From 78675ceec3da0a4e99fe9cf5389078e50c14ef95 Mon Sep 17 00:00:00 2001
From: Alexander Popov
Date: Tue, 4 Jul 2023 14:20:20 +0300
Subject: [PATCH] Check disabling XFS_SUPPORT_V4 for cutting attack surface

The XFS V4 format is deprecated: https://elixir.bootlin.com/linux/v6.3.11/source/fs/xfs/Kconfig#L25 Quote: The V4 filesystem format lacks certain features that are supported by the V5 format, such as metadata checksumming, strengthened metadata verification, and the ability to store timestamps past the year 2038. Because of this, the V4 format is deprecated. All users should upgrade by backing up their files, reformatting, and restoring from the backup... To close off an attack surface, say N.
---
 kconfig_hardened_check/checks.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/kconfig_hardened_check/checks.py b/kconfig_hardened_check/checks.py
index 3a58c70..d857ad1 100644
--- a/kconfig_hardened_check/checks.py
+++ b/kconfig_hardened_check/checks.py
@@ -365,6 +365,7 @@ def add_kconfig_checks(l, arch):
 l += [KconfigCheck('cut_attack_surface', 'my', 'KGDB', 'is not set')]
 l += [KconfigCheck('cut_attack_surface', 'my', 'AIO', 'is not set')]
 l += [KconfigCheck('cut_attack_surface', 'my', 'CORESIGHT', 'is not set')]
+ l += [KconfigCheck('cut_attack_surface', 'my', 'XFS_SUPPORT_V4', 'is not set')]
 l += [OR(KconfigCheck('cut_attack_surface', 'my', 'TRIM_UNUSED_KSYMS', 'y'), modules_not_set)]
--
2.31.1
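Review bot: The added `XFS_SUPPORT_V4` line checks only that the symbol `is not set`, so a passing result may not mean V4 on-disk parsing is compiled out. If the check engine (not visible in this hunk) treats a missing symbol as satisfying `is not set`, a config from a kernel that predates the option would presumably pass while still accepting V4 images whenever XFS is enabled. A short comment above the line would keep readers from over-trusting the result, for example `# NOTE: only meaningful on kernels that define XFS_SUPPORT_V4; older ones parse V4 whenever XFS_FS is enabled`. The commit message gives the rationale and the Kconfig link, but nothing in the file does, so the same comment could carry that reference. `add_kconfig_checks` starts and continues outside the hunk.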