Merge branch 'from-hackurx-1'

75cfda0e · Alexander Popov · 5336858f · 6c8d514e · 75cfda0e · 75cfda0e
Commit 75cfda0e authored Jul 20, 2018 by Alexander Popov
8 changed files
--- a/README.md
+++ b/README.md
@@ -29,7 +29,7 @@ Usage: ./kconfig-hardened-check.py [-p | -c <config_file>]

 ### Script output for `Ubuntu 18.04 (Bionic Beaver)` kernel config
 ```
-./kconfig-hardened-check.py -c ubuntu-bionic-generic.config
+./kconfig-hardened-check.py -c config_files/ubuntu-bionic-generic.config
 [+] Checking "ubuntu-bionic-generic.config" against hardening preferences...
  option name                            | desired val | decision |       reason       ||    check result    
  ===========================================================================================================
@@ -91,6 +91,7 @@ Usage: ./kconfig-hardened-check.py [-p | -c <config_file>]
  CONFIG_ZSMALLOC_STAT                   | is not set  | ubuntu18 | cut_attack_surface ||         OK         
  CONFIG_PAGE_OWNER                      | is not set  | ubuntu18 | cut_attack_surface ||         OK         
  CONFIG_DEBUG_KMEMLEAK                  | is not set  | ubuntu18 | cut_attack_surface ||         OK         
+  CONFIG_BINFMT_AOUT                     | is not set  | ubuntu18 | cut_attack_surface ||   OK: not found    
  CONFIG_IO_STRICT_DEVMEM                |      y      |   kspp   | cut_attack_surface || FAIL: "is not set" 
  CONFIG_LEGACY_VSYSCALL_NONE            |      y      |   kspp   | cut_attack_surface || FAIL: "is not set" 
  CONFIG_BINFMT_MISC                     | is not set  |   kspp   | cut_attack_surface ||     FAIL: "m"      

--- a/config_files/Alpinelinux-edge.config
+++ b/config_files/Alpinelinux-edge.config
--- a/config_files/Archlinux-Testing.config
+++ b/config_files/Archlinux-Testing.config
--- a/config_files/Archlinux-hardened.config
+++ b/config_files/Archlinux-hardened.config
--- a/config_files/debian-sid-amd64.config
+++ b/config_files/debian-sid-amd64.config
--- a/oracle-uek5.config
+++ b/oracle-uek5.config
--- a/ubuntu-bionic-generic.config
+++ b/ubuntu-bionic-generic.config
--- a/kconfig-hardened-check.py
+++ b/kconfig-hardened-check.py
@@ -112,6 +112,7 @@ def construct_opt_checks():
    checklist.append(OptCheck('ZSMALLOC_STAT',        'is not set', 'ubuntu18', 'cut_attack_surface'))
    checklist.append(OptCheck('PAGE_OWNER',           'is not set', 'ubuntu18', 'cut_attack_surface'))
    checklist.append(OptCheck('DEBUG_KMEMLEAK',       'is not set', 'ubuntu18', 'cut_attack_surface'))
+    checklist.append(OptCheck('BINFMT_AOUT',          'is not set', 'ubuntu18', 'cut_attack_surface'))

    checklist.append(OptCheck('IO_STRICT_DEVMEM',     'y', 'kspp', 'cut_attack_surface'))
    checklist.append(OptCheck('LEGACY_VSYSCALL_NONE', 'y', 'kspp', 'cut_attack_surface')) # 'vsyscall=none'