parsing CONFIG_LSM option implementation

a13xp0p0v · Nov 22, 2024 · 1968569 · 1968569
1 parent 8aa1595
commit 1968569
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 1 deletion.
diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py
@@ -222,6 +222,9 @@ def add_kconfig_checks(l: List[ChecklistObjType], arch: str) -> None:
     l += [OR(KconfigCheck('self_protection', 'kspp', 'UBSAN_SANITIZE_ALL', 'y'),
              AND(ubsan_bounds_is_set,
                  VersionCheck((6, 9, 0))))] # UBSAN_SANITIZE_ALL was enabled by default in UBSAN in v6.9
+    l += [KconfigCheck('self_protection', 'kspp', 'LSM', 'landlock')]
+    l += [KconfigCheck('self_protection', 'kspp', 'LSM', 'lockdown')]
+    l += [KconfigCheck('self_protection', 'kspp', 'LSM', 'yama')]
     if arch in ('X86_64', 'ARM64', 'X86_32'):
         stackleak_is_set = KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_STACKLEAK', 'y')
         l += [AND(stackleak_is_set,

diff --git a/kernel_hardening_checker/engine.py b/kernel_hardening_checker/engine.py
@@ -110,7 +110,10 @@ def check(self) -> None:
             else:
                 self.result = 'FAIL: is not found'
         else:
-            self.result = f'FAIL: "{self.state}"'
+            if self.expected in list(self.state.strip('\"').split(',')):
+                self.result = 'OK'
+            else:
+                self.result = f'FAIL: "{self.state}"'
 
     def table_print(self, _mode: StrOrNone, with_results: bool) -> None:
         print(f'{self.name:<40}|{self.opt_type:^7}|{self.expected:^12}|{self.decision:^10}|{self.reason:^18}', end='')