X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2F__init__.py;h=047befffd4ea1208a60bae9db92df78464b79215;hb=100a39e2b01dadd2d27ed805cbe2b4ead7fc8b05;hp=5bf50c856fcba2a4c0ea5bc296764232b6cee8a6;hpb=97325e595e3d38b84d6f973d2e216931083d8fcf;p=kconfig-hardened-check.git diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py index 5bf50c8..047beff 100755 --- a/kconfig_hardened_check/__init__.py +++ b/kconfig_hardened_check/__init__.py @@ -59,6 +59,7 @@ from argparse import ArgumentParser from collections import OrderedDict import re import json +from .__about__ import __version__ # debug_mode enables: # - reporting about unknown kernel options in the config, @@ -130,6 +131,26 @@ class VerCheck: print('| {}'.format(self.result), end='') +class PresenceCheck: + def __init__(self, name): + self.name = name + self.state = None + self.result = None + + def check(self): + if self.state is None: + self.result = 'FAIL: not present' + return False, self.result + else: + self.result = 'OK: is present' + return True, self.result + + def table_print(self, with_results): + print('CONFIG_{:<84}'.format(self.name + ' is present'), end='') + if with_results: + print('| {}'.format(self.result), end='') + + class ComplexOptCheck: def __init__(self, *opts): self.opts = opts @@ -165,7 +186,9 @@ class ComplexOptCheck: o.table_print(with_results) else: o = self.opts[0] - o.table_print(with_results) + o.table_print(False) + if with_results: + print('| {}'.format(self.result), end='') class OR(ComplexOptCheck): @@ -437,6 +460,10 @@ def construct_checklist(checklist, arch): checklist.append(OptCheck('DEBUG_FS', 'is not set', 'grsecurity', 'cut_attack_surface')) # refers to LOCKDOWN checklist.append(OptCheck('NOTIFIER_ERROR_INJECTION','is not set', 'grsecurity', 'cut_attack_surface')) + checklist.append(OptCheck('DRM_LEGACY', 'is not set', 'maintainer', 'cut_attack_surface')) + checklist.append(OptCheck('FB', 'is not set', 'maintainer', 'cut_attack_surface')) + checklist.append(OptCheck('VT', 'is not set', 'maintainer', 'cut_attack_surface')) + checklist.append(OptCheck('ACPI_TABLE_UPGRADE', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCKDOWN checklist.append(OptCheck('X86_IOPL_IOPERM', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCKDOWN checklist.append(OptCheck('EFI_TEST', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCKDOWN @@ -456,7 +483,7 @@ def construct_checklist(checklist, arch): checklist.append(OptCheck('X86_MSR', 'is not set', 'clipos', 'cut_attack_surface')) # refers to LOCKDOWN checklist.append(OptCheck('X86_CPUID', 'is not set', 'clipos', 'cut_attack_surface')) checklist.append(AND(OptCheck('LDISC_AUTOLOAD', 'is not set', 'clipos', 'cut_attack_surface'), \ - VerCheck((5, 1)))) # LDISC_AUTOLOAD can be disabled since v5.1 + PresenceCheck('LDISC_AUTOLOAD'))) checklist.append(OptCheck('AIO', 'is not set', 'grapheneos', 'cut_attack_surface')) @@ -577,7 +604,8 @@ def main(): config_checklist = [] - parser = ArgumentParser(description='Checks the hardening options in the Linux kernel config') + parser = ArgumentParser(prog='kconfig-hardened-check', + description='Checks the hardening options in the Linux kernel config') parser.add_argument('-p', '--print', choices=supported_archs, help='print hardening preferences for selected architecture') parser.add_argument('-c', '--config', @@ -586,6 +614,7 @@ def main(): help='enable verbose debug mode') parser.add_argument('--json', action='store_true', help='print results in JSON format') + parser.add_argument('--version', action='version', version='%(prog)s ' + __version__) args = parser.parse_args() if args.debug: