# pylint: disable=missing-function-docstring,line-too-long,invalid-name
# pylint: disable=too-many-branches,too-many-statements
-from .engine import KconfigCheck, CmdlineCheck, VersionCheck, OR, AND
+from .engine import KconfigCheck, CmdlineCheck, SysctlCheck, VersionCheck, OR, AND
def add_kconfig_checks(l, arch):
l += [KconfigCheck('cut_attack_surface', 'my', 'KGDB', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'my', 'AIO', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'my', 'CORESIGHT', 'is not set')]
+ l += [KconfigCheck('cut_attack_surface', 'my', 'XFS_SUPPORT_V4', 'is not set')]
l += [OR(KconfigCheck('cut_attack_surface', 'my', 'TRIM_UNUSED_KSYMS', 'y'),
modules_not_set)]
return value
-# def add_sysctl_checks(l, arch):
+def add_sysctl_checks(l, arch):
# TODO: draft of security hardening sysctls:
# kernel.kptr_restrict=2 (or 1?)
-# kernel.dmesg_restrict=1 (also see the kconfig option)
-# kernel.perf_event_paranoid=2 (or 3 with a custom patch, see https://lwn.net/Articles/696216/)
-# kernel.kexec_load_disabled=1
# kernel.yama.ptrace_scope=3
# user.max_user_namespaces=0 (for Debian, also see kernel.unprivileged_userns_clone)
# what about bpf_jit_enable?
# kernel.unprivileged_bpf_disabled=1
-# net.core.bpf_jit_harden=2
# vm.unprivileged_userfaultfd=0
# (at first, it disabled unprivileged userfaultfd,
# and since v5.11 it enables unprivileged userfaultfd for user-mode only)
# kernel.oops_limit (think about a proper value)
# kernel.warn_limit (think about a proper value)
# net.ipv4.tcp_syncookies=1 (?)
+#
+# Calling the SysctlCheck class constructor:
+# SysctlCheck(reason, decision, name, expected)
+
+ l += [SysctlCheck('self_protection', 'kspp', 'net.core.bpf_jit_harden', '2')]
+
+ l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.dmesg_restrict', '1')]
+ l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.perf_event_paranoid', '3')] # with a custom patch, see https://lwn.net/Articles/696216/
+ l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kexec_load_disabled', '1')]