# fs.suid_dumpable=0
# kernel.modules_disabled=1
+
+# pylint: disable=missing-module-docstring,missing-class-docstring,missing-function-docstring
+# pylint: disable=line-too-long,invalid-name,too-many-branches,too-many-statements
+
+
import sys
from argparse import ArgumentParser
from collections import OrderedDict
import json
from .__about__ import __version__
-# pylint: disable=line-too-long,bad-whitespace,too-many-branches
-# pylint: disable=too-many-statements,global-statement
-
class OptCheck:
def __init__(self, reason, decision, name, expected):
return True
return False
- def table_print(self, mode, with_results):
+ def table_print(self, _mode, with_results):
print('CONFIG_{:<38}|{:^13}|{:^10}|{:^20}'.format(self.name, self.expected, self.decision, self.reason), end='')
if with_results:
print('| {}'.format(self.result), end='')
class VerCheck:
def __init__(self, ver_expected):
self.ver_expected = ver_expected
- self.ver = None
+ self.ver = ()
self.result = None
def check(self):
self.result = 'FAIL: version < ' + str(self.ver_expected[0]) + '.' + str(self.ver_expected[1])
return False
- def table_print(self, mode, with_results):
+ def table_print(self, _mode, with_results):
ver_req = 'kernel version >= ' + str(self.ver_expected[0]) + '.' + str(self.ver_expected[1])
print('{:<91}'.format(ver_req), end='')
if with_results:
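Review bot: Initialising `self.ver = ()` in `VerCheck.__init__` changes how an unset kernel version fails: a `None` default would raise `TypeError` at the tuple comparison in `check()`, whereas an empty tuple orders below any `(major, minor)` and so quietly produces `FAIL: version < X.Y`, making a version that was never parsed indistinguishable from a genuinely old kernel in the hardening report. Only the FAIL branch of `check()` is inside this hunk, so the comparison itself is inferred; if it is of the form `self.ver >= self.ver_expected`, consider guarding it first with `if not self.ver:` followed by `self.result = 'FAIL: kernel version is unknown'` and `return False`, or raise so the caller reports a parse problem instead of a hardening failure. The `_mode` rename in `table_print` is fine, since the parameter is unused in the bodies shown.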
self.result = 'OK: is present'
return True
- def table_print(self, mode, with_results):
+ def table_print(self, _mode, with_results):
print('CONFIG_{:<84}'.format(self.name + ' is present'), end='')
if with_results:
print('| {}'.format(self.result), end='')
l += [OptCheck('cut_attack_surface', 'grsecurity', 'MEM_SOFT_DIRTY', 'is not set')]
l += [OptCheck('cut_attack_surface', 'grsecurity', 'DEVPORT', 'is not set')] # refers to LOCKDOWN
l += [OptCheck('cut_attack_surface', 'grsecurity', 'DEBUG_FS', 'is not set')] # refers to LOCKDOWN
- l += [OptCheck('cut_attack_surface', 'grsecurity', 'NOTIFIER_ERROR_INJECTION','is not set')]
+ l += [OptCheck('cut_attack_surface', 'grsecurity', 'NOTIFIER_ERROR_INJECTION', 'is not set')]
l += [AND(OptCheck('cut_attack_surface', 'grsecurity', 'X86_PTDUMP', 'is not set'),
OptCheck('cut_attack_surface', 'my', 'PTDUMP_DEBUGFS', 'is not set'))]
l += [OptCheck('cut_attack_surface', 'maintainer', 'FB', 'is not set')]
l += [OptCheck('cut_attack_surface', 'maintainer', 'VT', 'is not set')]
- # 'cut_attack_surface', 'lockdown'
- l += [OptCheck('cut_attack_surface', 'lockdown', 'ACPI_TABLE_UPGRADE', 'is not set')] # refers to LOCKDOWN
- l += [OptCheck('cut_attack_surface', 'lockdown', 'X86_IOPL_IOPERM', 'is not set')] # refers to LOCKDOWN
- l += [OptCheck('cut_attack_surface', 'lockdown', 'EFI_TEST', 'is not set')] # refers to LOCKDOWN
- l += [OptCheck('cut_attack_surface', 'lockdown', 'BPF_SYSCALL', 'is not set')] # refers to LOCKDOWN
- l += [OptCheck('cut_attack_surface', 'lockdown', 'MMIOTRACE_TEST', 'is not set')] # refers to LOCKDOWN
+ # 'cut_attack_surface', 'grapheneos'
+ l += [OptCheck('cut_attack_surface', 'grapheneos', 'AIO', 'is not set')]
# 'cut_attack_surface', 'clipos'
l += [OptCheck('cut_attack_surface', 'clipos', 'STAGING', 'is not set')]
l += [OptCheck('cut_attack_surface', 'clipos', 'USER_NS', 'is not set')] # user.max_user_namespaces=0
l += [OptCheck('cut_attack_surface', 'clipos', 'X86_MSR', 'is not set')] # refers to LOCKDOWN
l += [OptCheck('cut_attack_surface', 'clipos', 'X86_CPUID', 'is not set')]
+ l += [OptCheck('cut_attack_surface', 'clipos', 'IO_URING', 'is not set')]
+ l += [OptCheck('cut_attack_surface', 'clipos', 'X86_IOPL_IOPERM', 'is not set')] # refers to LOCKDOWN
l += [AND(OptCheck('cut_attack_surface', 'clipos', 'LDISC_AUTOLOAD', 'is not set'),
PresenceCheck('LDISC_AUTOLOAD'))]
if arch in ('X86_64', 'X86_32'):
l += [OptCheck('cut_attack_surface', 'clipos', 'X86_INTEL_TSX_MODE_OFF', 'y')] # tsx=off
- # 'cut_attack_surface', 'grapheneos'
- l += [OptCheck('cut_attack_surface', 'grapheneos', 'AIO', 'is not set')]
+ # 'cut_attack_surface', 'lockdown'
+ l += [OptCheck('cut_attack_surface', 'lockdown', 'ACPI_TABLE_UPGRADE', 'is not set')] # refers to LOCKDOWN
+ l += [OptCheck('cut_attack_surface', 'lockdown', 'EFI_TEST', 'is not set')] # refers to LOCKDOWN
+ l += [OptCheck('cut_attack_surface', 'lockdown', 'BPF_SYSCALL', 'is not set')] # refers to LOCKDOWN
+ l += [OptCheck('cut_attack_surface', 'lockdown', 'MMIOTRACE_TEST', 'is not set')] # refers to LOCKDOWN
# 'cut_attack_surface', 'my'
l += [OptCheck('cut_attack_surface', 'my', 'MMIOTRACE', 'is not set')] # refers to LOCKDOWN (permissive)