projects / kconfig-hardened-check.git / commitdiff
(parent: 31352cf)
Add the ia32_emulation check
author Alexander Popov <alex.popov@linux.com> Mon, 4 Mar 2024 20:00:49 +0000 (23:00 +0300)
committer Alexander Popov <alex.popov@linux.com> Mon, 4 Mar 2024 20:00:49 +0000 (23:00 +0300)
Refers to #87 #112
kernel_hardening_checker/checks.py
diff --git
a/kernel_hardening_checker/checks.py
b/kernel_hardening_checker/checks.py
index 635f0c1b0868976d7d98100f393e47a92e8fec8d..b5ed92505e41f955597a5c90fc3cac5bd7dec6bd 100644
--- a/
kernel_hardening_checker/checks.py
+++ b/
kernel_hardening_checker/checks.py
@@
-570,6
+570,11
@@
def add_cmdline_checks(l, arch):
# 'cut_attack_surface', 'my'
l += [CmdlineCheck('cut_attack_surface', 'my', 'sysrq_always_enabled', 'is not set')]
# 'cut_attack_surface', 'my'
l += [CmdlineCheck('cut_attack_surface', 'my', 'sysrq_always_enabled', 'is not set')]
+ if arch == 'X86_64':
+ l += [OR(CmdlineCheck('cut_attack_surface', 'my', 'ia32_emulation', '0'),
+ KconfigCheck('cut_attack_surface', 'kspp', 'IA32_EMULATION', 'is not set'),
+ AND(KconfigCheck('cut_attack_surface', 'my', 'IA32_EMULATION_DEFAULT_DISABLED', 'y'),
+ CmdlineCheck('cut_attack_surface', 'my', 'ia32_emulation', 'is not set')))]
# 'harden_userspace'
l += [CmdlineCheck('harden_userspace', 'defconfig', 'norandmaps', 'is not set')]
# 'harden_userspace'
l += [CmdlineCheck('harden_userspace', 'defconfig', 'norandmaps', 'is not set')]
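Review bot: The first alternative of the new OR under `if arch == 'X86_64':` passes only when `ia32_emulation` is the literal string '0', while the third alternative requires the parameter to be absent. If the kernel accepts other boolean spellings for this parameter (for example `off` or `n`), a command line that sets one of them on a kernel with IA32_EMULATION enabled fails all three branches even though 32-bit emulation is disabled, unless values are normalized somewhere outside this hunk. Consider either accepting the equivalent spellings or stating in a comment that only '0' is recognized. A short comment above the block explaining the three cases would also help: disabled on the command line, compiled out via IA32_EMULATION, or disabled by default via IA32_EMULATION_DEFAULT_DISABLED with no command line override. As written, the block sits under the existing `# 'cut_attack_surface', 'my'` comment although its second alternative is tagged 'kspp', so it is unclear which decision the combined check is meant to carry.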