projects / kconfig-hardened-check.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 940be27)
Check disabling XFS_SUPPORT_V4 for cutting attack surface
authorAlexander Popov <alex.popov@linux.com>
Tue, 4 Jul 2023 11:20:20 +0000 (14:20 +0300)
committerAlexander Popov <alex.popov@linux.com>
Tue, 4 Jul 2023 11:20:20 +0000 (14:20 +0300)
The XFS V4 format is deprecated:
https://elixir.bootlin.com/linux/v6.3.11/source/fs/xfs/Kconfig#L25

Quote:
The V4 filesystem format lacks certain features that are supported
by the V5 format, such as metadata checksumming, strengthened
metadata verification, and the ability to store timestamps past the
year 2038. Because of this, the V4 format is deprecated. All users
should upgrade by backing up their files, reformatting, and restoring
from the backup... To close off an attack surface, say N.

kconfig_hardened_check/checks.py patch | blob | history

diff --git a/kconfig_hardened_check/checks.py b/kconfig_hardened_check/checks.py
index 3a58c7034683a4e90d9d78b28ea146717898a313..d857ad132c5658f04641564208920c0feea2a95e 100644 (file)
--- a/kconfig_hardened_check/checks.py
+++ b/kconfig_hardened_check/checks.py
@@ -365,6 +365,7 @@ def add_kconfig_checks(l, arch):
     l += [KconfigCheck('cut_attack_surface', 'my', 'KGDB', 'is not set')]
     l += [KconfigCheck('cut_attack_surface', 'my', 'AIO', 'is not set')]
     l += [KconfigCheck('cut_attack_surface', 'my', 'CORESIGHT', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'my', 'XFS_SUPPORT_V4', 'is not set')]
     l += [OR(KconfigCheck('cut_attack_surface', 'my', 'TRIM_UNUSED_KSYMS', 'y'),
              modules_not_set)]
 
kconfig-hardened-check