SECURITY_DMESG_RESTRICT is recommended by KSPP now

d1a8bb6a · Alexander Popov · a486a640 · d1a8bb6a
Commit d1a8bb6a authored Jun 19, 2021 by Alexander Popov
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 2 deletions

__init__.py kconfig_hardened_check/__init__.py +2 -2

No files found.
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -36,7 +36,7 @@
 #
 # N.B. Hardening sysctls:
 #    kernel.kptr_restrict=2 (or 1?)
-#    kernel.dmesg_restrict=1
+#    kernel.dmesg_restrict=1 (also see the kconfig option)
 #    kernel.perf_event_paranoid=3
 #    kernel.kexec_load_disabled=1
 #    kernel.yama.ptrace_scope=3
@@ -328,6 +328,7 @@ def construct_checklist(l, arch):
        l += [OptCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_PREDICTOR', 'y')]

    # 'self_protection', 'kspp'
+    l += [OptCheck('self_protection', 'kspp', 'SECURITY_DMESG_RESTRICT', 'y')]
    l += [OptCheck('self_protection', 'kspp', 'BUG_ON_DATA_CORRUPTION', 'y')]
    l += [OptCheck('self_protection', 'kspp', 'DEBUG_WX', 'y')]
    l += [OptCheck('self_protection', 'kspp', 'SCHED_STACK_END_CHECK', 'y')]
@@ -375,7 +376,6 @@ def construct_checklist(l, arch):
        l += [OptCheck('self_protection', 'kspp', 'DEFAULT_MMAP_MIN_ADDR', '32768')]

    # 'self_protection', 'clipos'
-    l += [OptCheck('self_protection', 'clipos', 'SECURITY_DMESG_RESTRICT', 'y')]
    l += [OptCheck('self_protection', 'clipos', 'DEBUG_VIRTUAL', 'y')]
    l += [OptCheck('self_protection', 'clipos', 'STATIC_USERMODEHELPER', 'y')] # needs userspace support
    l += [OptCheck('self_protection', 'clipos', 'EFI_DISABLE_PCI_DMA', 'y')]