cc_is_gcc = KconfigCheck('-', '-', 'CC_IS_GCC', 'y') # exists since v4.18
cc_is_clang = KconfigCheck('-', '-', 'CC_IS_CLANG', 'y') # exists since v4.18
- modules_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'MODULES', 'is not set')
+ modules_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'MODULES', 'is not set') # radical, but may be useful in some cases
devmem_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'DEVMEM', 'is not set') # refers to LOCKDOWN
bpf_syscall_not_set = KconfigCheck('cut_attack_surface', 'lockdown', 'BPF_SYSCALL', 'is not set') # refers to LOCKDOWN
l += [KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT_VDSO', 'is not set')]
# CONFIG_COMPAT_VDSO disabled ASLR of vDSO only on X86_64 and X86_32;
# on ARM64 this option has different meaning
+ if arch == 'X86_64':
+ l += [OR(KconfigCheck('cut_attack_surface', 'kspp', 'X86_VSYSCALL_EMULATION', 'is not set'),
+ KconfigCheck('cut_attack_surface', 'kspp', 'LEGACY_VSYSCALL_NONE', 'y'))]
+ # disabling X86_VSYSCALL_EMULATION turns vsyscall off completely,
+ # and LEGACY_VSYSCALL_NONE can be changed at boot time via the cmdline parameter
if arch == 'ARM':
l += [OR(KconfigCheck('cut_attack_surface', 'kspp', 'STRICT_DEVMEM', 'y'),
devmem_not_set)] # refers to LOCKDOWN
l += [KconfigCheck('cut_attack_surface', 'clipos', 'X86_IOPL_IOPERM', 'is not set')] # refers to LOCKDOWN
l += [KconfigCheck('cut_attack_surface', 'clipos', 'ACPI_TABLE_UPGRADE', 'is not set')] # refers to LOCKDOWN
l += [KconfigCheck('cut_attack_surface', 'clipos', 'EFI_CUSTOM_SSDT_OVERLAYS', 'is not set')]
- l += [KconfigCheck('cut_attack_surface', 'clipos', 'COREDUMP', 'is not set')] # cut userspace attack surface
# l += [KconfigCheck('cut_attack_surface', 'clipos', 'IKCONFIG', 'is not set')] # no, IKCONFIG is needed for this check :)
- if arch == 'X86_64':
- l += [OR(KconfigCheck('cut_attack_surface', 'clipos', 'X86_VSYSCALL_EMULATION', 'is not set'),
- KconfigCheck('cut_attack_surface', 'kspp', 'LEGACY_VSYSCALL_NONE', 'y'))]
- # disabling X86_VSYSCALL_EMULATION turns vsyscall off completely,
- # and LEGACY_VSYSCALL_NONE can be changed at boot time via the cmdline parameter
# 'cut_attack_surface', 'lockdown'
l += [KconfigCheck('cut_attack_surface', 'lockdown', 'EFI_TEST', 'is not set')] # refers to LOCKDOWN
l += [KconfigCheck('harden_userspace', 'defconfig', 'ARM64_BTI', 'y')]
if arch in ('ARM', 'X86_32'):
l += [KconfigCheck('harden_userspace', 'defconfig', 'VMSPLIT_3G', 'y')]
+ l += [KconfigCheck('harden_userspace', 'clipos', 'COREDUMP', 'is not set')]
l += [KconfigCheck('harden_userspace', 'my', 'ARCH_MMAP_RND_BITS', 'MAX')] # 'MAX' value is refined using ARCH_MMAP_RND_BITS_MAX
CmdlineCheck('self_protection', 'defconfig', 'rodata', 'is not set'))]
# 'self_protection', 'kspp'
- l += [CmdlineCheck('self_protection', 'kspp', 'nosmt', 'is present')]
- l += [CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt')] # 'nosmt' by kspp + 'auto' by defconfig
+ l += [CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt')]
l += [CmdlineCheck('self_protection', 'kspp', 'slab_merge', 'is not set')] # consequence of 'slab_nomerge' by kspp
l += [CmdlineCheck('self_protection', 'kspp', 'slub_merge', 'is not set')] # consequence of 'slab_nomerge' by kspp
+ l += [CmdlineCheck('self_protection', 'kspp', 'page_alloc.shuffle', '1')]
l += [OR(CmdlineCheck('self_protection', 'kspp', 'slab_nomerge', 'is present'),
AND(KconfigCheck('self_protection', 'clipos', 'SLAB_MERGE_DEFAULT', 'is not set'),
CmdlineCheck('self_protection', 'kspp', 'slab_merge', 'is not set'),
AND(CmdlineCheck('self_protection', 'kspp', 'page_poison', '1'),
KconfigCheck('self_protection', 'kspp', 'PAGE_POISONING_ZERO', 'y'),
CmdlineCheck('self_protection', 'kspp', 'slub_debug', 'P')))]
- # The cmdline checks compatible with the kconfig recommendations of the KSPP project...
l += [OR(CmdlineCheck('self_protection', 'kspp', 'hardened_usercopy', '1'),
AND(KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY', 'y'),
CmdlineCheck('self_protection', 'kspp', 'hardened_usercopy', 'is not set')))]
- l += [OR(CmdlineCheck('self_protection', 'kspp', 'slab_common.usercopy_fallback', '0'),
- AND(KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY_FALLBACK', 'is not set'),
- CmdlineCheck('self_protection', 'kspp', 'slab_common.usercopy_fallback', 'is not set')))]
- # ... the end
+ l += [AND(CmdlineCheck('self_protection', 'kspp', 'slab_common.usercopy_fallback', 'is not set'),
+ KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY_FALLBACK', 'is not set'))]
+ # don't require slab_common.usercopy_fallback=0,
+ # since HARDENED_USERCOPY_FALLBACK was removed in Linux v5.16
if arch in ('X86_64', 'ARM64', 'X86_32'):
l += [OR(CmdlineCheck('self_protection', 'kspp', 'iommu.strict', '1'),
AND(KconfigCheck('self_protection', 'kspp', 'IOMMU_DEFAULT_DMA_STRICT', 'y'),
CmdlineCheck('self_protection', 'defconfig', 'nopti', 'is not set'))]
# 'self_protection', 'clipos'
- l += [CmdlineCheck('self_protection', 'clipos', 'page_alloc.shuffle', '1')]
if arch in ('X86_64', 'X86_32'):
l += [CmdlineCheck('self_protection', 'clipos', 'iommu', 'force')]
CmdlineCheck('cut_attack_surface', 'defconfig', 'tsx', 'is not set')))]
# 'cut_attack_surface', 'kspp'
+ l += [CmdlineCheck('cut_attack_surface', 'kspp', 'nosmt', 'is present')] # slow (high performance penalty)
if arch == 'X86_64':
l += [OR(CmdlineCheck('cut_attack_surface', 'kspp', 'vsyscall', 'none'),
- KconfigCheck('cut_attack_surface', 'clipos', 'X86_VSYSCALL_EMULATION', 'is not set'),
+ KconfigCheck('cut_attack_surface', 'kspp', 'X86_VSYSCALL_EMULATION', 'is not set'),
AND(KconfigCheck('cut_attack_surface', 'kspp', 'LEGACY_VSYSCALL_NONE', 'y'),
CmdlineCheck('cut_attack_surface', 'kspp', 'vsyscall', 'is not set')))]
l += [OR(CmdlineCheck('cut_attack_surface', 'my', 'vdso32', '1'),
# TODO: draft of security hardening sysctls:
-# kernel.kptr_restrict=2 (or 1?)
-# kernel.yama.ptrace_scope=3
# what about bpf_jit_enable?
-# vm.unprivileged_userfaultfd=0
-# (at first, it disabled unprivileged userfaultfd,
-# and since v5.11 it enables unprivileged userfaultfd for user-mode only)
# vm.mmap_min_addr has a good value
-# fs.protected_symlinks=1
-# fs.protected_hardlinks=1
-# fs.protected_fifos=2
-# fs.protected_regular=2
-# fs.suid_dumpable=0
-# kernel.modules_disabled=1
-# kernel.randomize_va_space=2
# nosmt sysfs control file
-# dev.tty.legacy_tiocsti=0
# vm.mmap_rnd_bits=max (?)
# kernel.sysrq=0
# abi.vsyscall32 (any value except 2)
l += [SysctlCheck('cut_attack_surface', 'kspp', 'user.max_user_namespaces', '0')]
l += [SysctlCheck('cut_attack_surface', 'kspp', 'dev.tty.ldisc_autoload', '0')]
l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.unprivileged_bpf_disabled', '1')]
+ l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kptr_restrict', '2')]
+ l += [SysctlCheck('cut_attack_surface', 'kspp', 'dev.tty.legacy_tiocsti', '0')]
+ l += [SysctlCheck('cut_attack_surface', 'kspp', 'vm.unprivileged_userfaultfd', '0')]
+ # At first, it disabled unprivileged userfaultfd,
+ # and since v5.11 it enables unprivileged userfaultfd for user-mode only.
+
+ l += [SysctlCheck('cut_attack_surface', 'clipos', 'kernel.modules_disabled', '1')] # radical, but may be useful in some cases
+
+ l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_symlinks', '1')]
+ l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_hardlinks', '1')]
+ l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_fifos', '2')]
+ l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_regular', '2')]
+ l += [SysctlCheck('harden_userspace', 'kspp', 'fs.suid_dumpable', '0')]
+ l += [SysctlCheck('harden_userspace', 'kspp', 'kernel.randomize_va_space', '2')]
+ l += [SysctlCheck('harden_userspace', 'kspp', 'kernel.yama.ptrace_scope', '3')]