From 66c92081fcaa49420fa43eecf975f82f079075c4 Mon Sep 17 00:00:00 2001
From: Justin Cormack
Date: Mon, 13 Feb 2017 14:27:41 +0000
Subject: [PATCH] Update kernel config check for suggested values This should be done with #1175 Config not updated as may still need changes
Signed-off-by: Justin Cormack
---
 tools/check-kernel-config/check-kernel-config.sh | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/tools/check-kernel-config/check-kernel-config.sh b/tools/check-kernel-config/check-kernel-config.sh
index f82f7075d..ca033fbd2 100755
--- a/tools/check-kernel-config/check-kernel-config.sh
+++ b/tools/check-kernel-config/check-kernel-config.sh
@@ -20,6 +20,7 @@ cat unzipped_config | grep CONFIG_DEBUG_RODATA=y
 cat unzipped_config | grep CONFIG_CC_STACKPROTECTOR=y
 cat unzipped_config | grep CONFIG_CC_STACKPROTECTOR_STRONG=y
 cat unzipped_config | grep CONFIG_STRICT_DEVMEM=y
+cat unzipped_config | grep CONFIG_IO_STRICT_DEVMEM=y
 cat unzipped_config | grep CONFIG_SYN_COOKIES=y
 cat unzipped_config | grep CONFIG_DEBUG_CREDENTIALS=y
 cat unzipped_config | grep CONFIG_DEBUG_NOTIFIERS=y
@@ -30,6 +31,15 @@ cat unzipped_config | grep CONFIG_SECURITY=y
 cat unzipped_config | grep CONFIG_SECURITY_YAMA=y
 cat unzipped_config | grep CONFIG_PANIC_ON_OOPS=y
 cat unzipped_config | grep CONFIG_DEBUG_SET_MODULE_RONX=y
+cat unzipped_config | grep CONFIG_HARDENED_USERCOPY=y
+cat unzipped_config | grep CONFIG_SYN_COOKIES=y
+cat unzipped_config | grep CONFIG_PAGE_POISONING=y
+cat unzipped_config | grep CONFIG_PAGE_POISONING_NO_SANITY=y
+cat unzipped_config | grep CONFIG_PAGE_POISONING_ZERO=y
+cat unzipped_config | grep CONFIG_LEGACY_VSYSCALL_NONE=y
+cat unzipped_config | grep CONFIG_BUG_ON_DATA_CORRUPTION=y
+cat unzipped_config | grep CONFIG_RANDOMIZE_BASE=y
+cat unzipped_config | grep CONFIG_RANDOMIZE_MEMORY=y
 # Conditional on kernel version
 if [ "$kernelMajor" -ge 4 -a "$kernelMinor" -ge 5 ]; then
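Review bot: `CONFIG_IO_STRICT_DEVMEM=y` is checked unconditionally, although the option only exists in newer kernels (4.5 onward, as far as I recall), so the check cannot pass against an older config even though the script already has a version-gated section (`# Conditional on kernel version`, visible at the end of the next hunk). The same applies to several additions in the second hunk: `CONFIG_HARDENED_USERCOPY`, `CONFIG_RANDOMIZE_MEMORY`, `CONFIG_PAGE_POISONING_ZERO` and `CONFIG_BUG_ON_DATA_CORRUPTION` all appear to post-date 4.5. I would move each of these under a version test matching the release that introduced it, with a comment such as `# available from <kernel version>; not checked on older kernels`, so that a hardening option that was left off can be told apart from one that does not exist in that kernel.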
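Review bot: The added `cat unzipped_config | grep CONFIG_SYN_COOKIES=y` repeats a check that already exists a few lines earlier (it is a context line in the first hunk), so it adds no coverage and only prints the same line twice. The last hunk has the same problem: `'CONFIG_KEXEC is not set'` and `'CONFIG_HIBERNATION is not set'` are re-added directly below their existing copies. Dropping the three duplicate lines keeps the list an accurate inventory of what is enforced, which matters when the list is used as the reference for required hardening options.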
@@ -51,3 +61,7 @@ cat unzipped_config | grep 'CONFIG_COMPAT_VDSO is not set'
 cat unzipped_config | grep 'CONFIG_KEXEC is not set'
 cat unzipped_config | grep 'CONFIG_HIBERNATION is not set'
 cat unzipped_config | grep 'CONFIG_LEGACY_PTYS is not set'
+cat unzipped_config | grep 'CONFIG_X86_X32 is not set'
+cat unzipped_config | grep 'CONFIG_MODIFY_LDT_SYSCALL is not set'
+cat unzipped_config | grep 'CONFIG_KEXEC is not set'
+cat unzipped_config | grep 'CONFIG_HIBERNATION is not set'
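Review bot: The new `'CONFIG_X86_X32 is not set'` and `'CONFIG_MODIFY_LDT_SYSCALL is not set'` checks only match when kconfig prints the symbol as a commented-out line. A symbol whose dependencies are not met is omitted from the config entirely, and both of these look x86-specific, so a config where the feature cannot be built at all would be reported as if the hardening were missing. Whether a miss aborts the script or just prints nothing depends on `set -e`, which is not visible in these hunks. Testing for the enabled form is more robust, for example `if grep -q '^CONFIG_X86_X32=y' unzipped_config; then echo 'CONFIG_X86_X32 must be disabled' >&2; exit 1; fi`, and the same form would suit the other "is not set" checks.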