X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2F__init__.py;h=46dc6586013724d626bffcec7970276fd60b4c5e;hb=a637a660d0e08637f19a2bfdbfbef5725568c6b4;hp=d8df56fa5df02256fb691a924f75c32ae4175a0f;hpb=e94d14b3232733748ec305d908eda016032c4eb2;p=kconfig-hardened-check.git diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py index d8df56f..46dc658 100644 --- a/kconfig_hardened_check/__init__.py +++ b/kconfig_hardened_check/__init__.py @@ -12,9 +12,7 @@ # # N.B Hardening command line parameters: # iommu=force (does it help against DMA attacks?) -# slub_debug=FZ (slow) # loadpin.enforce=1 -# debugfs=no-mount (or off if possible) # # Mitigations of CPU vulnerabilities: # Аrch-independent: @@ -700,10 +698,7 @@ def add_cmdline_checks(l, arch): CmdlineCheck('self_protection', 'kspp', 'hardened_usercopy', 'is not set')))] l += [OR(CmdlineCheck('self_protection', 'kspp', 'slab_common.usercopy_fallback', '0'), AND(KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY_FALLBACK', 'is not set'), - CmdlineCheck('self_protection', 'kspp', 'slab_common.usercopy_fallback', 'is not set')))] - l += [OR(CmdlineCheck('self_protection', 'kspp', 'page_alloc.shuffle', '1'), - AND(KconfigCheck('self_protection', 'kspp', 'SHUFFLE_PAGE_ALLOCATOR', 'y'), - CmdlineCheck('self_protection', 'kspp', 'page_alloc.shuffle', 'is not set')))] # ... the end + CmdlineCheck('self_protection', 'kspp', 'slab_common.usercopy_fallback', 'is not set')))] # ... the end if arch in ('X86_64', 'ARM64', 'X86_32'): l += [OR(CmdlineCheck('self_protection', 'kspp', 'randomize_kstack_offset', '1'), AND(KconfigCheck('self_protection', 'kspp', 'RANDOMIZE_KSTACK_OFFSET_DEFAULT', 'y'), @@ -711,12 +706,19 @@ def add_cmdline_checks(l, arch): if arch in ('X86_64', 'X86_32'): l += [CmdlineCheck('self_protection', 'kspp', 'pti', 'on')] + # 'self_protection', 'clipos' + l += [CmdlineCheck('self_protection', 'clipos', 'page_alloc.shuffle', '1')] + # 'cut_attack_surface', 'kspp' if arch == 'X86_64': l += [OR(CmdlineCheck('cut_attack_surface', 'kspp', 'vsyscall', 'none'), AND(KconfigCheck('cut_attack_surface', 'kspp', 'LEGACY_VSYSCALL_NONE', 'y'), CmdlineCheck('cut_attack_surface', 'kspp', 'vsyscall', 'is not set')))] + # 'cut_attack_surface', 'grsec' + # The cmdline checks compatible with the kconfig options disabled by grsecurity... + l += [OR(CmdlineCheck('cut_attack_surface', 'grsec', 'debugfs', 'off'), + KconfigCheck('cut_attack_surface', 'grsec', 'DEBUG_FS', 'is not set'))] # ... the end def print_unknown_options(checklist, parsed_options): @@ -860,12 +862,14 @@ def parse_kconfig_file(parsed_options, fname): def normalize_cmdline_options(option, value): - # Handle special cases + # Don't normalize the cmdline option values if + # the Linux kernel doesn't use kstrtobool() for them if option == 'pti': - # Don't normalize the pti value since - # the Linux kernel doesn't use kstrtobool() for pti. # See pti_check_boottime_disable() in linux/arch/x86/mm/pti.c return value + if option == 'debugfs': + # See debugfs_kernel() in fs/debugfs/inode.c + return value # Implement a limited part of the kstrtobool() logic if value in ('1', 'on', 'On', 'ON', 'y', 'Y', 'yes', 'Yes', 'YES'):