From 27c5b9ee9e1fc4e60e4633ec66bbc42ff7cc64e6 Mon Sep 17 00:00:00 2001
From: Justin Cormack
Date: Wed, 11 Jan 2017 16:49:59 +0000
Subject: [PATCH] Adjust kernel config tests to support 4.4 - some options are different
Signed-off-by: Justin Cormack
---
 .../check-kernel-config.sh | 23 +++++++++++++++----
 alpine/test/test.sh | 2 +-
 2 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/alpine/base/check-kernel-config/check-kernel-config.sh b/alpine/base/check-kernel-config/check-kernel-config.sh
index d73bd3d24..9619534fd 100755
--- a/alpine/base/check-kernel-config/check-kernel-config.sh
+++ b/alpine/base/check-kernel-config/check-kernel-config.sh
@@ -7,6 +7,11 @@ echo "starting kernel config sanity test with /proc/config.gz"
 # decompress /proc/config.gz from the Moby host
 zcat /proc/config.gz > unzipped_config
+kernelVersion="$(uname -r)"
+kernelMajor="${kernelVersion%%.*}"
+kernelMinor="${kernelVersion#$kernelMajor.}"
+kernelMinor="${kernelMinor%%.*}"
+
 # Most tests against https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
 # Positive cases
 cat unzipped_config | grep CONFIG_BUG=y
@@ -15,7 +20,6 @@ cat unzipped_config | grep CONFIG_DEBUG_RODATA=y
 cat unzipped_config | grep CONFIG_CC_STACKPROTECTOR=y
 cat unzipped_config | grep CONFIG_CC_STACKPROTECTOR_STRONG=y
 cat unzipped_config | grep CONFIG_STRICT_DEVMEM=y
-cat unzipped_config | grep CONFIG_IO_STRICT_DEVMEM=y
 cat unzipped_config | grep CONFIG_SYN_COOKIES=y
 cat unzipped_config | grep CONFIG_DEBUG_CREDENTIALS=y
 cat unzipped_config | grep CONFIG_DEBUG_NOTIFIERS=y
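Review bot: The version parsing added in the first hunk of check-kernel-config.sh never checks that `kernelMajor` and `kernelMinor` came out as plain numbers. If `uname -r` reports a release whose second component is not purely numeric, the later `[ ... -ge ... ]` tests would presumably fail with an "integer expression expected" error inside `if`, which the shell treats as false, so the version-gated hardening checks would be skipped rather than failed. A guard directly after the parsing makes that case fail loudly, for example `case "$kernelMinor" in ''|*[!0-9]*) echo "cannot parse kernel version: $kernelVersion" >&2; exit 1;; esac`, with the same test for `kernelMajor`. The rest of the script, including whatever error mode it sets, is outside this hunk.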
@@ -24,11 +28,20 @@ cat unzipped_config | grep CONFIG_SECCOMP=y
 cat unzipped_config | grep CONFIG_SECCOMP_FILTER=y
 cat unzipped_config | grep CONFIG_SECURITY=y
 cat unzipped_config | grep CONFIG_SECURITY_YAMA=y
-cat unzipped_config | grep CONFIG_HARDENED_USERCOPY=y
-cat unzipped_config | grep CONFIG_SLAB_FREELIST_RANDOM=y
 cat unzipped_config | grep CONFIG_PANIC_ON_OOPS=y
 cat unzipped_config | grep CONFIG_DEBUG_SET_MODULE_RONX=y
-cat unzipped_config | grep CONFIG_UBSAN=y
+
+# Conditional on kernel version
+if [ "$kernelMajor" -ge 4 -a "$kernelMinor" -ge 5 ]; then
+ cat unzipped_config | grep CONFIG_IO_STRICT_DEVMEM=y
+ cat unzipped_config | grep CONFIG_UBSAN=y
+fi
+if [ "$kernelMajor" -ge 4 -a "$kernelMinor" -ge 7 ]; then
+ cat unzipped_config | grep CONFIG_SLAB_FREELIST_RANDOM=y
+fi
+if [ "$kernelMajor" -ge 4 -a "$kernelMinor" -ge 8 ]; then
+ cat unzipped_config | grep CONFIG_HARDENED_USERCOPY=y
+fi
 # Negative cases
 cat unzipped_config | grep 'CONFIG_ACPI_CUSTOM_METHOD is not set'
@@ -37,4 +50,4 @@ cat unzipped_config | grep 'CONFIG_DEVKMEM is not set'
 cat unzipped_config | grep 'CONFIG_COMPAT_VDSO is not set'
 cat unzipped_config | grep 'CONFIG_KEXEC is not set'
 cat unzipped_config | grep 'CONFIG_HIBERNATION is not set'
-cat unzipped_config | grep 'CONFIG_LEGACY_PTYS is not set'
\ No newline at end of file
+cat unzipped_config | grep 'CONFIG_LEGACY_PTYS is not set'
diff --git a/alpine/test/test.sh b/alpine/test/test.sh
index b964eebd8..0fc42669d 100755
--- a/alpine/test/test.sh
+++ b/alpine/test/test.sh
@@ -11,4 +11,4 @@ docker pull armhf/alpine
 docker run --rm armhf/alpine uname -a
 docker swarm init
 docker run mobylinux/check-config@sha256:4282f589d5a72004c3991c0412e45ba0ab6bb8c0c7d97dc40dabc828700e99ab
-docker run mobylinux/check-kernel-config@sha256:beabc0fd77bb9562a03104eecb34286d5aa695896e0d3e56b36876b24d2a9126
+docker run mobylinux/check-kernel-config@sha256:8c48a0f8456e1e5027eb2540974e6304d8cf58263c7553b61838cb627c4e790c
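Review bot: The three version gates in the "Conditional on kernel version" block of check-kernel-config.sh compare major and minor independently, so `[ "$kernelMajor" -ge 4 -a "$kernelMinor" -ge 5 ]` is false for any release whose minor number is below the threshold even when the major number is higher (a 5.0 kernel, for instance). On such a kernel the hardening checks inside the block are silently skipped and the test still passes. Compare the pair instead, e.g. `if [ "$kernelMajor" -gt 4 ] || { [ "$kernelMajor" -eq 4 ] && [ "$kernelMinor" -ge 5 ]; }; then`, and likewise for the 4.7 and 4.8 gates; this also drops `-a`, which POSIX marks obsolescent. An `else` branch that echoes the names of the skipped options would show in the test log which protections were not asserted on an older kernel.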