X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig-hardened-check.py;h=26fbd302ffb35b0817765a52163d09cb9887c02d;hb=c60ca62ca02f2f31cd778ccfe66779d106fb85a5;hp=3efaf403b5650066e184f128f0033ebdd64097ce;hpb=d5ebf3f55ae5c711c2e870bd0425f61024f7afa7;p=kconfig-hardened-check.git diff --git a/kconfig-hardened-check.py b/kconfig-hardened-check.py index 3efaf40..26fbd30 100755 --- a/kconfig-hardened-check.py +++ b/kconfig-hardened-check.py @@ -14,7 +14,6 @@ # slub_debug=FZP # slab_nomerge # kernel.kptr_restrict=1 -# lockdown=1 (is it changed?) # page_alloc.shuffle=1 # iommu=force (does it help against DMA attacks?) # page_poison=1 (if enabled) @@ -140,7 +139,7 @@ class ComplexOptCheck: class OR(ComplexOptCheck): - # self.opts[0] is the option which this OR-check is about. + # self.opts[0] is the option that this OR-check is about. # Use case: # OR(, ) # OR(, ) @@ -162,7 +161,7 @@ class OR(ComplexOptCheck): class AND(ComplexOptCheck): - # self.opts[0] is the option which this AND-check is about. + # self.opts[0] is the option that this AND-check is about. # Use case: AND(, ) # Suboption is not checked if checking of the main_option is failed. @@ -225,7 +224,7 @@ def detect_version(fname): def construct_checklist(checklist, arch): modules_not_set = OptCheck('MODULES', 'is not set', 'kspp', 'cut_attack_surface') - devmem_not_set = OptCheck('DEVMEM', 'is not set', 'kspp', 'cut_attack_surface') # refers to LOCK_DOWN_KERNEL + devmem_not_set = OptCheck('DEVMEM', 'is not set', 'kspp', 'cut_attack_surface') # refers to LOCKDOWN checklist.append(OptCheck('BUG', 'y', 'defconfig', 'self_protection')) checklist.append(OR(OptCheck('STRICT_KERNEL_RWX', 'y', 'defconfig', 'self_protection'), \ @@ -296,7 +295,7 @@ def construct_checklist(checklist, arch): checklist.append(OR(OptCheck('MODULE_SIG_SHA512', 'y', 'kspp', 'self_protection'), \ modules_not_set)) checklist.append(OR(OptCheck('MODULE_SIG_FORCE', 'y', 'kspp', 'self_protection'), \ - modules_not_set)) # refers to LOCK_DOWN_KERNEL + modules_not_set)) # refers to LOCKDOWN checklist.append(OR(OptCheck('INIT_STACK_ALL', 'y', 'kspp', 'self_protection'), \ OptCheck('GCC_PLUGIN_STRUCTLEAK_BYREF_ALL', 'y', 'kspp', 'self_protection'))) checklist.append(OptCheck('INIT_ON_ALLOC_DEFAULT_ON', 'y', 'kspp', 'self_protection')) @@ -327,8 +326,8 @@ def construct_checklist(checklist, arch): checklist.append(AND(OptCheck('GCC_PLUGIN_RANDSTRUCT_PERFORMANCE', 'is not set', 'clipos', 'self_protection'), \ randstruct_is_set)) checklist.append(OptCheck('CONFIG_RANDOM_TRUST_BOOTLOADER', 'is not set', 'clipos', 'self_protection')) + checklist.append(OptCheck('RANDOM_TRUST_CPU', 'is not set', 'clipos', 'self_protection')) if arch == 'X86_64' or arch == 'X86_32': - checklist.append(OptCheck('RANDOM_TRUST_CPU', 'is not set', 'clipos', 'self_protection')) checklist.append(AND(OptCheck('INTEL_IOMMU_SVM', 'y', 'clipos', 'self_protection'), \ iommu_support_is_set)) checklist.append(AND(OptCheck('INTEL_IOMMU_DEFAULT_ON', 'y', 'clipos', 'self_protection'), \ @@ -347,13 +346,13 @@ def construct_checklist(checklist, arch): if arch == 'ARM': checklist.append(OptCheck('SECURITY', 'y', 'kspp', 'security_policy')) # and choose your favourite LSM checklist.append(OptCheck('SECURITY_YAMA', 'y', 'kspp', 'security_policy')) + checklist.append(OptCheck('SECURITY_LOCKDOWN_LSM', 'y', 'clipos', 'security_policy')) + checklist.append(OptCheck('SECURITY_LOCKDOWN_LSM_EARLY', 'y', 'clipos', 'security_policy')) + checklist.append(OptCheck('LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY', 'y', 'clipos', 'security_policy')) loadpin_is_set = OptCheck('SECURITY_LOADPIN', 'y', 'my', 'security_policy') # needs userspace support checklist.append(loadpin_is_set) checklist.append(AND(OptCheck('SECURITY_LOADPIN_ENFORCE', 'y', 'my', 'security_policy'), \ loadpin_is_set)) - checklist.append(OptCheck('SECURITY_LOCKDOWN_LSM', 'y', 'my', 'security_policy')) - checklist.append(OptCheck('SECURITY_LOCKDOWN_LSM_EARLY', 'y', 'my', 'security_policy')) - checklist.append(OptCheck('LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY', 'y', 'my', 'security_policy')) checklist.append(OptCheck('SECURITY_SAFESETID', 'y', 'my', 'security_policy')) checklist.append(OptCheck('SECURITY_WRITABLE_HOOKS', 'is not set', 'my', 'security_policy')) @@ -361,41 +360,40 @@ def construct_checklist(checklist, arch): checklist.append(OptCheck('SECCOMP_FILTER', 'y', 'defconfig', 'cut_attack_surface')) if arch == 'X86_64' or arch == 'ARM64' or arch == 'X86_32': checklist.append(OR(OptCheck('STRICT_DEVMEM', 'y', 'defconfig', 'cut_attack_surface'), \ - devmem_not_set)) # refers to LOCK_DOWN_KERNEL + devmem_not_set)) # refers to LOCKDOWN checklist.append(modules_not_set) checklist.append(devmem_not_set) checklist.append(OR(OptCheck('IO_STRICT_DEVMEM', 'y', 'kspp', 'cut_attack_surface'), \ - devmem_not_set)) # refers to LOCK_DOWN_KERNEL + devmem_not_set)) # refers to LOCKDOWN if arch == 'ARM': checklist.append(OR(OptCheck('STRICT_DEVMEM', 'y', 'kspp', 'cut_attack_surface'), \ - devmem_not_set)) # refers to LOCK_DOWN_KERNEL - checklist.append(OptCheck('ACPI_CUSTOM_METHOD', 'is not set', 'kspp', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL + devmem_not_set)) # refers to LOCKDOWN + if arch == 'X86_64': + checklist.append(OptCheck('LEGACY_VSYSCALL_NONE', 'y', 'kspp', 'cut_attack_surface')) # 'vsyscall=none' + checklist.append(OptCheck('ACPI_CUSTOM_METHOD', 'is not set', 'kspp', 'cut_attack_surface')) # refers to LOCKDOWN checklist.append(OptCheck('COMPAT_BRK', 'is not set', 'kspp', 'cut_attack_surface')) - checklist.append(OptCheck('DEVKMEM', 'is not set', 'kspp', 'cut_attack_surface')) + checklist.append(OptCheck('DEVKMEM', 'is not set', 'kspp', 'cut_attack_surface')) # refers to LOCKDOWN checklist.append(OptCheck('COMPAT_VDSO', 'is not set', 'kspp', 'cut_attack_surface')) checklist.append(OptCheck('BINFMT_MISC', 'is not set', 'kspp', 'cut_attack_surface')) checklist.append(OptCheck('INET_DIAG', 'is not set', 'kspp', 'cut_attack_surface')) - checklist.append(OptCheck('KEXEC', 'is not set', 'kspp', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL - checklist.append(OptCheck('PROC_KCORE', 'is not set', 'kspp', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL + checklist.append(OptCheck('KEXEC', 'is not set', 'kspp', 'cut_attack_surface')) # refers to LOCKDOWN + checklist.append(OptCheck('PROC_KCORE', 'is not set', 'kspp', 'cut_attack_surface')) # refers to LOCKDOWN checklist.append(OptCheck('LEGACY_PTYS', 'is not set', 'kspp', 'cut_attack_surface')) - checklist.append(OptCheck('HIBERNATION', 'is not set', 'kspp', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL - if arch == 'X86_64': - checklist.append(OptCheck('LEGACY_VSYSCALL_NONE', 'y', 'kspp', 'cut_attack_surface')) # 'vsyscall=none' - checklist.append(OptCheck('IA32_EMULATION', 'is not set', 'kspp', 'cut_attack_surface')) - checklist.append(OptCheck('X86_X32', 'is not set', 'kspp', 'cut_attack_surface')) - checklist.append(OptCheck('MODIFY_LDT_SYSCALL', 'is not set', 'kspp', 'cut_attack_surface')) - if arch == 'ARM': - checklist.append(OptCheck('OABI_COMPAT', 'is not set', 'kspp', 'cut_attack_surface')) + checklist.append(OptCheck('HIBERNATION', 'is not set', 'kspp', 'cut_attack_surface')) # refers to LOCKDOWN + checklist.append(OptCheck('IA32_EMULATION', 'is not set', 'kspp', 'cut_attack_surface')) + checklist.append(OptCheck('X86_X32', 'is not set', 'kspp', 'cut_attack_surface')) + checklist.append(OptCheck('MODIFY_LDT_SYSCALL', 'is not set', 'kspp', 'cut_attack_surface')) + checklist.append(OptCheck('OABI_COMPAT', 'is not set', 'kspp', 'cut_attack_surface')) checklist.append(OptCheck('X86_PTDUMP', 'is not set', 'grsecurity', 'cut_attack_surface')) checklist.append(OptCheck('ZSMALLOC_STAT', 'is not set', 'grsecurity', 'cut_attack_surface')) checklist.append(OptCheck('PAGE_OWNER', 'is not set', 'grsecurity', 'cut_attack_surface')) checklist.append(OptCheck('DEBUG_KMEMLEAK', 'is not set', 'grsecurity', 'cut_attack_surface')) checklist.append(OptCheck('BINFMT_AOUT', 'is not set', 'grsecurity', 'cut_attack_surface')) - checklist.append(OptCheck('KPROBES', 'is not set', 'grsecurity', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL + checklist.append(OptCheck('KPROBES', 'is not set', 'grsecurity', 'cut_attack_surface')) # refers to LOCKDOWN checklist.append(OptCheck('UPROBES', 'is not set', 'grsecurity', 'cut_attack_surface')) - checklist.append(OptCheck('GENERIC_TRACER', 'is not set', 'grsecurity', 'cut_attack_surface')) + checklist.append(OptCheck('GENERIC_TRACER', 'is not set', 'grsecurity', 'cut_attack_surface')) # refers to LOCKDOWN checklist.append(OptCheck('PROC_VMCORE', 'is not set', 'grsecurity', 'cut_attack_surface')) checklist.append(OptCheck('PROC_PAGE_MONITOR', 'is not set', 'grsecurity', 'cut_attack_surface')) checklist.append(OptCheck('USELIB', 'is not set', 'grsecurity', 'cut_attack_surface')) @@ -403,15 +401,15 @@ def construct_checklist(checklist, arch): checklist.append(OptCheck('USERFAULTFD', 'is not set', 'grsecurity', 'cut_attack_surface')) checklist.append(OptCheck('HWPOISON_INJECT', 'is not set', 'grsecurity', 'cut_attack_surface')) checklist.append(OptCheck('MEM_SOFT_DIRTY', 'is not set', 'grsecurity', 'cut_attack_surface')) - checklist.append(OptCheck('DEVPORT', 'is not set', 'grsecurity', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL - checklist.append(OptCheck('DEBUG_FS', 'is not set', 'grsecurity', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL + checklist.append(OptCheck('DEVPORT', 'is not set', 'grsecurity', 'cut_attack_surface')) # refers to LOCKDOWN + checklist.append(OptCheck('DEBUG_FS', 'is not set', 'grsecurity', 'cut_attack_surface')) # refers to LOCKDOWN checklist.append(OptCheck('NOTIFIER_ERROR_INJECTION','is not set', 'grsecurity', 'cut_attack_surface')) - checklist.append(OptCheck('ACPI_TABLE_UPGRADE', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL - checklist.append(OptCheck('ACPI_APEI_EINJ', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL - checklist.append(OptCheck('PROFILING', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL - checklist.append(OptCheck('BPF_SYSCALL', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL - checklist.append(OptCheck('MMIOTRACE_TEST', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL + checklist.append(OptCheck('ACPI_TABLE_UPGRADE', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCKDOWN + checklist.append(OptCheck('X86_IOPL_IOPERM', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCKDOWN + checklist.append(OptCheck('EFI_TEST', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCKDOWN + checklist.append(OptCheck('BPF_SYSCALL', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCKDOWN + checklist.append(OptCheck('MMIOTRACE_TEST', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCKDOWN checklist.append(OptCheck('STAGING', 'is not set', 'clipos', 'cut_attack_surface')) checklist.append(OptCheck('KSM', 'is not set', 'clipos', 'cut_attack_surface')) # to prevent FLUSH+RELOAD attack @@ -419,21 +417,21 @@ def construct_checklist(checklist, arch): checklist.append(OptCheck('KALLSYMS', 'is not set', 'clipos', 'cut_attack_surface')) checklist.append(OptCheck('X86_VSYSCALL_EMULATION', 'is not set', 'clipos', 'cut_attack_surface')) checklist.append(OptCheck('MAGIC_SYSRQ', 'is not set', 'clipos', 'cut_attack_surface')) - checklist.append(OptCheck('KEXEC_FILE', 'is not set', 'clipos', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL (permissive) + checklist.append(OptCheck('KEXEC_FILE', 'is not set', 'clipos', 'cut_attack_surface')) # refers to LOCKDOWN (permissive) checklist.append(OptCheck('USER_NS', 'is not set', 'clipos', 'cut_attack_surface')) # user.max_user_namespaces=0 + checklist.append(OptCheck('X86_MSR', 'is not set', 'clipos', 'cut_attack_surface')) # refers to LOCKDOWN checklist.append(AND(OptCheck('LDISC_AUTOLOAD', 'is not set', 'clipos', 'cut_attack_surface'), \ VerCheck((5, 1)))) # LDISC_AUTOLOAD can be disabled since v5.1 - checklist.append(OptCheck('MMIOTRACE', 'is not set', 'my', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL (permissive) + checklist.append(OptCheck('MMIOTRACE', 'is not set', 'my', 'cut_attack_surface')) # refers to LOCKDOWN (permissive) checklist.append(OptCheck('LIVEPATCH', 'is not set', 'my', 'cut_attack_surface')) checklist.append(OptCheck('IP_DCCP', 'is not set', 'my', 'cut_attack_surface')) checklist.append(OptCheck('IP_SCTP', 'is not set', 'my', 'cut_attack_surface')) - checklist.append(OptCheck('FTRACE', 'is not set', 'my', 'cut_attack_surface')) + checklist.append(OptCheck('FTRACE', 'is not set', 'my', 'cut_attack_surface')) # refers to LOCKDOWN checklist.append(OptCheck('BPF_JIT', 'is not set', 'my', 'cut_attack_surface')) checklist.append(OptCheck('VIDEO_VIVID', 'is not set', 'my', 'cut_attack_surface')) - if arch == 'X86_32': - checklist.append(OptCheck('MODIFY_LDT_SYSCALL', 'is not set', 'my', 'cut_attack_surface')) + checklist.append(OptCheck('INTEGRITY', 'y', 'defconfig', 'userspace_hardening')) if arch == 'ARM64': checklist.append(OptCheck('ARM64_PTR_AUTH', 'y', 'defconfig', 'userspace_hardening')) if arch == 'X86_64' or arch == 'ARM64':