4 This tool is for checking the security hardening options of the Linux kernel.
6 Author: Alexander Popov <alex.popov@linux.com>
8 This module is the engine of checks.
11 # pylint: disable=missing-class-docstring,missing-function-docstring
12 # pylint: disable=line-too-long,invalid-name,too-many-branches
14 GREEN_COLOR = '\x1b[32m'
15 RED_COLOR = '\x1b[31m'
18 def colorize_result(input):
20 if input.startswith('OK'):
22 elif input.startswith('FAIL:'):
25 assert(False), f'unexpected result "{input}"'
26 colored_result = f'{color}{input}{COLOR_END}'
28 print(f'| {colored_result}', end='')
32 def __init__(self, reason, decision, name, expected):
33 assert(name and name == name.strip() and len(name.split()) == 1), \
34 f'invalid name "{name}" for {self.__class__.__name__}'
37 assert(decision and decision == decision.strip() and len(decision.split()) == 1), \
38 f'invalid decision "{decision}" for "{name}" check'
39 self.decision = decision
41 assert(reason and reason == reason.strip() and len(reason.split()) == 1), \
42 f'invalid reason "{reason}" for "{name}" check'
45 assert(expected and expected == expected.strip()), \
46 f'invalid expected value "{expected}" for "{name}" check (1)'
47 val_len = len(expected.split())
49 assert(expected in ('is not set', 'is not off')), \
50 f'invalid expected value "{expected}" for "{name}" check (2)'
52 assert(expected == 'is present'), \
53 f'invalid expected value "{expected}" for "{name}" check (3)'
55 assert(val_len == 1), \
56 f'invalid expected value "{expected}" for "{name}" check (4)'
57 self.expected = expected
63 # handle the 'is present' check
64 if self.expected == 'is present':
65 if self.state is None:
66 self.result = 'FAIL: is not present'
68 self.result = 'OK: is present'
71 # handle the 'is not off' option check
72 if self.expected == 'is not off':
73 if self.state == 'off':
74 self.result = 'FAIL: is off'
75 elif self.state == '0':
76 self.result = 'FAIL: is off, "0"'
77 elif self.state is None:
78 self.result = 'FAIL: is off, not found'
80 self.result = f'OK: is not off, "{self.state}"'
83 # handle the option value check
84 if self.expected == self.state:
86 elif self.state is None:
87 if self.expected == 'is not set':
88 self.result = 'OK: is not found'
90 self.result = 'FAIL: is not found'
92 self.result = f'FAIL: "{self.state}"'
94 def table_print(self, _mode, with_results):
95 print(f'{self.name:<40}|{self.type:^7}|{self.expected:^12}|{self.decision:^10}|{self.reason:^18}', end='')
97 colorize_result(self.result)
99 def json_dump(self, with_results):
100 dump = [self.name, self.type, self.expected, self.decision, self.reason]
102 dump.append(self.result)
106 class KconfigCheck(OptCheck):
107 def __init__(self, *args, **kwargs):
108 super().__init__(*args, **kwargs)
109 self.name = 'CONFIG_' + self.name
116 class CmdlineCheck(OptCheck):
122 class SysctlCheck(OptCheck):
129 def __init__(self, ver_expected):
130 assert(ver_expected and isinstance(ver_expected, tuple) and len(ver_expected) == 2), \
131 f'invalid version "{ver_expected}" for VersionCheck'
132 self.ver_expected = ver_expected
141 if self.ver[0] > self.ver_expected[0]:
142 self.result = f'OK: version >= {self.ver_expected[0]}.{self.ver_expected[1]}'
144 if self.ver[0] < self.ver_expected[0]:
145 self.result = f'FAIL: version < {self.ver_expected[0]}.{self.ver_expected[1]}'
147 if self.ver[1] >= self.ver_expected[1]:
148 self.result = f'OK: version >= {self.ver_expected[0]}.{self.ver_expected[1]}'
150 self.result = f'FAIL: version < {self.ver_expected[0]}.{self.ver_expected[1]}'
152 def table_print(self, _mode, with_results):
153 ver_req = f'kernel version >= {self.ver_expected[0]}.{self.ver_expected[1]}'
154 print(f'{ver_req:<91}', end='')
156 colorize_result(self.result)
159 class ComplexOptCheck:
160 def __init__(self, *opts):
163 f'empty {self.__class__.__name__} check'
164 assert(len(self.opts) != 1), \
165 f'useless {self.__class__.__name__} check: {opts}'
166 assert(isinstance(opts[0], (KconfigCheck, CmdlineCheck, SysctlCheck))), \
167 f'invalid {self.__class__.__name__} check: {opts}'
176 return self.opts[0].name
180 return self.opts[0].expected
182 def table_print(self, mode, with_results):
183 if mode == 'verbose':
184 print(f' {"<<< " + self.__class__.__name__ + " >>>":87}', end='')
186 colorize_result(self.result)
190 o.table_print(mode, with_results)
193 o.table_print(mode, False)
195 colorize_result(self.result)
200 def json_dump(self, with_results):
201 dump = self.opts[0].json_dump(False)
203 dump.append(self.result)
207 class OR(ComplexOptCheck):
208 # self.opts[0] is the option that this OR-check is about.
210 # OR(<X_is_hardened>, <X_is_disabled>)
211 # OR(<X_is_hardened>, <old_X_is_hardened>)
213 for i, opt in enumerate(self.opts):
215 if opt.result.startswith('OK'):
216 self.result = opt.result
217 # Add more info for additional checks:
219 if opt.result == 'OK':
220 self.result = f'OK: {opt.name} is "{opt.expected}"'
221 elif opt.result == 'OK: is not found':
222 self.result = f'OK: {opt.name} is not found'
223 elif opt.result == 'OK: is present':
224 self.result = f'OK: {opt.name} is present'
225 elif opt.result.startswith('OK: is not off'):
226 self.result = f'OK: {opt.name} is not off'
228 # VersionCheck provides enough info
229 assert(opt.result.startswith('OK: version')), \
230 f'unexpected OK description "{opt.result}"'
232 self.result = self.opts[0].result
235 class AND(ComplexOptCheck):
236 # self.opts[0] is the option that this AND-check is about.
238 # AND(<suboption>, <main_option>)
239 # Suboption is not checked if checking of the main_option is failed.
240 # AND(<X_is_disabled>, <old_X_is_disabled>)
242 for i, opt in reversed(list(enumerate(self.opts))):
245 self.result = opt.result
247 if not opt.result.startswith('OK'):
248 # This FAIL is caused by additional checks,
249 # and not by the main option that this AND-check is about.
250 # Describe the reason of the FAIL.
251 if opt.result.startswith('FAIL: \"') or opt.result == 'FAIL: is not found':
252 self.result = f'FAIL: {opt.name} is not "{opt.expected}"'
253 elif opt.result == 'FAIL: is not present':
254 self.result = f'FAIL: {opt.name} is not present'
255 elif opt.result in ('FAIL: is off', 'FAIL: is off, "0"'):
256 self.result = f'FAIL: {opt.name} is off'
257 elif opt.result == 'FAIL: is off, not found':
258 self.result = f'FAIL: {opt.name} is off, not found'
260 # VersionCheck provides enough info
261 self.result = opt.result
262 assert(opt.result.startswith('FAIL: version')), \
263 f'unexpected FAIL description "{opt.result}"'
267 SIMPLE_OPTION_TYPES = ('kconfig', 'cmdline', 'sysctl', 'version')
270 def populate_simple_opt_with_data(opt, data, data_type):
271 assert(opt.type != 'complex'), \
272 f'unexpected ComplexOptCheck "{opt.name}"'
273 assert(opt.type in SIMPLE_OPTION_TYPES), \
274 f'invalid opt type "{opt.type}"'
275 assert(data_type in SIMPLE_OPTION_TYPES), \
276 f'invalid data type "{data_type}"'
280 if data_type != opt.type:
283 if data_type in ('kconfig', 'cmdline', 'sysctl'):
284 opt.state = data.get(opt.name, None)
286 assert(data_type == 'version'), \
287 f'unexpected data type "{data_type}"'
291 def populate_opt_with_data(opt, data, data_type):
292 assert(opt.type != 'version'), 'a single VersionCheck is useless'
293 if opt.type != 'complex':
294 populate_simple_opt_with_data(opt, data, data_type)
297 if o.type != 'complex':
298 populate_simple_opt_with_data(o, data, data_type)
300 # Recursion for nested ComplexOptCheck objects
301 populate_opt_with_data(o, data, data_type)
304 def populate_with_data(checklist, data, data_type):
305 for opt in checklist:
306 populate_opt_with_data(opt, data, data_type)
309 def override_expected_value(checklist, name, new_val):
310 for opt in checklist:
312 assert(opt.type in ('kconfig', 'cmdline', 'sysctl')), \
313 f'overriding an expected value for "{opt.type}" checks is not supported yet'
314 opt.expected = new_val
317 def perform_checks(checklist):
318 for opt in checklist:
projects / kconfig-hardened-check.git / blob