X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;ds=inline;f=kernel_hardening_checker%2Fchecks.py;h=7476fde39f8aa2db3b499ab027ce37ade8e057f2;hb=547f6070a95e8253125c7f7efc3efbbb0731a4e1;hp=e99d6a8b6198e790caee9192866930d84265006d;hpb=ea88558523b962cd25229699981f91b9a8c2087b;p=kconfig-hardened-check.git diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py index e99d6a8..7476fde 100644 --- a/kernel_hardening_checker/checks.py +++ b/kernel_hardening_checker/checks.py @@ -1,4 +1,4 @@ -#!/usr/bin/python3 +#!/usr/bin/env python3 """ This tool is for checking the security hardening options of the Linux kernel. @@ -275,6 +275,11 @@ def add_kconfig_checks(l, arch): l += [KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT_VDSO', 'is not set')] # CONFIG_COMPAT_VDSO disabled ASLR of vDSO only on X86_64 and X86_32; # on ARM64 this option has different meaning + if arch == 'X86_64': + l += [OR(KconfigCheck('cut_attack_surface', 'kspp', 'X86_VSYSCALL_EMULATION', 'is not set'), + KconfigCheck('cut_attack_surface', 'kspp', 'LEGACY_VSYSCALL_NONE', 'y'))] + # disabling X86_VSYSCALL_EMULATION turns vsyscall off completely, + # and LEGACY_VSYSCALL_NONE can be changed at boot time via the cmdline parameter if arch == 'ARM': l += [OR(KconfigCheck('cut_attack_surface', 'kspp', 'STRICT_DEVMEM', 'y'), devmem_not_set)] # refers to LOCKDOWN @@ -342,11 +347,6 @@ def add_kconfig_checks(l, arch): l += [KconfigCheck('cut_attack_surface', 'clipos', 'EFI_CUSTOM_SSDT_OVERLAYS', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'clipos', 'COREDUMP', 'is not set')] # cut userspace attack surface # l += [KconfigCheck('cut_attack_surface', 'clipos', 'IKCONFIG', 'is not set')] # no, IKCONFIG is needed for this check :) - if arch == 'X86_64': - l += [OR(KconfigCheck('cut_attack_surface', 'clipos', 'X86_VSYSCALL_EMULATION', 'is not set'), - KconfigCheck('cut_attack_surface', 'kspp', 'LEGACY_VSYSCALL_NONE', 'y'))] - # disabling X86_VSYSCALL_EMULATION turns vsyscall off completely, - # and LEGACY_VSYSCALL_NONE can be changed at boot time via the cmdline parameter # 'cut_attack_surface', 'lockdown' l += [KconfigCheck('cut_attack_surface', 'lockdown', 'EFI_TEST', 'is not set')] # refers to LOCKDOWN @@ -457,10 +457,11 @@ def add_cmdline_checks(l, arch): CmdlineCheck('self_protection', 'defconfig', 'rodata', 'is not set'))] # 'self_protection', 'kspp' - l += [CmdlineCheck('self_protection', 'kspp', 'nosmt', 'is present')] - l += [CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt')] # 'nosmt' by kspp + 'auto' by defconfig + l += [CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt')] + l += [CmdlineCheck('self_protection', 'kspp', 'nosmt', 'is present')] # slow (high performance penalty) l += [CmdlineCheck('self_protection', 'kspp', 'slab_merge', 'is not set')] # consequence of 'slab_nomerge' by kspp l += [CmdlineCheck('self_protection', 'kspp', 'slub_merge', 'is not set')] # consequence of 'slab_nomerge' by kspp + l += [CmdlineCheck('self_protection', 'kspp', 'page_alloc.shuffle', '1')] l += [OR(CmdlineCheck('self_protection', 'kspp', 'slab_nomerge', 'is present'), AND(KconfigCheck('self_protection', 'clipos', 'SLAB_MERGE_DEFAULT', 'is not set'), CmdlineCheck('self_protection', 'kspp', 'slab_merge', 'is not set'), @@ -474,14 +475,13 @@ def add_cmdline_checks(l, arch): AND(CmdlineCheck('self_protection', 'kspp', 'page_poison', '1'), KconfigCheck('self_protection', 'kspp', 'PAGE_POISONING_ZERO', 'y'), CmdlineCheck('self_protection', 'kspp', 'slub_debug', 'P')))] - # The cmdline checks compatible with the kconfig recommendations of the KSPP project... l += [OR(CmdlineCheck('self_protection', 'kspp', 'hardened_usercopy', '1'), AND(KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY', 'y'), CmdlineCheck('self_protection', 'kspp', 'hardened_usercopy', 'is not set')))] - l += [OR(CmdlineCheck('self_protection', 'kspp', 'slab_common.usercopy_fallback', '0'), - AND(KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY_FALLBACK', 'is not set'), - CmdlineCheck('self_protection', 'kspp', 'slab_common.usercopy_fallback', 'is not set')))] - # ... the end + l += [AND(CmdlineCheck('self_protection', 'kspp', 'slab_common.usercopy_fallback', 'is not set'), + KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY_FALLBACK', 'is not set'))] + # don't require slab_common.usercopy_fallback=0, + # since HARDENED_USERCOPY_FALLBACK was removed in Linux v5.16 if arch in ('X86_64', 'ARM64', 'X86_32'): l += [OR(CmdlineCheck('self_protection', 'kspp', 'iommu.strict', '1'), AND(KconfigCheck('self_protection', 'kspp', 'IOMMU_DEFAULT_DMA_STRICT', 'y'), @@ -497,7 +497,6 @@ def add_cmdline_checks(l, arch): CmdlineCheck('self_protection', 'defconfig', 'nopti', 'is not set'))] # 'self_protection', 'clipos' - l += [CmdlineCheck('self_protection', 'clipos', 'page_alloc.shuffle', '1')] if arch in ('X86_64', 'X86_32'): l += [CmdlineCheck('self_protection', 'clipos', 'iommu', 'force')] @@ -510,7 +509,7 @@ def add_cmdline_checks(l, arch): # 'cut_attack_surface', 'kspp' if arch == 'X86_64': l += [OR(CmdlineCheck('cut_attack_surface', 'kspp', 'vsyscall', 'none'), - KconfigCheck('cut_attack_surface', 'clipos', 'X86_VSYSCALL_EMULATION', 'is not set'), + KconfigCheck('cut_attack_surface', 'kspp', 'X86_VSYSCALL_EMULATION', 'is not set'), AND(KconfigCheck('cut_attack_surface', 'kspp', 'LEGACY_VSYSCALL_NONE', 'y'), CmdlineCheck('cut_attack_surface', 'kspp', 'vsyscall', 'is not set')))] l += [OR(CmdlineCheck('cut_attack_surface', 'my', 'vdso32', '1'),