efi_not_set = KconfigCheck('-', '-', 'EFI', 'is not set')
cc_is_gcc = KconfigCheck('-', '-', 'CC_IS_GCC', 'y') # exists since v4.18
cc_is_clang = KconfigCheck('-', '-', 'CC_IS_CLANG', 'y') # exists since v4.18
+ if arch in ('X86_64', 'X86_32'):
+ cpu_sup_amd_not_set = KconfigCheck('-', '-', 'CPU_SUP_AMD', 'is not set')
+ cpu_sup_intel_not_set = KconfigCheck('-', '-', 'CPU_SUP_INTEL', 'is not set')
modules_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'MODULES', 'is not set') # radical, but may be useful in some cases
devmem_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'DEVMEM', 'is not set') # refers to LOCKDOWN
if arch in ('X86_64', 'ARM64', 'ARM'):
l += [vmap_stack_is_set]
if arch in ('X86_64', 'X86_32'):
- cpu_sup_amd_not_set=KconfigCheck('-', '-', 'CPU_SUP_AMD', 'is not set')
- cpu_sup_intel_not_set=KconfigCheck('-', '-', 'CPU_SUP_INTEL', 'is not set')
l += [KconfigCheck('self_protection', 'defconfig', 'SPECULATION_MITIGATIONS', 'y')]
l += [KconfigCheck('self_protection', 'defconfig', 'DEBUG_WX', 'y')]
l += [KconfigCheck('self_protection', 'defconfig', 'WERROR', 'y')]
l += [KconfigCheck('self_protection', 'defconfig', 'X86_MCE', 'y')]
- l += [OR(KconfigCheck('self_protection', 'defconfig', 'X86_MCE_INTEL', 'y'),
- cpu_sup_intel_not_set)]
- l += [OR(KconfigCheck('self_protection', 'defconfig', 'X86_MCE_AMD', 'y'),
- cpu_sup_amd_not_set)]
l += [KconfigCheck('self_protection', 'defconfig', 'RETPOLINE', 'y')]
l += [KconfigCheck('self_protection', 'defconfig', 'SYN_COOKIES', 'y')] # another reason?
microcode_is_set = KconfigCheck('self_protection', 'defconfig', 'MICROCODE', 'y')
VersionCheck((5, 19, 0)))] # X86_SMAP is enabled by default since v5.19
l += [OR(KconfigCheck('self_protection', 'defconfig', 'X86_UMIP', 'y'),
KconfigCheck('self_protection', 'defconfig', 'X86_INTEL_UMIP', 'y'))]
+ l += [OR(KconfigCheck('self_protection', 'defconfig', 'X86_MCE_INTEL', 'y'),
+ cpu_sup_intel_not_set)]
+ l += [OR(KconfigCheck('self_protection', 'defconfig', 'X86_MCE_AMD', 'y'),
+ cpu_sup_amd_not_set)]
if arch in ('ARM64', 'ARM'):
l += [KconfigCheck('self_protection', 'defconfig', 'HW_RANDOM_TPM', 'y')]
l += [KconfigCheck('self_protection', 'defconfig', 'IOMMU_DEFAULT_DMA_STRICT', 'y')]
if arch == 'ARM64':
l += [KconfigCheck('self_protection', 'kspp', 'ARM64_SW_TTBR0_PAN', 'y')]
l += [KconfigCheck('self_protection', 'kspp', 'SHADOW_CALL_STACK', 'y')]
+ l += [KconfigCheck('self_protection', 'kspp', 'UNWIND_PATCH_PAC_INTO_SCS', 'y')]
l += [KconfigCheck('self_protection', 'kspp', 'KASAN_HW_TAGS', 'y')] # see also: kasan=on, kasan.stacktrace=off, kasan.fault=panic
if arch == 'X86_32':
l += [KconfigCheck('self_protection', 'kspp', 'PAGE_TABLE_ISOLATION', 'y')]
l += [OR(KconfigCheck('cut_attack_surface', 'defconfig', 'STRICT_DEVMEM', 'y'),
devmem_not_set)] # refers to LOCKDOWN
if arch in ('X86_64', 'X86_32'):
- l += [OR(KconfigCheck('cut_attack_surface', 'defconfig', 'X86_INTEL_TSX_MODE_OFF', 'y'), # tsx=off
- cpu_sup_intel_not_set)]
+ l += [OR(KconfigCheck('cut_attack_surface', 'defconfig', 'X86_INTEL_TSX_MODE_OFF', 'y'),
+ cpu_sup_intel_not_set)] # tsx=off
# 'cut_attack_surface', 'kspp'
l += [KconfigCheck('cut_attack_surface', 'kspp', 'SECURITY_DMESG_RESTRICT', 'y')]
l += [OR(CmdlineCheck('cut_attack_surface', 'defconfig', 'tsx', 'off'),
AND(KconfigCheck('cut_attack_surface', 'defconfig', 'X86_INTEL_TSX_MODE_OFF', 'y'),
tsx_not_set),
- AND(KconfigCheck('cut_attack_surface', 'defconfig', 'CPU_SUP_INTEL', 'is not set'),
+ AND(KconfigCheck('-', '-', 'CPU_SUP_INTEL', 'is not set'),
tsx_not_set))]
# 'cut_attack_surface', 'kspp'
# Calling the SysctlCheck class constructor:
# SysctlCheck(reason, decision, name, expected)
- l += [SysctlCheck('self_protection', 'kspp', 'net.core.bpf_jit_harden', '2')]
+ # Use an omnipresent kconfig symbol to see if we have a kconfig file for checking
+ have_kconfig = KconfigCheck('-', '-', 'LOCALVERSION', 'is present')
+
+ l += [OR(SysctlCheck('self_protection', 'kspp', 'net.core.bpf_jit_harden', '2'),
+ AND(KconfigCheck('-', '-', 'BPF_JIT', 'is not set'),
+ have_kconfig))]
l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.dmesg_restrict', '1')]
l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.perf_event_paranoid', '3')] # with a custom patch, see https://lwn.net/Articles/696216/
- l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kexec_load_disabled', '1')]
l += [SysctlCheck('cut_attack_surface', 'kspp', 'user.max_user_namespaces', '0')] # may break the upower daemon in Ubuntu
l += [SysctlCheck('cut_attack_surface', 'kspp', 'dev.tty.ldisc_autoload', '0')]
- l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.unprivileged_bpf_disabled', '1')]
l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kptr_restrict', '2')]
l += [SysctlCheck('cut_attack_surface', 'kspp', 'dev.tty.legacy_tiocsti', '0')]
- l += [SysctlCheck('cut_attack_surface', 'kspp', 'vm.unprivileged_userfaultfd', '0')]
+ l += [OR(SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kexec_load_disabled', '1'),
+ AND(KconfigCheck('-', '-', 'KEXEC_CORE', 'is not set'),
+ have_kconfig))]
+ l += [OR(SysctlCheck('cut_attack_surface', 'kspp', 'kernel.unprivileged_bpf_disabled', '1'),
+ AND(KconfigCheck('cut_attack_surface', 'lockdown', 'BPF_SYSCALL', 'is not set'),
+ have_kconfig))]
+ l += [OR(SysctlCheck('cut_attack_surface', 'kspp', 'vm.unprivileged_userfaultfd', '0'),
+ AND(KconfigCheck('cut_attack_surface', 'grsec', 'USERFAULTFD', 'is not set'),
+ have_kconfig))]
# At first, it disabled unprivileged userfaultfd,
# and since v5.11 it enables unprivileged userfaultfd for user-mode only.
- l += [SysctlCheck('cut_attack_surface', 'clipos', 'kernel.modules_disabled', '1')] # radical, but may be useful in some cases
+ l += [OR(SysctlCheck('cut_attack_surface', 'clipos', 'kernel.modules_disabled', '1'),
+ AND(KconfigCheck('cut_attack_surface', 'kspp', 'MODULES', 'is not set'),
+ have_kconfig))] # radical, but may be useful in some cases
l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_symlinks', '1')]
l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_hardlinks', '1')]