l += [KconfigCheck('cut_attack_surface', 'clipos', 'X86_IOPL_IOPERM', 'is not set')] # refers to LOCKDOWN
l += [KconfigCheck('cut_attack_surface', 'clipos', 'ACPI_TABLE_UPGRADE', 'is not set')] # refers to LOCKDOWN
l += [KconfigCheck('cut_attack_surface', 'clipos', 'EFI_CUSTOM_SSDT_OVERLAYS', 'is not set')]
- l += [KconfigCheck('cut_attack_surface', 'clipos', 'COREDUMP', 'is not set')] # cut userspace attack surface
# l += [KconfigCheck('cut_attack_surface', 'clipos', 'IKCONFIG', 'is not set')] # no, IKCONFIG is needed for this check :)
# 'cut_attack_surface', 'lockdown'
l += [KconfigCheck('harden_userspace', 'defconfig', 'ARM64_BTI', 'y')]
if arch in ('ARM', 'X86_32'):
l += [KconfigCheck('harden_userspace', 'defconfig', 'VMSPLIT_3G', 'y')]
+ l += [KconfigCheck('harden_userspace', 'clipos', 'COREDUMP', 'is not set')]
l += [KconfigCheck('harden_userspace', 'my', 'ARCH_MMAP_RND_BITS', 'MAX')] # 'MAX' value is refined using ARCH_MMAP_RND_BITS_MAX
# TODO: draft of security hardening sysctls:
# what about bpf_jit_enable?
# vm.mmap_min_addr has a good value
-# fs.protected_symlinks=1
-# fs.protected_hardlinks=1
-# fs.protected_fifos=2
-# fs.protected_regular=2
-# fs.suid_dumpable=0
# kernel.modules_disabled=1
-# kernel.randomize_va_space=2
# nosmt sysfs control file
-# dev.tty.legacy_tiocsti=0
# vm.mmap_rnd_bits=max (?)
# kernel.sysrq=0
# abi.vsyscall32 (any value except 2)
l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.unprivileged_bpf_disabled', '1')]
l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kptr_restrict', '2')]
l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.yama.ptrace_scope', '3')]
+ l += [SysctlCheck('cut_attack_surface', 'kspp', 'dev.tty.legacy_tiocsti', '0')]
l += [SysctlCheck('cut_attack_surface', 'kspp', 'vm.unprivileged_userfaultfd', '0')]
# At first, it disabled unprivileged userfaultfd,
# and since v5.11 it enables unprivileged userfaultfd for user-mode only.
+
+ l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_symlinks', '1')]
+ l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_hardlinks', '1')]
+ l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_fifos', '2')]
+ l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_regular', '2')]
+ l += [SysctlCheck('harden_userspace', 'kspp', 'fs.suid_dumpable', '0')]
+ l += [SysctlCheck('harden_userspace', 'kspp', 'kernel.randomize_va_space', '2')]