X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2F__init__.py;h=3b19ce892e69036761f84f20dddf1900db6c24ff;hb=3b428f9b7b416a90599f7ec0da355a78fbc742fa;hp=f9144f743041b53a18e7e19927e6afafd703c647;hpb=5e9f4868791ced7b39c1ab14b539318eaa93b8d0;p=kconfig-hardened-check.git
diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py
index f9144f7..3b19ce8 100644
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -108,10 +108,14 @@ class OptCheck:
 
 
 class KconfigCheck(OptCheck):
+    @property
+    def type(self):
+        return "kconfig"
+
     def table_print(self, _mode, with_results):
-        print('CONFIG_{:<38}|{:^13}|{:^10}|{:^20}'.format(self.name, self.expected, self.decision, self.reason), end='')
+        print('CONFIG_{:<33}|{:^7}|{:^12}|{:^10}|{:^18}'.format(self.name, self.type, self.expected, self.decision, self.reason), end='')
         if with_results:
-            print('| {}'.format(self.result), end='')
+            print('| {}'.format(self.result), end='')
 
 
 class VerCheck:
@@ -137,7 +141,7 @@ class VerCheck:
         ver_req = 'kernel version >= ' + str(self.ver_expected[0]) + '.' + str(self.ver_expected[1])
         print('{:<91}'.format(ver_req), end='')
         if with_results:
-            print('| {}'.format(self.result), end='')
+            print('| {}'.format(self.result), end='')
 
 
 class PresenceCheck:
@@ -156,7 +160,7 @@ class PresenceCheck:
     def table_print(self, _mode, with_results):
         print('CONFIG_{:<84}'.format(self.name + ' is present'), end='')
         if with_results:
-            print('| {}'.format(self.result), end='')
+            print('| {}'.format(self.result), end='')
 
 
 class ComplexOptCheck:
@@ -172,6 +176,10 @@ class ComplexOptCheck:
     def name(self):
         return self.opts[0].name
 
+    @property
+    def type(self):
+        return self.opts[0].type
+
     @property
     def expected(self):
         return self.opts[0].expected
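Review bot: The new row format in KconfigCheck.table_print, `'CONFIG_{:<33}|{:^7}|{:^12}|{:^10}|{:^18}'`, hard-codes column widths that must stay in lockstep with the header format in print_checklist (`'{:^40}|{:^7}|{:^12}|{:^10}|{:^18}'`) and with the 91-wide padding in VerCheck (`{:<91}`) and PresenceCheck (`'CONFIG_{:<84}'`); this change already had to touch two of those places by hand, so a module-level format string or width constants shared by the row and header printers would stop them drifting apart. The new `type` property on KconfigCheck also deserves a one-line docstring such as `"""Kind of check; shown in the 'type' column and emitted in JSON output."""`, since its value is a user-visible string. Naming the property `type` shadows the builtin inside the class body; it works, but a name like `check_type` would avoid the confusion. The same `type` property is added to ComplexOptCheck in the hunk at -172, where it simply forwards to `self.opts[0].type`, consistent with the neighbouring `name` and `expected` properties.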
@@ -188,7 +196,7 @@ class ComplexOptCheck:
         if mode == 'verbose':
             print(' {:87}'.format('<<< ' + self.__class__.__name__ + ' >>>'), end='')
             if with_results:
-                print('| {}'.format(self.result), end='')
+                print('| {}'.format(self.result), end='')
             for o in self.opts:
                 print()
                 o.table_print(mode, with_results)
@@ -196,7 +204,7 @@ class ComplexOptCheck:
             o = self.opts[0]
             o.table_print(mode, False)
             if with_results:
-                print('| {}'.format(self.result), end='')
+                print('| {}'.format(self.result), end='')
 
 
 class OR(ComplexOptCheck):
@@ -497,46 +505,46 @@ def construct_checklist(l, arch):
     if arch == 'X86_64':
         l += [KconfigCheck('cut_attack_surface', 'kspp', 'LEGACY_VSYSCALL_NONE', 'y')] # 'vsyscall=none'
 
-    # 'cut_attack_surface', 'grsecurity'
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'ZSMALLOC_STAT', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'PAGE_OWNER', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'DEBUG_KMEMLEAK', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'BINFMT_AOUT', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'KPROBE_EVENTS', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'UPROBE_EVENTS', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'GENERIC_TRACER', 'is not set')] # refers to LOCKDOWN
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'FUNCTION_TRACER', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'STACK_TRACER', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'HIST_TRIGGERS', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'BLK_DEV_IO_TRACE', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'PROC_VMCORE', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'PROC_PAGE_MONITOR', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'USELIB', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'CHECKPOINT_RESTORE', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'USERFAULTFD', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'HWPOISON_INJECT', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'MEM_SOFT_DIRTY', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'DEVPORT', 'is not set')] # refers to LOCKDOWN
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'DEBUG_FS', 'is not set')] # refers to LOCKDOWN
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'NOTIFIER_ERROR_INJECTION', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'FAIL_FUTEX', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'PUNIT_ATOM_DEBUG', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'ACPI_CONFIGFS', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'EDAC_DEBUG', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'DRM_I915_DEBUG', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'BCACHE_CLOSURES_DEBUG', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'DVB_C8SECTPFE', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'MTD_SLRAM', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'MTD_PHRAM', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'IO_URING', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'KCMP', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'RSEQ', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'LATENCYTOP', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'KCOV', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'PROVIDE_OHCI1394_DMA_INIT', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'SUNRPC_DEBUG', 'is not set')]
-    l += [AND(KconfigCheck('cut_attack_surface', 'grsecurity', 'PTDUMP_DEBUGFS', 'is not set'),
-              KconfigCheck('cut_attack_surface', 'grsecurity', 'X86_PTDUMP', 'is not set'))]
+    # 'cut_attack_surface', 'grsec'
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'ZSMALLOC_STAT', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'PAGE_OWNER', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'DEBUG_KMEMLEAK', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'BINFMT_AOUT', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'KPROBE_EVENTS', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'UPROBE_EVENTS', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'GENERIC_TRACER', 'is not set')] # refers to LOCKDOWN
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'FUNCTION_TRACER', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'STACK_TRACER', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'HIST_TRIGGERS', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'BLK_DEV_IO_TRACE', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'PROC_VMCORE', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'PROC_PAGE_MONITOR', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'USELIB', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'CHECKPOINT_RESTORE', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'USERFAULTFD', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'HWPOISON_INJECT', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'MEM_SOFT_DIRTY', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'DEVPORT', 'is not set')] # refers to LOCKDOWN
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'DEBUG_FS', 'is not set')] # refers to LOCKDOWN
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'NOTIFIER_ERROR_INJECTION', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'FAIL_FUTEX', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'PUNIT_ATOM_DEBUG', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'ACPI_CONFIGFS', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'EDAC_DEBUG', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'DRM_I915_DEBUG', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'BCACHE_CLOSURES_DEBUG', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'DVB_C8SECTPFE', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'MTD_SLRAM', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'MTD_PHRAM', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'IO_URING', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'KCMP', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'RSEQ', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'LATENCYTOP', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'KCOV', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'PROVIDE_OHCI1394_DMA_INIT', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'SUNRPC_DEBUG', 'is not set')]
+    l += [AND(KconfigCheck('cut_attack_surface', 'grsec', 'PTDUMP_DEBUGFS', 'is not set'),
+              KconfigCheck('cut_attack_surface', 'grsec', 'X86_PTDUMP', 'is not set'))]
 
     # 'cut_attack_surface', 'maintainer'
     l += [KconfigCheck('cut_attack_surface', 'maintainer', 'DRM_LEGACY', 'is not set')] # recommended by Daniel Vetter in /issues/38
@@ -583,19 +591,19 @@ def construct_checklist(l, arch):
     l += [KconfigCheck('cut_attack_surface', 'my', 'VIDEO_VIVID', 'is not set')]
     l += [KconfigCheck('cut_attack_surface', 'my', 'INPUT_EVBUG', 'is not set')] # Can be used as a keylogger
 
-    # 'userspace_hardening'
+    # 'harden_userspace'
     if arch in ('X86_64', 'ARM64', 'X86_32'):
-        l += [KconfigCheck('userspace_hardening', 'defconfig', 'INTEGRITY', 'y')]
+        l += [KconfigCheck('harden_userspace', 'defconfig', 'INTEGRITY', 'y')]
     if arch == 'ARM':
-        l += [KconfigCheck('userspace_hardening', 'my', 'INTEGRITY', 'y')]
+        l += [KconfigCheck('harden_userspace', 'my', 'INTEGRITY', 'y')]
     if arch == 'ARM64':
-        l += [KconfigCheck('userspace_hardening', 'defconfig', 'ARM64_MTE', 'y')]
+        l += [KconfigCheck('harden_userspace', 'defconfig', 'ARM64_MTE', 'y')]
     if arch in ('ARM', 'X86_32'):
-        l += [KconfigCheck('userspace_hardening', 'defconfig', 'VMSPLIT_3G', 'y')]
+        l += [KconfigCheck('harden_userspace', 'defconfig', 'VMSPLIT_3G', 'y')]
     if arch in ('X86_64', 'ARM64'):
-        l += [KconfigCheck('userspace_hardening', 'clipos', 'ARCH_MMAP_RND_BITS', '32')]
+        l += [KconfigCheck('harden_userspace', 'clipos', 'ARCH_MMAP_RND_BITS', '32')]
     if arch in ('X86_32', 'ARM'):
-        l += [KconfigCheck('userspace_hardening', 'my', 'ARCH_MMAP_RND_BITS', '16')]
+        l += [KconfigCheck('harden_userspace', 'my', 'ARCH_MMAP_RND_BITS', '16')]
 
 
 #   l += [KconfigCheck('feature_test', 'my', 'LKDTM', 'm')] # only for debugging!
@@ -618,7 +626,7 @@ def print_checklist(mode, checklist, with_results):
     if mode == 'json':
         opts = []
         for o in checklist:
-            opt = ['CONFIG_'+o.name, o.expected, o.decision, o.reason]
+            opt = ['CONFIG_'+o.name, o.type, o.expected, o.decision, o.reason]
             if with_results:
                 opt.append(o.result)
             opts.append(opt)
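Review bot: Inserting `o.type` at index 1 of the JSON row in print_checklist changes the position of every following field (`expected`, `decision`, `reason`, and `result`), so any consumer that reads the JSON output by index silently gets the wrong columns after this commit; this is a positional list, not a keyed object, and the new layout is not documented anywhere in the diff. Emitting a dict per entry, e.g. `opt = {'name': 'CONFIG_'+o.name, 'type': o.type, 'expected': o.expected, 'decision': o.decision, 'reason': o.reason}`, would make the schema self-describing and tolerant of future columns; if the list shape must be kept for compatibility, a comment above the line stating the column order, `# JSON row: [name, type, expected, decision, reason(, result)]`, is the minimum. Separately, `type` is only defined on KconfigCheck and ComplexOptCheck in this commit; VerCheck and PresenceCheck do not gain one, so if instances of those classes can appear in `checklist`, JSON mode will raise AttributeError on this line (I cannot see from the hunk whether they do). The renames in the hunk at -583 look consistent across all six branches.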
@@ -630,9 +638,9 @@ def print_checklist(mode, checklist, with_results):
     if with_results:
         sep_line_len += 30
     print('=' * sep_line_len)
-    print('{:^45}|{:^13}|{:^10}|{:^20}'.format('kconfig option name', 'desired val', 'decision', 'reason'), end='')
+    print('{:^40}|{:^7}|{:^12}|{:^10}|{:^18}'.format('option name', 'type', 'desired val', 'decision', 'reason'), end='')
     if with_results:
-        print('| {}'.format('check result'), end='')
+        print('| {}'.format('check result'), end='')
     print()
     print('=' * sep_line_len)