Add the LDISC_AUTOLOAD check

In fact we have a false positive here because the absence of the disabled CONFIG_LDISC_AUTOLOAD means FAIL (line disciplines are automatically loaded). TODO: Introduce a special check for this type of cases.

Add the LDISC_AUTOLOAD check
In fact we have a false positive here because the absence of the disabled CONFIG_LDISC_AUTOLOAD means FAIL (line disciplines are automatically loaded). TODO: Introduce a special check for this type of cases.
76f37eec · Alexander Popov · 4707be6d · 76f37eec · 76f37eec
Commit 76f37eec authored Jun 04, 2019 by Alexander Popov
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 1 deletions

README.md README.md +2 -1

kconfig-hardened-check.py kconfig-hardened-check.py +1 -0

No files found.
--- a/README.md
+++ b/README.md
@@ -164,6 +164,7 @@ CONFIG_X86_VSYSCALL_EMULATION           | is not set  |  clipos  | cut_attack_su
 CONFIG_MAGIC_SYSRQ                      | is not set  |  clipos  | cut_attack_surface ||         FAIL: "y"          
 CONFIG_KEXEC_FILE                       | is not set  |  clipos  | cut_attack_surface ||         FAIL: "y"          
 CONFIG_USER_NS                          | is not set  |  clipos  | cut_attack_surface ||         FAIL: "y"          
+CONFIG_LDISC_AUTOLOAD                   | is not set  |  clipos  | cut_attack_surface ||       OK: not found        
 CONFIG_MMIOTRACE                        | is not set  |    my    | cut_attack_surface ||         FAIL: "y"          
 CONFIG_LIVEPATCH                        | is not set  |    my    | cut_attack_surface ||         FAIL: "y"          
 CONFIG_IP_DCCP                          | is not set  |    my    | cut_attack_surface ||         FAIL: "m"          
@@ -172,7 +173,7 @@ CONFIG_FTRACE                           | is not set  |    my    | cut_attack_su
 CONFIG_BPF_JIT                          | is not set  |    my    | cut_attack_surface ||         FAIL: "y"          
 CONFIG_ARCH_MMAP_RND_BITS               |     32      |  clipos  |userspace_protection||         FAIL: "28"         

-[+] config check is finished: 'OK' - 49 / 'FAIL' - 71
+[+] config check is finished: 'OK' - 50 / 'FAIL' - 71
 ```



--- a/kconfig-hardened-check.py
+++ b/kconfig-hardened-check.py
@@ -353,6 +353,7 @@ def construct_checklist(arch):
    checklist.append(OptCheck('MAGIC_SYSRQ',              'is not set', 'clipos', 'cut_attack_surface'))
    checklist.append(OptCheck('KEXEC_FILE',               'is not set', 'clipos', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL (permissive)
    checklist.append(OptCheck('USER_NS',                  'is not set', 'clipos', 'cut_attack_surface')) # user.max_user_namespaces=0
+    checklist.append(OptCheck('LDISC_AUTOLOAD',           'is not set', 'clipos', 'cut_attack_surface'))

    checklist.append(OptCheck('MMIOTRACE',            'is not set', 'my', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL (permissive)
    checklist.append(OptCheck('LIVEPATCH',            'is not set', 'my', 'cut_attack_surface'))