', 'clipos', 'SLAB_MERGE_DEFAULT', 'is not set')]
 
+    # 'self_protection', 'my'
+    l += [KconfigCheck('self_protection', 'my', 'LIST_HARDENED', 'y')]
+
     # 'security_policy'
     if arch in ('X86_64', 'ARM64', 'X86_32'):
         l += [KconfigCheck('security_policy', 'defconfig', 'SECURITY', 'y')]
@@ -277,6 +280,7 @@ def add_kconfig_checks(l, arch):
     l += [KconfigCheck('cut_attack_surface', 'kspp', 'MODIFY_LDT_SYSCALL', 'is not set')]
     l += [KconfigCheck('cut_attack_surface', 'kspp', 'OABI_COMPAT', 'is not set')]
     l += [KconfigCheck('cut_attack_surface', 'kspp', 'X86_MSR', 'is not set')] # refers to LOCKDOWN
+    l += [KconfigCheck('cut_attack_surface', 'kspp', 'LEGACY_TIOCSTI', 'is not set')]
     l += [modules_not_set]
     l += [devmem_not_set]
     l += [OR(KconfigCheck('cut_attack_surface', 'kspp', 'IO_STRICT_DEVMEM', 'y'),
@@ -366,7 +370,6 @@ def add_kconfig_checks(l, arch):
     l += [bpf_syscall_not_set] # refers to LOCKDOWN
 
     # 'cut_attack_surface', 'my'
-    l += [KconfigCheck('cut_attack_surface', 'my', 'LEGACY_TIOCSTI', 'is not set')]
     l += [KconfigCheck('cut_attack_surface', 'my', 'MMIOTRACE', 'is not set')] # refers to LOCKDOWN (permissive)
     l += [KconfigCheck('cut_attack_surface', 'my', 'LIVEPATCH', 'is not set')]
     l += [KconfigCheck('cut_attack_surface', 'my', 'IP_DCCP', 'is not set')]