Improve the check of DEBUG_NOTIFIERS feature

This is what DEBUG_NOTIFIERS performs (see kernel/notifier.c): ``` #ifdef CONFIG_DEBUG_NOTIFIERS if (unlikely(!func_ptr_is_kernel_text(nb->notifier_call))) { WARN(1, "Invalid notifier called!"); nb = next_nb; continue; } #endif ``` CFI can do the same better. Thanks to @thestinger for the idea. Refers to #99.

Improve the check of DEBUG_NOTIFIERS feature
This is what DEBUG_NOTIFIERS performs (see kernel/notifier.c): ``` #ifdef CONFIG_DEBUG_NOTIFIERS if (unlikely(!func_ptr_is_kernel_text(nb->notifier_call))) { WARN(1, "Invalid notifier called!"); nb = next_nb; continue; } #endif ``` CFI can do the same better. Thanks to @thestinger for the idea. Refers to #99.
cd5bb8a0 · Alexander Popov · c0fc9e89 · cd5bb8a0
Commit cd5bb8a0 authored Jan 16, 2024 by Alexander Popov
Show whitespace changes
Inline Side-by-side

Showing with 3 additions and 2 deletions

checks.py kernel_hardening_checker/checks.py +3 -2

No files found.
--- a/kernel_hardening_checker/checks.py
+++ b/kernel_hardening_checker/checks.py
@@ -127,10 +127,12 @@ def add_kconfig_checks(l, arch):
    l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_VIRTUAL', 'y')]
    l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_SG', 'y')]
    l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_CREDENTIALS', 'y')]
-    l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_NOTIFIERS', 'y')]
    l += [KconfigCheck('self_protection', 'kspp', 'INIT_ON_ALLOC_DEFAULT_ON', 'y')]
    l += [KconfigCheck('self_protection', 'kspp', 'STATIC_USERMODEHELPER', 'y')] # needs userspace support
    l += [KconfigCheck('self_protection', 'kspp', 'SCHED_CORE', 'y')]
+    cfi_clang_is_set = KconfigCheck('self_protection', 'kspp', 'CFI_CLANG', 'y')
+    l += [OR(KconfigCheck('self_protection', 'kspp', 'DEBUG_NOTIFIERS', 'y'),
+             cfi_clang_is_set)]
    l += [OR(KconfigCheck('self_protection', 'kspp', 'SCHED_STACK_END_CHECK', 'y'),
             vmap_stack_is_set)]
    kfence_is_set = KconfigCheck('self_protection', 'kspp', 'KFENCE', 'y')
@@ -196,7 +198,6 @@ def add_kconfig_checks(l, arch):
                  gcc_plugins_support_is_set)]
        l += [KconfigCheck('self_protection', 'kspp', 'RANDOMIZE_KSTACK_OFFSET_DEFAULT', 'y')]
    if arch in ('X86_64', 'ARM64'):
-        cfi_clang_is_set = KconfigCheck('self_protection', 'kspp', 'CFI_CLANG', 'y')
        l += [cfi_clang_is_set]
        l += [AND(KconfigCheck('self_protection', 'kspp', 'CFI_PERMISSIVE', 'is not set'),
                  cfi_clang_is_set)]