self.result = 'FAIL: "' + self.state + '"'
if self.result.startswith('OK'):
- return True, self.result
- return False, self.result
+ return True
+ return False
def table_print(self, with_results):
print('CONFIG_{:<38}|{:^13}|{:^10}|{:^20}'.format(self.name, self.expected, self.decision, self.reason), end='')
def check(self):
if kernel_version[0] > self.ver_expected[0]:
self.result = 'OK: version >= ' + str(self.ver_expected[0]) + '.' + str(self.ver_expected[1])
- return True, self.result
+ return True
if kernel_version[0] < self.ver_expected[0]:
self.result = 'FAIL: version < ' + str(self.ver_expected[0]) + '.' + str(self.ver_expected[1])
- return False, self.result
+ return False
if kernel_version[1] >= self.ver_expected[1]:
self.result = 'OK: version >= ' + str(self.ver_expected[0]) + '.' + str(self.ver_expected[1])
- return True, self.result
+ return True
self.result = 'FAIL: version < ' + str(self.ver_expected[0]) + '.' + str(self.ver_expected[1])
- return False, self.result
+ return False
def table_print(self, with_results):
ver_req = 'kernel version >= ' + str(self.ver_expected[0]) + '.' + str(self.ver_expected[1])
def check(self):
if self.state is None:
self.result = 'FAIL: not present'
- return False, self.result
+ return False
self.result = 'OK: is present'
- return True, self.result
+ return True
def table_print(self, with_results):
print('CONFIG_{:<84}'.format(self.name + ' is present'), end='')
def expected(self):
return self.opts[0].expected
- @property
- def state(self):
- return self.opts[0].state
-
@property
def decision(self):
return self.opts[0].decision
sys.exit('[!] ERROR: invalid OR check')
for i, opt in enumerate(self.opts):
- ret, _ = opt.check()
+ ret = opt.check()
if ret:
if i == 0 or not hasattr(opt, 'expected'):
self.result = opt.result
else:
self.result = 'OK: CONFIG_{} "{}"'.format(opt.name, opt.expected)
- return True, self.result
+ return True
self.result = self.opts[0].result
- return False, self.result
+ return False
class AND(ComplexOptCheck):
def check(self):
for i, opt in reversed(list(enumerate(self.opts))):
- ret, _ = opt.check()
+ ret = opt.check()
if i == 0:
self.result = opt.result
- return ret, self.result
+ return ret
if not ret:
if hasattr(opt, 'expected'):
self.result = 'FAIL: CONFIG_{} is needed'.format(opt.name)
else:
self.result = opt.result
- return False, self.result
+ return False
sys.exit('[!] ERROR: invalid AND check')
checklist.append(OptCheck('UNMAP_KERNEL_AT_EL0', 'y', 'defconfig', 'self_protection'))
checklist.append(OptCheck('HARDEN_EL2_VECTORS', 'y', 'defconfig', 'self_protection'))
checklist.append(OptCheck('RODATA_FULL_DEFAULT_ENABLED', 'y', 'defconfig', 'self_protection'))
+ checklist.append(OptCheck('ARM64_PTR_AUTH', 'y', 'defconfig', 'self_protection'))
if arch in ('X86_64', 'ARM64'):
checklist.append(OptCheck('VMAP_STACK', 'y', 'defconfig', 'self_protection'))
if arch in ('X86_64', 'ARM64', 'X86_32'):
checklist.append(OptCheck('FTRACE', 'is not set', 'my', 'cut_attack_surface')) # refers to LOCKDOWN
checklist.append(OptCheck('BPF_JIT', 'is not set', 'my', 'cut_attack_surface'))
checklist.append(OptCheck('VIDEO_VIVID', 'is not set', 'my', 'cut_attack_surface'))
+ checklist.append(OptCheck('INPUT_EVBUG', 'is not set', 'my', 'cut_attack_surface')) # Can be used as a keylogger
checklist.append(OptCheck('INTEGRITY', 'y', 'defconfig', 'userspace_hardening'))
- if arch == 'ARM64':
- checklist.append(OptCheck('ARM64_PTR_AUTH', 'y', 'defconfig', 'userspace_hardening'))
if arch in ('ARM', 'X86_32'):
checklist.append(OptCheck('VMSPLIT_3G', 'y', 'defconfig', 'userspace_hardening'))
if arch in ('X86_64', 'ARM64'):
projects / kconfig-hardened-check.git / blobdiff