parsing CONFIG_LSM option implementation

a13xp0p0v · Nov 23, 2024 · 1815e42 · 1815e42
1 parent 8aa1595
commit 1815e42
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 1 deletion.
diff --git a/kernel_hardening_checker/__init__.py b/kernel_hardening_checker/__init__.py
@@ -526,7 +526,7 @@ def main() -> None:
         add_kconfig_checks(config_checklist, arch)
         print(f'CONFIG_{arch}=y') # the Kconfig fragment should describe the microarchitecture
         for opt in config_checklist:
-            if opt.name in ('CONFIG_ARCH_MMAP_RND_BITS', 'CONFIG_ARCH_MMAP_RND_COMPAT_BITS'):
+            if opt.name in ('CONFIG_ARCH_MMAP_RND_BITS', 'CONFIG_ARCH_MMAP_RND_COMPAT_BITS', 'CONFIG_LSM'):
                 continue # don't add Kconfig options with a value that needs refinement
             if opt.expected == 'is not off':
                 continue # don't add Kconfig options without explicitly recommended values

diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py
@@ -222,6 +222,9 @@ def add_kconfig_checks(l: List[ChecklistObjType], arch: str) -> None:
     l += [OR(KconfigCheck('self_protection', 'kspp', 'UBSAN_SANITIZE_ALL', 'y'),
              AND(ubsan_bounds_is_set,
                  VersionCheck((6, 9, 0))))] # UBSAN_SANITIZE_ALL was enabled by default in UBSAN in v6.9
+    l += [KconfigCheck('self_protection', 'kspp', 'LSM', '*landlock*')]
+    l += [KconfigCheck('self_protection', 'kspp', 'LSM', '*lockdown*')]
+    l += [KconfigCheck('self_protection', 'kspp', 'LSM', '*yama*')]
     if arch in ('X86_64', 'ARM64', 'X86_32'):
         stackleak_is_set = KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_STACKLEAK', 'y')
         l += [AND(stackleak_is_set,

diff --git a/kernel_hardening_checker/engine.py b/kernel_hardening_checker/engine.py
@@ -112,6 +112,14 @@ def check(self) -> None:
         else:
             self.result = f'FAIL: "{self.state}"'
 
+        # handle checks, provided with list()
+        if self.expected.startswith('*') and self.state is not None:
+            print(self.state)
+            if self.expected.strip('*') in list(self.state.strip('\"').split(',')):
+                self.result = 'OK'
+            else:
+                self.result = f'FAIL: "{self.state}"'
+
     def table_print(self, _mode: StrOrNone, with_results: bool) -> None:
         print(f'{self.name:<40}|{self.opt_type:^7}|{self.expected:^12}|{self.decision:^10}|{self.reason:^18}', end='')
         if with_results: