vmap_stack_is_set)]
kfence_is_set = KconfigCheck('self_protection', 'kspp', 'KFENCE', 'y')
l += [kfence_is_set]
- l += [AND(KconfigCheck('self_protection', 'kspp', 'KFENCE_SAMPLE_INTERVAL', 'is not off'),
+ l += [AND(KconfigCheck('self_protection', 'kspp', 'KFENCE_SAMPLE_INTERVAL', '100'),
kfence_is_set)]
randstruct_is_set = OR(KconfigCheck('self_protection', 'kspp', 'RANDSTRUCT_FULL', 'y'),
KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_RANDSTRUCT', 'y'))
l += [randstruct_is_set]
- l += [AND(KconfigCheck('self_protection', 'kspp', 'RANDSTRUCT_PERFORMANCE', 'is not set'),
- KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_RANDSTRUCT_PERFORMANCE', 'is not set'),
- randstruct_is_set)]
+# l += [AND(KconfigCheck('self_protection', 'kspp', 'RANDSTRUCT_PERFORMANCE', 'is not set'),
+# KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_RANDSTRUCT_PERFORMANCE', 'is not set'),
+# randstruct_is_set)] # Comment this out for now: KSPP has revoked this recommendation
hardened_usercopy_is_set = KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY', 'y')
l += [hardened_usercopy_is_set]
l += [AND(KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY_FALLBACK', 'is not set'),
l += [KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'BLK_DEV_WRITE_MOUNTED', 'is not set')]
l += [OR(KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'TRIM_UNUSED_KSYMS', 'y'),
modules_not_set)]
-
+ l += [OR(KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'MAGIC_SYSRQ_SERIAL', 'is not set'),
+ KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'MAGIC_SYSRQ_DEFAULT_ENABLE', '0x0'))]
# 'harden_userspace'
if arch == 'ARM64':
l += [CmdlineCheck('self_protection', 'kspp', 'slab_merge', 'is not set')] # consequence of 'slab_nomerge' by kspp
l += [CmdlineCheck('self_protection', 'kspp', 'slub_merge', 'is not set')] # consequence of 'slab_nomerge' by kspp
l += [CmdlineCheck('self_protection', 'kspp', 'page_alloc.shuffle', '1')]
+ l += [CmdlineCheck('self_protection', 'kspp', 'cfi', 'kcfi')]
l += [OR(CmdlineCheck('self_protection', 'kspp', 'slab_nomerge', 'is present'),
- AND(KconfigCheck('self_protection', 'clipos', 'SLAB_MERGE_DEFAULT', 'is not set'),
+ AND(KconfigCheck('self_protection', 'kspp', 'SLAB_MERGE_DEFAULT', 'is not set'),
CmdlineCheck('self_protection', 'kspp', 'slab_merge', 'is not set'),
CmdlineCheck('self_protection', 'kspp', 'slub_merge', 'is not set')))]
l += [OR(CmdlineCheck('self_protection', 'kspp', 'init_on_alloc', '1'),
# 'self_protection', 'a13xp0p0v'
l += [OR(CmdlineCheck('self_protection', 'a13xp0p0v', 'kfence.sample_interval', 'is not off'),
- AND(KconfigCheck('self_protection', 'a13xp0p0v', 'KFENCE_SAMPLE_INTERVAL', 'is not off'),
+ AND(KconfigCheck('self_protection', 'kspp', 'KFENCE_SAMPLE_INTERVAL', '100'),
CmdlineCheck('self_protection', 'a13xp0p0v', 'kfence.sample_interval', 'is not set')))]
# 'cut_attack_surface', 'defconfig'
# vm.mmap_min_addr has a good value
# nosmt sysfs control file
# vm.mmap_rnd_bits=max (?)
-# kernel.sysrq=0
# abi.vsyscall32 (any value except 2)
-# kernel.oops_limit (think about a proper value)
-# kernel.warn_limit (think about a proper value)
# net.ipv4.tcp_syncookies=1 (?)
def add_sysctl_checks(l: List[ChecklistObjType], _arch: StrOrNone) -> None:
l += [OR(SysctlCheck('self_protection', 'kspp', 'net.core.bpf_jit_harden', '2'),
AND(KconfigCheck('-', '-', 'BPF_JIT', 'is not set'),
have_kconfig))]
+ # Choosing a right value for 'kernel.oops_limit' and 'kernel.warn_limit' is not easy.
+ # A small value (e.g. 1, which is recommended by KSPP) allows easy DoS.
+ # A large value (e.g. 10000, which is default 'kernel.oops_limit') may miss the exploit attempt.
+ # Let's choose 100 as a reasonable compromise.
+ l += [SysctlCheck('self_protection', 'a13xp0p0v', 'kernel.oops_limit', '100')]
+ l += [SysctlCheck('self_protection', 'a13xp0p0v', 'kernel.warn_limit', '100')]
l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.dmesg_restrict', '1')]
l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.perf_event_paranoid', '3')] # with a custom patch, see https://lwn.net/Articles/696216/
# At first, it disabled unprivileged userfaultfd,
# and since v5.11 it enables unprivileged userfaultfd for user-mode only.
- l += [OR(SysctlCheck('cut_attack_surface', 'clipos', 'kernel.modules_disabled', '1'),
+ l += [OR(SysctlCheck('cut_attack_surface', 'kspp', 'kernel.modules_disabled', '1'),
AND(KconfigCheck('cut_attack_surface', 'kspp', 'MODULES', 'is not set'),
have_kconfig))] # radical, but may be useful in some cases
+ l += [OR(SysctlCheck('cut_attack_surface', 'a13xp0p0v', 'kernel.sysrq', '0'),
+ AND(KconfigCheck('cut_attack_surface', 'clipos', 'MAGIC_SYSRQ', 'is not set'),
+ have_kconfig))]
+
l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_symlinks', '1')]
l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_hardlinks', '1')]
l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_fifos', '2')]