#!/usr/bin/python3
-# N.B. Hardening sysctls:
-# kernel.kptr_restrict=2 (or 1?)
-# kernel.dmesg_restrict=1 (also see the kconfig option)
-# kernel.perf_event_paranoid=2 (or 3 with a custom patch, see https://lwn.net/Articles/696216/)
-# kernel.kexec_load_disabled=1
-# kernel.yama.ptrace_scope=3
-# user.max_user_namespaces=0
-# what about bpf_jit_enable?
-# kernel.unprivileged_bpf_disabled=1
-# net.core.bpf_jit_harden=2
-# vm.unprivileged_userfaultfd=0
-# (at first, it disabled unprivileged userfaultfd,
-# and since v5.11 it enables unprivileged userfaultfd for user-mode only)
-# vm.mmap_min_addr has a good value
-# dev.tty.ldisc_autoload=0
-# fs.protected_symlinks=1
-# fs.protected_hardlinks=1
-# fs.protected_fifos=2
-# fs.protected_regular=2
-# fs.suid_dumpable=0
-# kernel.modules_disabled=1
-# kernel.randomize_va_space = 2
-# nosmt sysfs control file
-#
-# Think of these boot params:
-# module.sig_enforce=1
-# lockdown=confidentiality
-# mce=0
-# nosmt=force
-# intel_iommu=on
-# amd_iommu=on
-# efi=disable_early_pci_dma
-
-# pylint: disable=missing-module-docstring,missing-class-docstring,missing-function-docstring
-# pylint: disable=line-too-long,invalid-name,too-many-branches,too-many-statements
+"""
+This tool is for checking the security hardening options of the Linux kernel.
+
+Author: Alexander Popov <alex.popov@linux.com>
+
+This module contains knowledge for checks.
+"""
+
+# pylint: disable=missing-function-docstring,line-too-long,invalid-name
+# pylint: disable=too-many-branches,too-many-statements
from .engine import KconfigCheck, CmdlineCheck, VersionCheck, OR, AND
if arch == 'X86_64':
l += [KconfigCheck('self_protection', 'defconfig', 'PAGE_TABLE_ISOLATION', 'y')]
l += [KconfigCheck('self_protection', 'defconfig', 'RANDOMIZE_MEMORY', 'y')]
+ l += [KconfigCheck('self_protection', 'defconfig', 'X86_KERNEL_IBT', 'y')]
l += [AND(KconfigCheck('self_protection', 'defconfig', 'INTEL_IOMMU', 'y'),
iommu_support_is_set)]
l += [AND(KconfigCheck('self_protection', 'defconfig', 'AMD_IOMMU', 'y'),
l += [KconfigCheck('self_protection', 'defconfig', 'CPU_SW_DOMAIN_PAN', 'y')]
l += [KconfigCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_PREDICTOR', 'y')]
l += [KconfigCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_HISTORY', 'y')]
+ l += [KconfigCheck('self_protection', 'defconfig', 'DEBUG_ALIGN_RODATA', 'y')]
# 'self_protection', 'kspp'
l += [KconfigCheck('self_protection', 'kspp', 'BUG_ON_DATA_CORRUPTION', 'y')]
hardened_usercopy_is_set = KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY', 'y')
l += [hardened_usercopy_is_set]
l += [AND(KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY_FALLBACK', 'is not set'),
- hardened_usercopy_is_set)]
+ hardened_usercopy_is_set)] # usercopy whitelist violations should be prohibited
l += [AND(KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY_PAGESPAN', 'is not set'),
- hardened_usercopy_is_set)]
+ hardened_usercopy_is_set)] # this debugging for HARDENED_USERCOPY is not needed for security
l += [AND(KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_LATENT_ENTROPY', 'y'),
gcc_plugins_support_is_set)]
l += [OR(KconfigCheck('self_protection', 'kspp', 'MODULE_SIG', 'y'),
# 'security_policy'
if arch in ('X86_64', 'ARM64', 'X86_32'):
- l += [KconfigCheck('security_policy', 'defconfig', 'SECURITY', 'y')] # and choose your favourite LSM
+ l += [KconfigCheck('security_policy', 'defconfig', 'SECURITY', 'y')]
if arch == 'ARM':
- l += [KconfigCheck('security_policy', 'kspp', 'SECURITY', 'y')] # and choose your favourite LSM
+ l += [KconfigCheck('security_policy', 'kspp', 'SECURITY', 'y')]
l += [KconfigCheck('security_policy', 'kspp', 'SECURITY_YAMA', 'y')]
l += [KconfigCheck('security_policy', 'kspp', 'SECURITY_LANDLOCK', 'y')]
l += [KconfigCheck('security_policy', 'kspp', 'SECURITY_SELINUX_DISABLE', 'is not set')]
l += [KconfigCheck('security_policy', 'kspp', 'SECURITY_LOCKDOWN_LSM_EARLY', 'y')]
l += [KconfigCheck('security_policy', 'kspp', 'LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY', 'y')]
l += [KconfigCheck('security_policy', 'kspp', 'SECURITY_WRITABLE_HOOKS', 'is not set')] # refers to SECURITY_SELINUX_DISABLE
+ l += [OR(KconfigCheck('security_policy', 'my', 'SECURITY_SELINUX', 'y'),
+ KconfigCheck('security_policy', 'my', 'SECURITY_APPARMOR', 'y'),
+ KconfigCheck('security_policy', 'my', 'SECURITY_SMACK', 'y'),
+ KconfigCheck('security_policy', 'my', 'SECURITY_TOMOYO', 'y'))] # one of major LSMs implementing MAC
# 'cut_attack_surface', 'defconfig'
l += [KconfigCheck('cut_attack_surface', 'defconfig', 'SECCOMP', 'y')]
l += [KconfigCheck('cut_attack_surface', 'kspp', 'ACPI_CUSTOM_METHOD', 'is not set')] # refers to LOCKDOWN
l += [KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT_BRK', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'kspp', 'DEVKMEM', 'is not set')] # refers to LOCKDOWN
- l += [KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT_VDSO', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'kspp', 'BINFMT_MISC', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'kspp', 'INET_DIAG', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'kspp', 'KEXEC', 'is not set')] # refers to LOCKDOWN
devmem_not_set)] # refers to LOCKDOWN
l += [AND(KconfigCheck('cut_attack_surface', 'kspp', 'LDISC_AUTOLOAD', 'is not set'),
KconfigCheck('cut_attack_surface', 'kspp', 'LDISC_AUTOLOAD', 'is present'))]
- if arch == 'X86_64':
- l += [KconfigCheck('cut_attack_surface', 'kspp', 'LEGACY_VSYSCALL_NONE', 'y')] # 'vsyscall=none'
+ if arch in ('X86_64', 'X86_32'):
+ l += [KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT_VDSO', 'is not set')]
+ # CONFIG_COMPAT_VDSO disabled ASLR of vDSO only on X86_64 and X86_32;
+ # on ARM64 this option has different meaning
if arch == 'ARM':
l += [OR(KconfigCheck('cut_attack_surface', 'kspp', 'STRICT_DEVMEM', 'y'),
devmem_not_set)] # refers to LOCKDOWN
l += [KconfigCheck('cut_attack_surface', 'clipos', 'STAGING', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'clipos', 'KSM', 'is not set')] # to prevent FLUSH+RELOAD attack
l += [KconfigCheck('cut_attack_surface', 'clipos', 'KALLSYMS', 'is not set')]
- l += [KconfigCheck('cut_attack_surface', 'clipos', 'X86_VSYSCALL_EMULATION', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'clipos', 'MAGIC_SYSRQ', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'clipos', 'KEXEC_FILE', 'is not set')] # refers to LOCKDOWN (permissive)
l += [KconfigCheck('cut_attack_surface', 'clipos', 'USER_NS', 'is not set')] # user.max_user_namespaces=0
l += [KconfigCheck('cut_attack_surface', 'clipos', 'EFI_CUSTOM_SSDT_OVERLAYS', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'clipos', 'COREDUMP', 'is not set')] # cut userspace attack surface
# l += [KconfigCheck('cut_attack_surface', 'clipos', 'IKCONFIG', 'is not set')] # no, IKCONFIG is needed for this check :)
+ if arch == 'X86_64':
+ l += [OR(KconfigCheck('cut_attack_surface', 'clipos', 'X86_VSYSCALL_EMULATION', 'is not set'),
+ KconfigCheck('cut_attack_surface', 'kspp', 'LEGACY_VSYSCALL_NONE', 'y'))]
+ # disabling X86_VSYSCALL_EMULATION turns vsyscall off completely,
+ # and LEGACY_VSYSCALL_NONE can be changed at boot time via the cmdline parameter
# 'cut_attack_surface', 'lockdown'
l += [KconfigCheck('cut_attack_surface', 'lockdown', 'EFI_TEST', 'is not set')] # refers to LOCKDOWN
l += [bpf_syscall_not_set] # refers to LOCKDOWN
# 'cut_attack_surface', 'my'
+ l += [KconfigCheck('cut_attack_surface', 'my', 'LEGACY_TIOCSTI', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'my', 'MMIOTRACE', 'is not set')] # refers to LOCKDOWN (permissive)
l += [KconfigCheck('cut_attack_surface', 'my', 'LIVEPATCH', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'my', 'IP_DCCP', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'my', 'INPUT_EVBUG', 'is not set')] # Can be used as a keylogger
l += [KconfigCheck('cut_attack_surface', 'my', 'KGDB', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'my', 'AIO', 'is not set')]
+ l += [KconfigCheck('cut_attack_surface', 'my', 'CORESIGHT', 'is not set')]
l += [OR(KconfigCheck('cut_attack_surface', 'my', 'TRIM_UNUSED_KSYMS', 'y'),
modules_not_set)]
# 'harden_userspace'
- if arch in ('X86_64', 'ARM64', 'X86_32'):
- l += [KconfigCheck('harden_userspace', 'defconfig', 'INTEGRITY', 'y')]
- if arch == 'ARM':
- l += [KconfigCheck('harden_userspace', 'my', 'INTEGRITY', 'y')]
if arch == 'ARM64':
l += [KconfigCheck('harden_userspace', 'defconfig', 'ARM64_PTR_AUTH', 'y')]
l += [KconfigCheck('harden_userspace', 'defconfig', 'ARM64_BTI', 'y')]
if arch in ('ARM', 'X86_32'):
l += [KconfigCheck('harden_userspace', 'defconfig', 'VMSPLIT_3G', 'y')]
- if arch in ('X86_64', 'ARM64'):
- l += [KconfigCheck('harden_userspace', 'clipos', 'ARCH_MMAP_RND_BITS', '32')]
- if arch in ('X86_32', 'ARM'):
- l += [KconfigCheck('harden_userspace', 'my', 'ARCH_MMAP_RND_BITS', '16')]
+ l += [KconfigCheck('harden_userspace', 'my', 'ARCH_MMAP_RND_BITS', 'MAX')] # 'MAX' value is refined using ARCH_MMAP_RND_BITS_MAX
def add_cmdline_checks(l, arch):
l += [CmdlineCheck('self_protection', 'defconfig', 'arm64.nopauth', 'is not set')]
l += [CmdlineCheck('self_protection', 'defconfig', 'arm64.nomte', 'is not set')]
l += [OR(CmdlineCheck('self_protection', 'defconfig', 'spectre_v2', 'is not off'),
- CmdlineCheck('self_protection', 'defconfig', 'spectre_v2', 'is not set'))]
+ AND(CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt'),
+ CmdlineCheck('self_protection', 'defconfig', 'spectre_v2', 'is not set')))]
l += [OR(CmdlineCheck('self_protection', 'defconfig', 'spectre_v2_user', 'is not off'),
- CmdlineCheck('self_protection', 'defconfig', 'spectre_v2_user', 'is not set'))]
+ AND(CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt'),
+ CmdlineCheck('self_protection', 'defconfig', 'spectre_v2_user', 'is not set')))]
l += [OR(CmdlineCheck('self_protection', 'defconfig', 'spec_store_bypass_disable', 'is not off'),
- CmdlineCheck('self_protection', 'defconfig', 'spec_store_bypass_disable', 'is not set'))]
+ AND(CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt'),
+ CmdlineCheck('self_protection', 'defconfig', 'spec_store_bypass_disable', 'is not set')))]
l += [OR(CmdlineCheck('self_protection', 'defconfig', 'l1tf', 'is not off'),
- CmdlineCheck('self_protection', 'defconfig', 'l1tf', 'is not set'))]
+ AND(CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt'),
+ CmdlineCheck('self_protection', 'defconfig', 'l1tf', 'is not set')))]
l += [OR(CmdlineCheck('self_protection', 'defconfig', 'mds', 'is not off'),
- CmdlineCheck('self_protection', 'defconfig', 'mds', 'is not set'))]
+ AND(CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt'),
+ CmdlineCheck('self_protection', 'defconfig', 'mds', 'is not set')))]
l += [OR(CmdlineCheck('self_protection', 'defconfig', 'tsx_async_abort', 'is not off'),
- CmdlineCheck('self_protection', 'defconfig', 'tsx_async_abort', 'is not set'))]
+ AND(CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt'),
+ CmdlineCheck('self_protection', 'defconfig', 'tsx_async_abort', 'is not set')))]
l += [OR(CmdlineCheck('self_protection', 'defconfig', 'srbds', 'is not off'),
- CmdlineCheck('self_protection', 'defconfig', 'srbds', 'is not set'))]
+ AND(CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt'),
+ CmdlineCheck('self_protection', 'defconfig', 'srbds', 'is not set')))]
l += [OR(CmdlineCheck('self_protection', 'defconfig', 'mmio_stale_data', 'is not off'),
- CmdlineCheck('self_protection', 'defconfig', 'mmio_stale_data', 'is not set'))]
+ AND(CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt'),
+ CmdlineCheck('self_protection', 'defconfig', 'mmio_stale_data', 'is not set')))]
l += [OR(CmdlineCheck('self_protection', 'defconfig', 'retbleed', 'is not off'),
- CmdlineCheck('self_protection', 'defconfig', 'retbleed', 'is not set'))]
+ AND(CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt'),
+ CmdlineCheck('self_protection', 'defconfig', 'retbleed', 'is not set')))]
l += [OR(CmdlineCheck('self_protection', 'defconfig', 'kpti', 'is not off'),
- CmdlineCheck('self_protection', 'defconfig', 'kpti', 'is not set'))]
- l += [OR(CmdlineCheck('self_protection', 'defconfig', 'kvm.nx_huge_pages', 'is not off'),
- CmdlineCheck('self_protection', 'defconfig', 'kvm.nx_huge_pages', 'is not set'))]
+ AND(CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt'),
+ CmdlineCheck('self_protection', 'defconfig', 'kpti', 'is not set')))]
if arch == 'ARM64':
l += [OR(CmdlineCheck('self_protection', 'defconfig', 'ssbd', 'kernel'),
CmdlineCheck('self_protection', 'my', 'ssbd', 'force-on'),
- CmdlineCheck('self_protection', 'defconfig', 'ssbd', 'is not set'))]
+ AND(CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt'),
+ CmdlineCheck('self_protection', 'defconfig', 'ssbd', 'is not set')))]
l += [OR(CmdlineCheck('self_protection', 'defconfig', 'rodata', 'full'),
AND(KconfigCheck('self_protection', 'defconfig', 'RODATA_FULL_DEFAULT_ENABLED', 'y'),
CmdlineCheck('self_protection', 'defconfig', 'rodata', 'is not set')))]
else:
- l += [OR(CmdlineCheck('self_protection', 'defconfig', 'rodata', '1'),
+ l += [OR(CmdlineCheck('self_protection', 'defconfig', 'rodata', 'on'),
CmdlineCheck('self_protection', 'defconfig', 'rodata', 'is not set'))]
# 'self_protection', 'kspp'
l += [CmdlineCheck('self_protection', 'kspp', 'nosmt', 'is present')]
l += [CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt')] # 'nosmt' by kspp + 'auto' by defconfig
+ l += [CmdlineCheck('self_protection', 'kspp', 'slab_merge', 'is not set')] # consequence of 'slab_nomerge' by kspp
+ l += [CmdlineCheck('self_protection', 'kspp', 'slub_merge', 'is not set')] # consequence of 'slab_nomerge' by kspp
+ l += [OR(CmdlineCheck('self_protection', 'kspp', 'slab_nomerge', 'is present'),
+ AND(KconfigCheck('self_protection', 'clipos', 'SLAB_MERGE_DEFAULT', 'is not set'),
+ CmdlineCheck('self_protection', 'kspp', 'slab_merge', 'is not set'),
+ CmdlineCheck('self_protection', 'kspp', 'slub_merge', 'is not set')))]
l += [OR(CmdlineCheck('self_protection', 'kspp', 'init_on_alloc', '1'),
AND(KconfigCheck('self_protection', 'kspp', 'INIT_ON_ALLOC_DEFAULT_ON', 'y'),
CmdlineCheck('self_protection', 'kspp', 'init_on_alloc', 'is not set')))]
AND(CmdlineCheck('self_protection', 'kspp', 'page_poison', '1'),
KconfigCheck('self_protection', 'kspp', 'PAGE_POISONING_ZERO', 'y'),
CmdlineCheck('self_protection', 'kspp', 'slub_debug', 'P')))]
- l += [OR(CmdlineCheck('self_protection', 'kspp', 'slab_nomerge', 'is present'),
- AND(KconfigCheck('self_protection', 'clipos', 'SLAB_MERGE_DEFAULT', 'is not set'),
- CmdlineCheck('self_protection', 'kspp', 'slab_merge', 'is not set'),
- CmdlineCheck('self_protection', 'clipos', 'slub_merge', 'is not set')))]
l += [OR(CmdlineCheck('self_protection', 'kspp', 'iommu.strict', '1'),
AND(KconfigCheck('self_protection', 'kspp', 'IOMMU_DEFAULT_DMA_STRICT', 'y'),
CmdlineCheck('self_protection', 'kspp', 'iommu.strict', 'is not set')))]
# 'cut_attack_surface', 'kspp'
if arch == 'X86_64':
l += [OR(CmdlineCheck('cut_attack_surface', 'kspp', 'vsyscall', 'none'),
+ KconfigCheck('cut_attack_surface', 'clipos', 'X86_VSYSCALL_EMULATION', 'is not set'),
AND(KconfigCheck('cut_attack_surface', 'kspp', 'LEGACY_VSYSCALL_NONE', 'y'),
CmdlineCheck('cut_attack_surface', 'kspp', 'vsyscall', 'is not set')))]
+ l += [OR(CmdlineCheck('cut_attack_surface', 'my', 'vdso32', '1'),
+ CmdlineCheck('cut_attack_surface', 'my', 'vdso32', '0'),
+ AND(KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT_VDSO', 'is not set'),
+ CmdlineCheck('cut_attack_surface', 'my', 'vdso32', 'is not set')))] # the vdso32 parameter must not be 2
+ if arch == 'X86_32':
+ l += [OR(CmdlineCheck('cut_attack_surface', 'my', 'vdso32', '1'),
+ CmdlineCheck('cut_attack_surface', 'my', 'vdso', '1'),
+ CmdlineCheck('cut_attack_surface', 'my', 'vdso32', '0'),
+ CmdlineCheck('cut_attack_surface', 'my', 'vdso', '0'),
+ AND(KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT_VDSO', 'is not set'),
+ CmdlineCheck('cut_attack_surface', 'my', 'vdso32', 'is not set'),
+ CmdlineCheck('cut_attack_surface', 'my', 'vdso', 'is not set')))] # the vdso and vdso32 parameters must not be 2
# 'cut_attack_surface', 'grsec'
# The cmdline checks compatible with the kconfig options disabled by grsecurity...
# 'cut_attack_surface', 'my'
l += [CmdlineCheck('cut_attack_surface', 'my', 'sysrq_always_enabled', 'is not set')]
+ # 'harden_userspace'
+ l += [CmdlineCheck('harden_userspace', 'defconfig', 'norandmaps', 'is not set')]
+
+
+no_kstrtobool_options = [
+ 'debugfs', # See debugfs_kernel() in fs/debugfs/inode.c
+ 'mitigations', # See mitigations_parse_cmdline() in kernel/cpu.c
+ 'pti', # See pti_check_boottime_disable() in arch/x86/mm/pti.c
+ 'spectre_v2', # See spectre_v2_parse_cmdline() in arch/x86/kernel/cpu/bugs.c
+ 'spectre_v2_user', # See spectre_v2_parse_user_cmdline() in arch/x86/kernel/cpu/bugs.c
+ 'spec_store_bypass_disable', # See ssb_parse_cmdline() in arch/x86/kernel/cpu/bugs.c
+ 'l1tf', # See l1tf_cmdline() in arch/x86/kernel/cpu/bugs.c
+ 'mds', # See mds_cmdline() in arch/x86/kernel/cpu/bugs.c
+ 'tsx_async_abort', # See tsx_async_abort_parse_cmdline() in arch/x86/kernel/cpu/bugs.c
+ 'srbds', # See srbds_parse_cmdline() in arch/x86/kernel/cpu/bugs.c
+ 'mmio_stale_data', # See mmio_stale_data_parse_cmdline() in arch/x86/kernel/cpu/bugs.c
+ 'retbleed', # See retbleed_parse_cmdline() in arch/x86/kernel/cpu/bugs.c
+ 'rodata', # See set_debug_rodata() in init/main.c
+ 'ssbd', # See parse_spectre_v4_param() in arch/arm64/kernel/proton-pack.c
+ 'slub_debug', # See setup_slub_debug() in mm/slub.c
+ 'iommu', # See iommu_setup() in arch/x86/kernel/pci-dma.c
+ 'vsyscall', # See vsyscall_setup() in arch/x86/entry/vsyscall/vsyscall_64.c
+ 'vdso32', # See vdso32_setup() in arch/x86/entry/vdso/vdso32-setup.c
+ 'vdso', # See vdso32_setup() in arch/x86/entry/vdso/vdso32-setup.c
+ 'tsx' # See tsx_init() in arch/x86/kernel/cpu/tsx.c
+]
+
def normalize_cmdline_options(option, value):
# Don't normalize the cmdline option values if
# the Linux kernel doesn't use kstrtobool() for them
- if option == 'debugfs':
- # See debugfs_kernel() in fs/debugfs/inode.c
- return value
- if option == 'mitigations':
- # See mitigations_parse_cmdline() in kernel/cpu.c
- return value
- if option == 'pti':
- # See pti_check_boottime_disable() in arch/x86/mm/pti.c
- return value
- if option == 'spectre_v2':
- # See spectre_v2_parse_cmdline() in arch/x86/kernel/cpu/bugs.c
- return value
- if option == 'spectre_v2_user':
- # See spectre_v2_parse_user_cmdline() in arch/x86/kernel/cpu/bugs.c
- return value
- if option == 'spec_store_bypass_disable':
- # See ssb_parse_cmdline() in arch/x86/kernel/cpu/bugs.c
- return value
- if option == 'l1tf':
- # See l1tf_cmdline() in arch/x86/kernel/cpu/bugs.c
- return value
- if option == 'mds':
- # See mds_cmdline() in arch/x86/kernel/cpu/bugs.c
- return value
- if option == 'tsx_async_abort':
- # See tsx_async_abort_parse_cmdline() in arch/x86/kernel/cpu/bugs.c
- return value
- if option == 'srbds':
- # See srbds_parse_cmdline() in arch/x86/kernel/cpu/bugs.c
- return value
- if option == 'mmio_stale_data':
- # See mmio_stale_data_parse_cmdline() in arch/x86/kernel/cpu/bugs.c
- return value
- if option == 'retbleed':
- # See retbleed_parse_cmdline() in arch/x86/kernel/cpu/bugs.c
- return value
- if option == 'tsx':
- # See tsx_init() in arch/x86/kernel/cpu/tsx.c
+ if option in no_kstrtobool_options:
return value
# Implement a limited part of the kstrtobool() logic
- if value in ('1', 'on', 'On', 'ON', 'y', 'Y', 'yes', 'Yes', 'YES'):
+ if value.lower() in ('1', 'on', 'y', 'yes', 't', 'true'):
return '1'
- if value in ('0', 'off', 'Off', 'OFF', 'n', 'N', 'no', 'No', 'NO'):
+ if value.lower() in ('0', 'off', 'n', 'no', 'f', 'false'):
return '0'
# Preserve unique values
return value
+
+
+# def add_sysctl_checks(l, arch):
+# TODO: draft of security hardening sysctls:
+# kernel.kptr_restrict=2 (or 1?)
+# kernel.dmesg_restrict=1 (also see the kconfig option)
+# kernel.perf_event_paranoid=2 (or 3 with a custom patch, see https://lwn.net/Articles/696216/)
+# kernel.kexec_load_disabled=1
+# kernel.yama.ptrace_scope=3
+# user.max_user_namespaces=0 (for Debian, also see kernel.unprivileged_userns_clone)
+# what about bpf_jit_enable?
+# kernel.unprivileged_bpf_disabled=1
+# net.core.bpf_jit_harden=2
+# vm.unprivileged_userfaultfd=0
+# (at first, it disabled unprivileged userfaultfd,
+# and since v5.11 it enables unprivileged userfaultfd for user-mode only)
+# vm.mmap_min_addr has a good value
+# dev.tty.ldisc_autoload=0
+# fs.protected_symlinks=1
+# fs.protected_hardlinks=1
+# fs.protected_fifos=2
+# fs.protected_regular=2
+# fs.suid_dumpable=0
+# kernel.modules_disabled=1
+# kernel.randomize_va_space=2
+# nosmt sysfs control file
+# dev.tty.legacy_tiocsti=0
+# vm.mmap_rnd_bits=max (?)
+# kernel.sysrq=0
+# abi.vsyscall32 (any value except 2)
+# kernel.oops_limit (think about a proper value)
+# kernel.warn_limit (think about a proper value)
+# net.ipv4.tcp_syncookies=1 (?)