projects / kconfig-hardened-check.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Support separate sysctl checking (without kconfig)
[kconfig-hardened-check.git] / kconfig_hardened_check / checks.py
diff --git a/kconfig_hardened_check/checks.py b/kconfig_hardened_check/checks.py
index d857ad132c5658f04641564208920c0feea2a95e..4957ad5c4e1a2202267b269d8f400b9bebd3a741 100644 (file)
--- a/kconfig_hardened_check/checks.py
+++ b/kconfig_hardened_check/checks.py
@@ -11,10 +11,12 @@ This module contains knowledge for checks.
 # pylint: disable=missing-function-docstring,line-too-long,invalid-name
 # pylint: disable=too-many-branches,too-many-statements
 
-from .engine import KconfigCheck, CmdlineCheck, VersionCheck, OR, AND
+from .engine import KconfigCheck, CmdlineCheck, SysctlCheck, VersionCheck, OR, AND
 
 
 def add_kconfig_checks(l, arch):
+    assert(arch), 'empty arch'
+
     # Calling the KconfigCheck class constructor:
     #     KconfigCheck(reason, decision, name, expected)
     #
@@ -379,6 +381,8 @@ def add_kconfig_checks(l, arch):
 
 
 def add_cmdline_checks(l, arch):
+    assert(arch), 'empty arch'
+
     # Calling the CmdlineCheck class constructor:
     #     CmdlineCheck(reason, decision, name, expected)
     #
@@ -574,22 +578,14 @@ def normalize_cmdline_options(option, value):
     return value
 
 
-# def add_sysctl_checks(l, arch):
 # TODO: draft of security hardening sysctls:
 #    kernel.kptr_restrict=2 (or 1?)
-#    kernel.dmesg_restrict=1 (also see the kconfig option)
-#    kernel.perf_event_paranoid=2 (or 3 with a custom patch, see https://lwn.net/Articles/696216/)
-#    kernel.kexec_load_disabled=1
 #    kernel.yama.ptrace_scope=3
-#    user.max_user_namespaces=0 (for Debian, also see kernel.unprivileged_userns_clone)
 #    what about bpf_jit_enable?
-#    kernel.unprivileged_bpf_disabled=1
-#    net.core.bpf_jit_harden=2
 #    vm.unprivileged_userfaultfd=0
 #        (at first, it disabled unprivileged userfaultfd,
 #         and since v5.11 it enables unprivileged userfaultfd for user-mode only)
 #    vm.mmap_min_addr has a good value
-#    dev.tty.ldisc_autoload=0
 #    fs.protected_symlinks=1
 #    fs.protected_hardlinks=1
 #    fs.protected_fifos=2
@@ -605,3 +601,18 @@ def normalize_cmdline_options(option, value):
 #    kernel.oops_limit (think about a proper value)
 #    kernel.warn_limit (think about a proper value)
 #    net.ipv4.tcp_syncookies=1 (?)
+
+def add_sysctl_checks(l, arch):
+# This function may be called with arch=None
+
+# Calling the SysctlCheck class constructor:
+#   SysctlCheck(reason, decision, name, expected)
+
+    l += [SysctlCheck('self_protection', 'kspp', 'net.core.bpf_jit_harden', '2')]
+
+    l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.dmesg_restrict', '1')]
+    l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.perf_event_paranoid', '3')] # with a custom patch, see https://lwn.net/Articles/696216/
+    l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kexec_load_disabled', '1')]
+    l += [SysctlCheck('cut_attack_surface', 'kspp', 'user.max_user_namespaces', '0')]
+    l += [SysctlCheck('cut_attack_surface', 'kspp', 'dev.tty.ldisc_autoload', '0')]
+    l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.unprivileged_bpf_disabled', '1')]
kconfig-hardened-check