support DEVMEM not set when considering STRICT_DEVMEM/IO_STRICT_DEVMEM

Detect STRICT_DEVMEM and IO_STRICT_DEVMEM as not being needed whenever DEVMEM is not set. Conflicts resolved by @a13xp0p0v

support DEVMEM not set when considering STRICT_DEVMEM/IO_STRICT_DEVMEM
Detect STRICT_DEVMEM and IO_STRICT_DEVMEM as not being needed whenever DEVMEM is not set. Conflicts resolved by @a13xp0p0v
660a4a5c · anthraxx · Alexander Popov · 885eca86 · 660a4a5c
Commit 660a4a5c authored Jun 26, 2018 by anthraxx Committed by Alexander Popov Jul 25, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 2 deletions

kconfig-hardened-check.py kconfig-hardened-check.py +4 -2

No files found.
--- a/kconfig-hardened-check.py
+++ b/kconfig-hardened-check.py
@@ -93,6 +93,8 @@ class OR:
 def construct_opt_checks():
+    devmem_not_set = OptCheck('DEVMEM',                  'is not set', 'kspp', 'cut_attack_surface')
    checklist.append(OptCheck('BUG',                     'y', 'ubuntu18', 'self_protection'))
    checklist.append(OptCheck('PAGE_TABLE_ISOLATION',    'y', 'ubuntu18', 'self_protection'))
    checklist.append(OptCheck('RETPOLINE',               'y', 'ubuntu18', 'self_protection'))
@@ -146,7 +148,7 @@ def construct_opt_checks():
    checklist.append(OptCheck('SECCOMP',              'y', 'ubuntu18', 'cut_attack_surface'))
    checklist.append(OptCheck('SECCOMP_FILTER',       'y', 'ubuntu18', 'cut_attack_surface'))
-    checklist.append(OptCheck('STRICT_DEVMEM',        'y', 'ubuntu18', 'cut_attack_surface'))
+    checklist.append(OR(OptCheck('STRICT_DEVMEM',     'y', 'ubuntu18', 'cut_attack_surface'), devmem_not_set))
    checklist.append(OptCheck('ACPI_CUSTOM_METHOD',   'is not set', 'ubuntu18', 'cut_attack_surface'))
    checklist.append(OptCheck('COMPAT_BRK',           'is not set', 'ubuntu18', 'cut_attack_surface'))
    checklist.append(OptCheck('DEVKMEM',              'is not set', 'ubuntu18', 'cut_attack_surface'))
@@ -157,7 +159,7 @@ def construct_opt_checks():
    checklist.append(OptCheck('DEBUG_KMEMLEAK',       'is not set', 'ubuntu18', 'cut_attack_surface'))
    checklist.append(OptCheck('BINFMT_AOUT',          'is not set', 'ubuntu18', 'cut_attack_surface'))
-    checklist.append(OptCheck('IO_STRICT_DEVMEM',     'y', 'kspp', 'cut_attack_surface'))
+    checklist.append(OR(OptCheck('IO_STRICT_DEVMEM',  'y', 'kspp', 'cut_attack_surface'), devmem_not_set))
    checklist.append(OptCheck('LEGACY_VSYSCALL_NONE', 'y', 'kspp', 'cut_attack_surface')) # 'vsyscall=none'
    checklist.append(OptCheck('BINFMT_MISC',          'is not set', 'kspp', 'cut_attack_surface'))
    checklist.append(OptCheck('INET_DIAG',            'is not set', 'kspp', 'cut_attack_surface'))