from .engine import KconfigCheck, CmdlineCheck, SysctlCheck, VersionCheck, OR, AND
-def add_kconfig_checks(l, arch):
+def add_kconfig_checks(l, arch: str):
assert(arch), 'empty arch'
# Calling the KconfigCheck class constructor:
l += [KconfigCheck('harden_userspace', 'a13xp0p0v', 'X86_USER_SHADOW_STACK', 'y')]
-def add_cmdline_checks(l, arch):
+def add_cmdline_checks(l, arch: str):
assert(arch), 'empty arch'
# Calling the CmdlineCheck class constructor:
]
-def normalize_cmdline_options(option, value):
+def normalize_cmdline_options(option: str, value: str) -> str:
# Don't normalize the cmdline option values if
# the Linux kernel doesn't use kstrtobool() for them
if option in no_kstrtobool_options:
# kernel.warn_limit (think about a proper value)
# net.ipv4.tcp_syncookies=1 (?)
-def add_sysctl_checks(l, _arch):
+def add_sysctl_checks(l, _arch: str):
# This function may be called with arch=None
# Calling the SysctlCheck class constructor:
# SysctlCheck(reason, decision, name, expected)
- # use an omnipresent config symbol to see if we have a config file
- have_config_file = KconfigCheck('-', '-', 'DEFAULT_INIT', 'is present')
+ # Use an omnipresent kconfig symbol to see if we have a kconfig file for checking
+ have_kconfig = KconfigCheck('-', '-', 'LOCALVERSION', 'is present')
+
l += [OR(SysctlCheck('self_protection', 'kspp', 'net.core.bpf_jit_harden', '2'),
- AND(KconfigCheck('cut_attack_surface', 'kspp', 'BPF_JIT', 'is not set'),
- have_config_file))]
+ AND(KconfigCheck('-', '-', 'BPF_JIT', 'is not set'),
+ have_kconfig))]
l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.dmesg_restrict', '1')]
l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.perf_event_paranoid', '3')] # with a custom patch, see https://lwn.net/Articles/696216/
- l += [OR(SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kexec_load_disabled', '1'),
- AND(KconfigCheck('cut_attack_surfice', 'kspp', 'KEXEC_CORE', 'is not set'),
- have_config_file))]
l += [SysctlCheck('cut_attack_surface', 'kspp', 'user.max_user_namespaces', '0')] # may break the upower daemon in Ubuntu
l += [SysctlCheck('cut_attack_surface', 'kspp', 'dev.tty.ldisc_autoload', '0')]
- l += [OR(SysctlCheck('cut_attack_surface', 'kspp', 'kernel.unprivileged_bpf_disabled', '1'),
- AND(KconfigCheck('cut_attack_surface', 'lockdown', 'BPF_SYSCALL', 'is not set'),
- have_config_file))]
l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kptr_restrict', '2')]
l += [SysctlCheck('cut_attack_surface', 'kspp', 'dev.tty.legacy_tiocsti', '0')]
- l += [SysctlCheck('cut_attack_surface', 'kspp', 'vm.unprivileged_userfaultfd', '0')]
+ l += [OR(SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kexec_load_disabled', '1'),
+ AND(KconfigCheck('-', '-', 'KEXEC_CORE', 'is not set'),
+ have_kconfig))]
+ l += [OR(SysctlCheck('cut_attack_surface', 'kspp', 'kernel.unprivileged_bpf_disabled', '1'),
+ AND(KconfigCheck('cut_attack_surface', 'lockdown', 'BPF_SYSCALL', 'is not set'),
+ have_kconfig))]
+ l += [OR(SysctlCheck('cut_attack_surface', 'kspp', 'vm.unprivileged_userfaultfd', '0'),
+ AND(KconfigCheck('cut_attack_surface', 'grsec', 'USERFAULTFD', 'is not set'),
+ have_kconfig))]
# At first, it disabled unprivileged userfaultfd,
# and since v5.11 it enables unprivileged userfaultfd for user-mode only.
- l += [SysctlCheck('cut_attack_surface', 'clipos', 'kernel.modules_disabled', '1')] # radical, but may be useful in some cases
+ l += [OR(SysctlCheck('cut_attack_surface', 'clipos', 'kernel.modules_disabled', '1'),
+ AND(KconfigCheck('cut_attack_surface', 'kspp', 'MODULES', 'is not set'),
+ have_kconfig))] # radical, but may be useful in some cases
l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_symlinks', '1')]
l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_hardlinks', '1')]
projects / kconfig-hardened-check.git / blobdiff