X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;ds=sidebyside;f=kernel_hardening_checker%2Fchecks.py;h=0a10ae770ff446568e775a4710cefaab4d4212d7;hb=7bb85ef2855e714083f8850db7ec09a119c77d91;hp=56d2f7499368d6ce6ca591eb5de97aaece137e9e;hpb=f72a3f5562590e569ab87f2abd2088c11098c2fe;p=kconfig-hardened-check.git

diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py
index 56d2f74..0a10ae7 100644
--- a/kernel_hardening_checker/checks.py
+++ b/kernel_hardening_checker/checks.py
@@ -345,7 +345,6 @@ def add_kconfig_checks(l, arch):
     l += [KconfigCheck('cut_attack_surface', 'clipos', 'X86_IOPL_IOPERM', 'is not set')] # refers to LOCKDOWN
     l += [KconfigCheck('cut_attack_surface', 'clipos', 'ACPI_TABLE_UPGRADE', 'is not set')] # refers to LOCKDOWN
     l += [KconfigCheck('cut_attack_surface', 'clipos', 'EFI_CUSTOM_SSDT_OVERLAYS', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'clipos', 'COREDUMP', 'is not set')] # cut userspace attack surface
 #   l += [KconfigCheck('cut_attack_surface', 'clipos', 'IKCONFIG', 'is not set')] # no, IKCONFIG is needed for this check :)
 
     # 'cut_attack_surface', 'lockdown'
@@ -376,6 +375,7 @@ def add_kconfig_checks(l, arch):
         l += [KconfigCheck('harden_userspace', 'defconfig', 'ARM64_BTI', 'y')]
     if arch in ('ARM', 'X86_32'):
         l += [KconfigCheck('harden_userspace', 'defconfig', 'VMSPLIT_3G', 'y')]
+    l += [KconfigCheck('harden_userspace', 'clipos', 'COREDUMP', 'is not set')]
     l += [KconfigCheck('harden_userspace', 'my', 'ARCH_MMAP_RND_BITS', 'MAX')] # 'MAX' value is refined using ARCH_MMAP_RND_BITS_MAX
 
 
@@ -578,21 +578,10 @@ def normalize_cmdline_options(option, value):
 
 
 # TODO: draft of security hardening sysctls:
-#    kernel.yama.ptrace_scope=3
 #    what about bpf_jit_enable?
-#    vm.unprivileged_userfaultfd=0
-#        (at first, it disabled unprivileged userfaultfd,
-#         and since v5.11 it enables unprivileged userfaultfd for user-mode only)
 #    vm.mmap_min_addr has a good value
-#    fs.protected_symlinks=1
-#    fs.protected_hardlinks=1
-#    fs.protected_fifos=2
-#    fs.protected_regular=2
-#    fs.suid_dumpable=0
 #    kernel.modules_disabled=1
-#    kernel.randomize_va_space=2
 #    nosmt sysfs control file
-#    dev.tty.legacy_tiocsti=0
 #    vm.mmap_rnd_bits=max (?)
 #    kernel.sysrq=0
 #    abi.vsyscall32 (any value except 2)
@@ -615,3 +604,15 @@ def add_sysctl_checks(l, arch):
     l += [SysctlCheck('cut_attack_surface', 'kspp', 'dev.tty.ldisc_autoload', '0')]
     l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.unprivileged_bpf_disabled', '1')]
     l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kptr_restrict', '2')]
+    l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.yama.ptrace_scope', '3')]
+    l += [SysctlCheck('cut_attack_surface', 'kspp', 'dev.tty.legacy_tiocsti', '0')]
+    l += [SysctlCheck('cut_attack_surface', 'kspp', 'vm.unprivileged_userfaultfd', '0')]
+          # At first, it disabled unprivileged userfaultfd,
+          # and since v5.11 it enables unprivileged userfaultfd for user-mode only.
+
+    l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_symlinks', '1')]
+    l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_hardlinks', '1')]
+    l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_fifos', '2')]
+    l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_regular', '2')]
+    l += [SysctlCheck('harden_userspace', 'kspp', 'fs.suid_dumpable', '0')]
+    l += [SysctlCheck('harden_userspace', 'kspp', 'kernel.randomize_va_space', '2')]