# pylint: disable=line-too-long,bad-whitespace,too-many-branches
# pylint: disable=too-many-statements,global-statement
-# Report modes:
-# * verbose mode for
-# - reporting about unknown kernel options in the config
-# - verbose printing of ComplexOptCheck items
-# * json mode for printing the results in JSON format
-report_modes = ['verbose', 'json']
-
-supported_archs = ['X86_64', 'X86_32', 'ARM64', 'ARM']
-
-kernel_version = None
-
class OptCheck:
def __init__(self, reason, decision, name, expected):
class VerCheck:
def __init__(self, ver_expected):
self.ver_expected = ver_expected
+ self.ver = None
self.result = None
def check(self):
- if kernel_version[0] > self.ver_expected[0]:
+ if self.ver[0] > self.ver_expected[0]:
self.result = 'OK: version >= ' + str(self.ver_expected[0]) + '.' + str(self.ver_expected[1])
return True
- if kernel_version[0] < self.ver_expected[0]:
+ if self.ver[0] < self.ver_expected[0]:
self.result = 'FAIL: version < ' + str(self.ver_expected[0]) + '.' + str(self.ver_expected[1])
return False
- if kernel_version[1] >= self.ver_expected[1]:
+ if self.ver[1] >= self.ver_expected[1]:
self.result = 'OK: version >= ' + str(self.ver_expected[0]) + '.' + str(self.ver_expected[1])
return True
self.result = 'FAIL: version < ' + str(self.ver_expected[0]) + '.' + str(self.ver_expected[1])
sys.exit('[!] ERROR: invalid AND check')
-def detect_arch(fname):
+def detect_arch(fname, archs):
with open(fname, 'r') as f:
arch_pattern = re.compile("CONFIG_[a-zA-Z0-9_]*=y")
arch = None
for line in f.readlines():
if arch_pattern.match(line):
option, _ = line[7:].split('=', 1)
- if option in supported_archs:
+ if option in archs:
if not arch:
arch = option
else:
print('[+] Config check is finished: \'OK\' - {} / \'FAIL\' - {}'.format(ok_count, error_count))
-def perform_checks(checklist, parsed_options):
+def perform_checks(checklist, parsed_options, kernel_version):
for opt in checklist:
if hasattr(opt, 'opts'):
# prepare ComplexOptCheck
for o in opt.opts:
if hasattr(o, 'state'):
o.state = parsed_options.get(o.name, None)
+ if hasattr(o, 'ver'):
+ o.ver = kernel_version
else:
# prepare simple check
if not hasattr(opt, 'state'):
def main():
- global kernel_version
-
- mode = None
- config_checklist = []
- parsed_options = OrderedDict()
-
+ # Report modes:
+ # * verbose mode for
+ # - reporting about unknown kernel options in the config
+ # - verbose printing of ComplexOptCheck items
+ # * json mode for printing the results in JSON format
+ report_modes = ['verbose', 'json']
+ supported_archs = ['X86_64', 'X86_32', 'ARM64', 'ARM']
parser = ArgumentParser(prog='kconfig-hardened-check',
description='Checks the hardening options in the Linux kernel config')
parser.add_argument('--version', action='version', version='%(prog)s ' + __version__)
help='choose the report mode')
args = parser.parse_args()
+ mode = None
if args.mode:
mode = args.mode
if mode != 'json':
print("[+] Special report mode: {}".format(mode))
+ config_checklist = []
+
if args.config:
if mode != 'json':
print('[+] Config file to check: {}'.format(args.config))
- arch, msg = detect_arch(args.config)
+ arch, msg = detect_arch(args.config, supported_archs)
if not arch:
sys.exit('[!] ERROR: {}'.format(msg))
if mode != 'json':
print('[+] Detected kernel version: {}.{}'.format(kernel_version[0], kernel_version[1]))
construct_checklist(config_checklist, arch)
+ parsed_options = OrderedDict()
parse_config_file(parsed_options, args.config)
- perform_checks(config_checklist, parsed_options)
+ perform_checks(config_checklist, parsed_options, kernel_version)
if mode == 'verbose':
print_unknown_options(config_checklist, parsed_options)