efi_not_set = KconfigCheck('-', '-', 'EFI', 'is not set')
cc_is_gcc = KconfigCheck('-', '-', 'CC_IS_GCC', 'y') # exists since v4.18
cc_is_clang = KconfigCheck('-', '-', 'CC_IS_CLANG', 'y') # exists since v4.18
- gcc_plugins_support_is_set = KconfigCheck('-', '-', 'GCC_PLUGINS', 'y')
modules_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'MODULES', 'is not set') # radical, but may be useful in some cases
devmem_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'DEVMEM', 'is not set') # refers to LOCKDOWN
VersionCheck((6, 6, 8)))] # DEBUG_CREDENTIALS was dropped in v6.6.8
l += [OR(KconfigCheck('self_protection', 'kspp', 'DEBUG_NOTIFIERS', 'y'),
AND(cfi_clang_is_set,
- cfi_clang_permissive_not_set))]
+ cfi_clang_permissive_not_set,
+ cc_is_clang))]
l += [OR(KconfigCheck('self_protection', 'kspp', 'SCHED_STACK_END_CHECK', 'y'),
vmap_stack_is_set)]
kfence_is_set = KconfigCheck('self_protection', 'kspp', 'KFENCE', 'y')
l += [AND(KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY_PAGESPAN', 'is not set'),
hardened_usercopy_is_set)] # this debugging for HARDENED_USERCOPY is not needed for security
l += [AND(KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_LATENT_ENTROPY', 'y'),
- gcc_plugins_support_is_set,
cc_is_gcc)]
l += [OR(KconfigCheck('self_protection', 'kspp', 'MODULE_SIG', 'y'),
modules_not_set)]
if arch in ('X86_64', 'ARM64', 'X86_32'):
stackleak_is_set = KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_STACKLEAK', 'y')
l += [AND(stackleak_is_set,
- gcc_plugins_support_is_set,
cc_is_gcc)]
l += [AND(KconfigCheck('self_protection', 'kspp', 'STACKLEAK_METRICS', 'is not set'),
stackleak_is_set,
- gcc_plugins_support_is_set,
cc_is_gcc)]
l += [AND(KconfigCheck('self_protection', 'kspp', 'STACKLEAK_RUNTIME_DISABLE', 'is not set'),
stackleak_is_set,
- gcc_plugins_support_is_set,
cc_is_gcc)]
l += [KconfigCheck('self_protection', 'kspp', 'RANDOMIZE_KSTACK_OFFSET_DEFAULT', 'y')]
if arch in ('X86_64', 'ARM64'):
- l += [cfi_clang_is_set]
+ l += [AND(cfi_clang_is_set,
+ cc_is_clang)]
l += [AND(cfi_clang_permissive_not_set,
- cfi_clang_is_set)]
+ cfi_clang_is_set,
+ cc_is_clang)]
if arch in ('X86_64', 'X86_32'):
l += [KconfigCheck('self_protection', 'kspp', 'HW_RANDOM_TPM', 'y')]
l += [KconfigCheck('self_protection', 'kspp', 'DEFAULT_MMAP_MIN_ADDR', '65536')]
l += [KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'KGDB', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'CORESIGHT', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'XFS_SUPPORT_V4', 'is not set')]
+ l += [KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'MODULE_FORCE_LOAD', 'is not set')]
+ l += [KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'BLK_DEV_WRITE_MOUNTED', 'is not set')]
l += [OR(KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'TRIM_UNUSED_KSYMS', 'y'),
modules_not_set)]
- l += [KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'MODULE_FORCE_LOAD', 'is not set')]
+
# 'harden_userspace'
if arch == 'ARM64':
l += [KconfigCheck('harden_userspace', 'defconfig', 'VMSPLIT_3G', 'y')]
l += [KconfigCheck('harden_userspace', 'clipos', 'COREDUMP', 'is not set')]
l += [KconfigCheck('harden_userspace', 'a13xp0p0v', 'ARCH_MMAP_RND_BITS', 'MAX')] # 'MAX' value is refined using ARCH_MMAP_RND_BITS_MAX
+ if arch == 'X86_64':
+ l += [KconfigCheck('harden_userspace', 'a13xp0p0v', 'X86_USER_SHADOW_STACK', 'y')]
def add_cmdline_checks(l, arch):
# 'cut_attack_surface', 'a13xp0p0v'
l += [CmdlineCheck('cut_attack_surface', 'a13xp0p0v', 'sysrq_always_enabled', 'is not set')]
+ l += [OR(CmdlineCheck('cut_attack_surface', 'a13xp0p0v', 'bdev_allow_write_mounted', '0'),
+ AND(KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'BLK_DEV_WRITE_MOUNTED', 'is not set'),
+ CmdlineCheck('cut_attack_surface', 'a13xp0p0v', 'bdev_allow_write_mounted', 'is not set')))]
if arch == 'X86_64':
l += [OR(CmdlineCheck('cut_attack_surface', 'a13xp0p0v', 'ia32_emulation', '0'),
KconfigCheck('cut_attack_surface', 'kspp', 'IA32_EMULATION', 'is not set'),
l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.dmesg_restrict', '1')]
l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.perf_event_paranoid', '3')] # with a custom patch, see https://lwn.net/Articles/696216/
l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kexec_load_disabled', '1')]
- l += [SysctlCheck('cut_attack_surface', 'kspp', 'user.max_user_namespaces', '0')]
+ l += [SysctlCheck('cut_attack_surface', 'kspp', 'user.max_user_namespaces', '0')] # may break the upower daemon in Ubuntu
l += [SysctlCheck('cut_attack_surface', 'kspp', 'dev.tty.ldisc_autoload', '0')]
l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.unprivileged_bpf_disabled', '1')]
l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kptr_restrict', '2')]