# what about bpf_jit_enable?
# kernel.unprivileged_bpf_disabled=1
# net.core.bpf_jit_harden=2
# what about bpf_jit_enable?
# kernel.unprivileged_bpf_disabled=1
# net.core.bpf_jit_harden=2
# vm.unprivileged_userfaultfd=0
# (at first, it disabled unprivileged userfaultfd,
# and since v5.11 it enables unprivileged userfaultfd for user-mode only)
# vm.unprivileged_userfaultfd=0
# (at first, it disabled unprivileged userfaultfd,
# and since v5.11 it enables unprivileged userfaultfd for user-mode only)
# dev.tty.ldisc_autoload=0
# fs.protected_symlinks=1
# fs.protected_hardlinks=1
# dev.tty.ldisc_autoload=0
# fs.protected_symlinks=1
# fs.protected_hardlinks=1
+ def json_dump(self, with_results):
+ dump = [self.name, self.type, self.expected, self.decision, self.reason]
+ if with_results:
+ dump.append(self.result)
+ return dump
+
class KconfigCheck(OptCheck):
def __init__(self, *args, **kwargs):
class KconfigCheck(OptCheck):
def __init__(self, *args, **kwargs):
- def json_dump(self, with_results):
- dump = [self.name, self.type, self.expected, self.decision, self.reason]
- if with_results:
- dump.append(self.result)
- return dump
+
+class CmdlineCheck(OptCheck):
+ @property
+ def type(self):
+ return 'cmdline'
sys.exit('[!] ERROR: empty {} check'.format(self.__class__.__name__))
if len(self.opts) == 1:
sys.exit('[!] ERROR: useless {} check'.format(self.__class__.__name__))
sys.exit('[!] ERROR: empty {} check'.format(self.__class__.__name__))
if len(self.opts) == 1:
sys.exit('[!] ERROR: useless {} check'.format(self.__class__.__name__))
VersionCheck((5, 10)))] # HARDEN_BRANCH_PREDICTOR is enabled by default since v5.10
l += [KconfigCheck('self_protection', 'defconfig', 'MITIGATE_SPECTRE_BRANCH_HISTORY', 'y')]
l += [KconfigCheck('self_protection', 'defconfig', 'ARM64_MTE', 'y')]
VersionCheck((5, 10)))] # HARDEN_BRANCH_PREDICTOR is enabled by default since v5.10
l += [KconfigCheck('self_protection', 'defconfig', 'MITIGATE_SPECTRE_BRANCH_HISTORY', 'y')]
l += [KconfigCheck('self_protection', 'defconfig', 'ARM64_MTE', 'y')]
if arch == 'ARM':
l += [KconfigCheck('self_protection', 'defconfig', 'CPU_SW_DOMAIN_PAN', 'y')]
l += [KconfigCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_PREDICTOR', 'y')]
if arch == 'ARM':
l += [KconfigCheck('self_protection', 'defconfig', 'CPU_SW_DOMAIN_PAN', 'y')]
l += [KconfigCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_PREDICTOR', 'y')]
l += [KconfigCheck('cut_attack_surface', 'maintainer', 'FB', 'is not set')] # recommended by Daniel Vetter in /issues/38
l += [KconfigCheck('cut_attack_surface', 'maintainer', 'VT', 'is not set')] # recommended by Daniel Vetter in /issues/38
l += [KconfigCheck('cut_attack_surface', 'maintainer', 'BLK_DEV_FD', 'is not set')] # recommended by Denis Efremov in /pull/54
l += [KconfigCheck('cut_attack_surface', 'maintainer', 'FB', 'is not set')] # recommended by Daniel Vetter in /issues/38
l += [KconfigCheck('cut_attack_surface', 'maintainer', 'VT', 'is not set')] # recommended by Daniel Vetter in /issues/38
l += [KconfigCheck('cut_attack_surface', 'maintainer', 'BLK_DEV_FD', 'is not set')] # recommended by Denis Efremov in /pull/54
# 'cut_attack_surface', 'grapheneos'
l += [KconfigCheck('cut_attack_surface', 'grapheneos', 'AIO', 'is not set')]
# 'cut_attack_surface', 'grapheneos'
l += [KconfigCheck('cut_attack_surface', 'grapheneos', 'AIO', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'my', 'FTRACE', 'is not set')] # refers to LOCKDOWN
l += [KconfigCheck('cut_attack_surface', 'my', 'VIDEO_VIVID', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'my', 'INPUT_EVBUG', 'is not set')] # Can be used as a keylogger
l += [KconfigCheck('cut_attack_surface', 'my', 'FTRACE', 'is not set')] # refers to LOCKDOWN
l += [KconfigCheck('cut_attack_surface', 'my', 'VIDEO_VIVID', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'my', 'INPUT_EVBUG', 'is not set')] # Can be used as a keylogger
# l += [KconfigCheck('feature_test', 'my', 'LKDTM', 'm')] # only for debugging!
# l += [KconfigCheck('feature_test', 'my', 'LKDTM', 'm')] # only for debugging!
+def add_cmdline_checks(l, arch):
+ # Calling the CmdlineCheck class constructor:
+ # CmdlineCheck(reason, decision, name, expected)
+
+ l += [CmdlineCheck('self_protection', 'kspp', 'randomize_kstack_offset', 'on')]
+ # TODO: add other
+
+
sys.exit('[!] ERROR: wrong mode "{}" for --print'.format(mode))
arch = args.print
add_kconfig_checks(config_checklist, arch)
sys.exit('[!] ERROR: wrong mode "{}" for --print'.format(mode))
arch = args.print
add_kconfig_checks(config_checklist, arch)
if mode != 'json':
print('[+] Printing kernel security hardening preferences for {}...'.format(arch))
print_checklist(mode, config_checklist, False)
if mode != 'json':
print('[+] Printing kernel security hardening preferences for {}...'.format(arch))
print_checklist(mode, config_checklist, False)