Add the 'fs.protected_regular' check

[kconfig-hardened-check.git] / kernel_hardening_checker / checks.py

diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py
index 2d9f8c99ccef311a4c4eed551cbf198ac070c572..84c5c1974632a0dc12fff2a63951c4fd536e84f4 100644 (file)
--- a/kernel_hardening_checker/checks.py
+++ b/kernel_hardening_checker/checks.py
@@ -478,10 +478,10 @@ def add_cmdline_checks(l, arch):
     l += [OR(CmdlineCheck('self_protection', 'kspp', 'hardened_usercopy', '1'),
              AND(KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY', 'y'),
                  CmdlineCheck('self_protection', 'kspp', 'hardened_usercopy', 'is not set')))]
-    l += [OR(CmdlineCheck('self_protection', 'kspp', 'slab_common.usercopy_fallback', '0'),
-             AND(KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY_FALLBACK', 'is not set'),
-                 CmdlineCheck('self_protection', 'kspp', 'slab_common.usercopy_fallback', 'is not set')))]
-    # ... the end
+    l += [AND(CmdlineCheck('self_protection', 'kspp', 'slab_common.usercopy_fallback', 'is not set'),
+              KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY_FALLBACK', 'is not set'))]
+              # don't require slab_common.usercopy_fallback=0,
+              # since HARDENED_USERCOPY_FALLBACK was removed in Linux v5.16
     if arch in ('X86_64', 'ARM64', 'X86_32'):
         l += [OR(CmdlineCheck('self_protection', 'kspp', 'iommu.strict', '1'),
                  AND(KconfigCheck('self_protection', 'kspp', 'IOMMU_DEFAULT_DMA_STRICT', 'y'),
@@ -578,17 +578,8 @@ def normalize_cmdline_options(option, value):
 
 
 # TODO: draft of security hardening sysctls:
-#    kernel.kptr_restrict=2 (or 1?)
-#    kernel.yama.ptrace_scope=3
 #    what about bpf_jit_enable?
-#    vm.unprivileged_userfaultfd=0
-#        (at first, it disabled unprivileged userfaultfd,
-#         and since v5.11 it enables unprivileged userfaultfd for user-mode only)
 #    vm.mmap_min_addr has a good value
-#    fs.protected_symlinks=1
-#    fs.protected_hardlinks=1
-#    fs.protected_fifos=2
-#    fs.protected_regular=2
 #    fs.suid_dumpable=0
 #    kernel.modules_disabled=1
 #    kernel.randomize_va_space=2
@@ -615,3 +606,13 @@ def add_sysctl_checks(l, arch):
     l += [SysctlCheck('cut_attack_surface', 'kspp', 'user.max_user_namespaces', '0')]
     l += [SysctlCheck('cut_attack_surface', 'kspp', 'dev.tty.ldisc_autoload', '0')]
     l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.unprivileged_bpf_disabled', '1')]
+    l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kptr_restrict', '2')]
+    l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.yama.ptrace_scope', '3')]
+    l += [SysctlCheck('cut_attack_surface', 'kspp', 'vm.unprivileged_userfaultfd', '0')]
+          # At first, it disabled unprivileged userfaultfd,
+          # and since v5.11 it enables unprivileged userfaultfd for user-mode only.
+
+    l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_symlinks', '1')]
+    l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_hardlinks', '1')]
+    l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_fifos', '2')]
+    l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_regular', '2')]