clearlinux / kernel-config-checker

Check kernel config files against a set of mandatory-for-security settings
https://pypi.org/project/kcc/
GNU General Public License v3.0

Detect if missing must_be_set keys in kconfig file #1

Open luisfponce opened 6 years ago

luisfponce commented 6 years ago

Display if any of the keys in MUST_BE_SET Dict is not contained in the kernel config file.

fenrus75 commented 6 years ago

the current behavior is different; it means that you can run the check on kernels that do not have the option at all.

your new behavior would ban this basically; I am not 100% convinced yet that this is a good idea

fenrus75 commented 6 years ago

(the commit message describes the what, not the why, so I'm guessing at intent, might be better to just say here explicitly why you want this)

luisfponce commented 6 years ago

My apologies for the lack of information. The use case here is to get all those keys that are in defaults.py but are not in kernel config file. But why? Well, I believe this could be useful for QA for example. By the way the CC_STACKPROTECTOR changed to STACKPROTECTOR commit was found because this was executed and then, turned out that CONFIG_STACKPROTECTOR wasn't in the config file.

fenrus75 commented 6 years ago

thinking more about this we really have 2 separate cases, and we likely should split this one list into two lists:

Case 1) If this variable exists, it must be =y
Case 2) The variable both must exist and must be =y

current code is case 1, your patch turns it into case 2, but I think we can legitimately argue that both cases are valid.... so how about adding case 2 while leaving case 1 in place?

miguelinux commented 6 years ago

Both cases are supported in the new feature:

Current behavior without arguments:

$ kcc config
$

New behavior with --missing argument

$ kcc --missing config

Is not in config file and must be set:
CONFIG_CC_STACKPROTECTOR
CONFIG_STRICT_DEVMEM
CONFIG_IO_STRICT_DEVMEM
CONFIG_SLAB_FREELIST_HARDENED
CONFIG_DEBUG_SET_MODULE_RONX
$

This list shows which configs must be set and are not found.

Maybe we should change the --missing argument.

fenrus75 commented 6 years ago

the point is that we need the different behaviors for different options. some options are type 1, some are type 2. a command line option does not give us that.

On Wed, Oct 10, 2018 at 5:13 AM Miguel Bernal Marin <notifications@github.com> wrote:

Both cases are supported in the new feature:

Current behavior without arguments:

$ kcc config
$

New behavior with --missing argument

$ kcc --missing config

Is not in config file and must be set:
CONFIG_CC_STACKPROTECTOR
CONFIG_STRICT_DEVMEM
CONFIG_IO_STRICT_DEVMEM
CONFIG_SLAB_FREELIST_HARDENED
CONFIG_DEBUG_SET_MODULE_RONX
$

This list shows which configs must be set and are not found.

Maybe we should change the --missing argument.

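The two cases discussed in this thread (an option that must be =y if it exists, and an option that must both exist and be =y), kept as per-option lists rather than a command-line switch. This is an added example, not kernel-config-checker's own code: the list names `SET_IF_PRESENT` and `MUST_EXIST_AND_BE_SET`, the functions, the assignment of options to each list, and the sample config are all assumptions made for illustration.

```python
import re

# Hypothetical split of the single MUST_BE_SET list into the two cases from
# the thread; which option belongs in which list is an assumption made here.
SET_IF_PRESENT = {"CONFIG_CC_STACKPROTECTOR", "CONFIG_DEBUG_SET_MODULE_RONX"}
MUST_EXIST_AND_BE_SET = {"CONFIG_STACKPROTECTOR", "CONFIG_STRICT_DEVMEM",
                         "CONFIG_SLAB_FREELIST_HARDENED"}

_SET = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")


def parse_kconfig(text):
    """Map option -> value; '# CONFIG_X is not set' is recorded as 'n'."""
    options = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET.match(line)
        if m:
            options[m.group(1)] = m.group(2)
            continue
        m = _UNSET.match(line)
        if m:
            options[m.group(1)] = "n"
    return options


def check(text):
    """Return (wrong_value, missing) as sorted lists of option names."""
    options = parse_kconfig(text)
    # Both cases fail when the option is known to this kernel but is not =y.
    wrong = sorted(k for k in SET_IF_PRESENT | MUST_EXIST_AND_BE_SET
                   if k in options and options[k] != "y")
    # Only case 2 fails when the option is absent from the file altogether.
    missing = sorted(k for k in MUST_EXIST_AND_BE_SET if k not in options)
    return wrong, missing


# Constructed sample config, not taken from a real kernel build.
SAMPLE = """\
# Automatically generated file; DO NOT EDIT.
CONFIG_STACKPROTECTOR=y
# CONFIG_STRICT_DEVMEM is not set
CONFIG_DEBUG_SET_MODULE_RONX=y
CONFIG_LOCALVERSION=""
"""

if __name__ == "__main__":
    wrong, missing = check(SAMPLE)
    print("present but not =y:", wrong)
    print("absent but required:", missing)
```

An option listed only under case 1 stays silent when the kernel does not have it at all, while a case 2 option that has been renamed or dropped shows up as missing instead of passing unnoticed.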