cc_is_gcc = KconfigCheck('-', '-', 'CC_IS_GCC', 'y') # exists since v4.18
cc_is_clang = KconfigCheck('-', '-', 'CC_IS_CLANG', 'y') # exists since v4.18
- modules_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'MODULES', 'is not set')
+ modules_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'MODULES', 'is not set') # radical, but may be useful in some cases
devmem_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'DEVMEM', 'is not set') # refers to LOCKDOWN
bpf_syscall_not_set = KconfigCheck('cut_attack_surface', 'lockdown', 'BPF_SYSCALL', 'is not set') # refers to LOCKDOWN
# 'self_protection', 'kspp'
l += [CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt')]
- l += [CmdlineCheck('self_protection', 'kspp', 'nosmt', 'is present')] # slow (high performance penalty)
l += [CmdlineCheck('self_protection', 'kspp', 'slab_merge', 'is not set')] # consequence of 'slab_nomerge' by kspp
l += [CmdlineCheck('self_protection', 'kspp', 'slub_merge', 'is not set')] # consequence of 'slab_nomerge' by kspp
l += [CmdlineCheck('self_protection', 'kspp', 'page_alloc.shuffle', '1')]
CmdlineCheck('cut_attack_surface', 'defconfig', 'tsx', 'is not set')))]
# 'cut_attack_surface', 'kspp'
+ l += [CmdlineCheck('cut_attack_surface', 'kspp', 'nosmt', 'is present')] # slow (high performance penalty)
if arch == 'X86_64':
l += [OR(CmdlineCheck('cut_attack_surface', 'kspp', 'vsyscall', 'none'),
KconfigCheck('cut_attack_surface', 'kspp', 'X86_VSYSCALL_EMULATION', 'is not set'),
# TODO: draft of security hardening sysctls:
# what about bpf_jit_enable?
# vm.mmap_min_addr has a good value
-# kernel.modules_disabled=1
# nosmt sysfs control file
-# dev.tty.legacy_tiocsti=0
# vm.mmap_rnd_bits=max (?)
# kernel.sysrq=0
# abi.vsyscall32 (any value except 2)
l += [SysctlCheck('cut_attack_surface', 'kspp', 'dev.tty.ldisc_autoload', '0')]
l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.unprivileged_bpf_disabled', '1')]
l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kptr_restrict', '2')]
- l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.yama.ptrace_scope', '3')]
+ l += [SysctlCheck('cut_attack_surface', 'kspp', 'dev.tty.legacy_tiocsti', '0')]
l += [SysctlCheck('cut_attack_surface', 'kspp', 'vm.unprivileged_userfaultfd', '0')]
# At first, it disabled unprivileged userfaultfd,
# and since v5.11 it enables unprivileged userfaultfd for user-mode only.
+ l += [SysctlCheck('cut_attack_surface', 'clipos', 'kernel.modules_disabled', '1')] # radical, but may be useful in some cases
+
l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_symlinks', '1')]
l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_hardlinks', '1')]
l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_fifos', '2')]
l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_regular', '2')]
l += [SysctlCheck('harden_userspace', 'kspp', 'fs.suid_dumpable', '0')]
l += [SysctlCheck('harden_userspace', 'kspp', 'kernel.randomize_va_space', '2')]
+ l += [SysctlCheck('harden_userspace', 'kspp', 'kernel.yama.ptrace_scope', '3')]