Make hackish refinement of the CONFIG_ARCH_MMAP_RND_BITS check

Use new override_expected_value() for that. This is needed to avoid wrong recommendations for ARM64 and ARM, where CONFIG_ARCH_MMAP_RND_BITS_MAX depends on the paging configuration.

Make hackish refinement of the CONFIG_ARCH_MMAP_RND_BITS check
Use new override_expected_value() for that. This is needed to avoid wrong recommendations for ARM64 and ARM, where CONFIG_ARCH_MMAP_RND_BITS_MAX depends on the paging configuration.
9bbea5b5 · Alexander Popov · 7194de8d · 9bbea5b5 · 9bbea5b5
Commit 9bbea5b5 authored Apr 23, 2023 by Alexander Popov
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 5 deletions

__init__.py kconfig_hardened_check/__init__.py +6 -1

checks.py kconfig_hardened_check/checks.py +2 -4

No files found.
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -20,7 +20,7 @@ import re
 import json
 from .__about__ import __version__
 from .checks import add_kconfig_checks, add_cmdline_checks, normalize_cmdline_options
-from .engine import populate_with_data, perform_checks
+from .engine import populate_with_data, perform_checks, override_expected_value


 def _open(file: str, *args, **kwargs):
@@ -277,6 +277,11 @@ def main():
            parse_cmdline_file(parsed_cmdline_options, args.cmdline)
            populate_with_data(config_checklist, parsed_cmdline_options, 'cmdline')

+        # hackish refinement of the CONFIG_ARCH_MMAP_RND_BITS check
+        mmap_rnd_bits_max = parsed_kconfig_options.get('CONFIG_ARCH_MMAP_RND_BITS_MAX', None)
+        if mmap_rnd_bits_max:
+            override_expected_value(config_checklist, 'CONFIG_ARCH_MMAP_RND_BITS', mmap_rnd_bits_max)
+
        # now everything is ready, perform the checks
        perform_checks(config_checklist)


--- a/kconfig_hardened_check/checks.py
+++ b/kconfig_hardened_check/checks.py
@@ -34,6 +34,7 @@ This module contains knowledge for checks.
 #    kernel.randomize_va_space=2
 #    nosmt sysfs control file
 #    dev.tty.legacy_tiocsti=0
+#    vm.mmap_rnd_bits=max (?)
 #
 # Think of these boot params:
 #    module.sig_enforce=1
@@ -404,10 +405,7 @@ def add_kconfig_checks(l, arch):
        l += [KconfigCheck('harden_userspace', 'defconfig', 'ARM64_BTI', 'y')]
    if arch in ('ARM', 'X86_32'):
        l += [KconfigCheck('harden_userspace', 'defconfig', 'VMSPLIT_3G', 'y')]
-    if arch in ('X86_64', 'ARM64'):
-        l += [KconfigCheck('harden_userspace', 'clipos', 'ARCH_MMAP_RND_BITS', '32')]
-    if arch in ('X86_32', 'ARM'):
-        l += [KconfigCheck('harden_userspace', 'my', 'ARCH_MMAP_RND_BITS', '16')]
+    l += [KconfigCheck('harden_userspace', 'my', 'ARCH_MMAP_RND_BITS', 'MAX')] # 'MAX' value is refined using ARCH_MMAP_RND_BITS_MAX


 def add_cmdline_checks(l, arch):