X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2F__init__.py;h=7324a9eebaece13b9a0f2800651281f30e4f7251;hb=5fbc06faf9bf8703a408e8b91717a9ba3f5aabf8;hp=762014cbde3fc79989a89eed537f3052ee5bf8d3;hpb=dd9448b2206e590cda7c99e31aad4c5b24026211;p=kconfig-hardened-check.git diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py index 762014c..7324a9e 100644 --- a/kconfig_hardened_check/__init__.py +++ b/kconfig_hardened_check/__init__.py @@ -40,8 +40,11 @@ # # Should NOT be set: # nokaslr +# rodata=off +# sysrq_always_enabled # arm64.nobti # arm64.nopauth +# arm64.nomte # # Hardware tag-based KASAN with arm64 Memory Tagging Extension (MTE): # kasan=on @@ -58,11 +61,9 @@ # what about bpf_jit_enable? # kernel.unprivileged_bpf_disabled=1 # net.core.bpf_jit_harden=2 -# # vm.unprivileged_userfaultfd=0 # (at first, it disabled unprivileged userfaultfd, # and since v5.11 it enables unprivileged userfaultfd for user-mode only) -# # dev.tty.ldisc_autoload=0 # fs.protected_symlinks=1 # fs.protected_hardlinks=1 @@ -70,6 +71,7 @@ # fs.protected_regular=2 # fs.suid_dumpable=0 # kernel.modules_disabled=1 +# kernel.randomize_va_space = 2 # pylint: disable=missing-module-docstring,missing-class-docstring,missing-function-docstring @@ -97,6 +99,10 @@ class OptCheck: self.state = None self.result = None + @property + def type(self): + return None + def check(self): # handle the option presence check if self.expected is None: @@ -126,6 +132,12 @@ class OptCheck: if with_results: print('| {}'.format(self.result), end='') + def json_dump(self, with_results): + dump = [self.name, self.type, self.expected, self.decision, self.reason] + if with_results: + dump.append(self.result) + return dump + class KconfigCheck(OptCheck): def __init__(self, *args, **kwargs): @@ -136,11 +148,11 @@ class KconfigCheck(OptCheck): def type(self): return 'kconfig' - def json_dump(self, with_results): - dump = [self.name, self.type, self.expected, self.decision, self.reason] - if with_results: - dump.append(self.result) - return dump + +class CmdlineCheck(OptCheck): + @property + def type(self): + return 'cmdline' class VersionCheck: @@ -179,7 +191,7 @@ class ComplexOptCheck: sys.exit('[!] ERROR: empty {} check'.format(self.__class__.__name__)) if len(self.opts) == 1: sys.exit('[!] ERROR: useless {} check'.format(self.__class__.__name__)) - if not isinstance(opts[0], KconfigCheck): + if not isinstance(opts[0], KconfigCheck) and not isinstance(opts[0], CmdlineCheck): sys.exit('[!] ERROR: invalid {} check: {}'.format(self.__class__.__name__, opts)) self.result = None @@ -326,6 +338,8 @@ def add_kconfig_checks(l, arch): l += [KconfigCheck('self_protection', 'defconfig', 'BUG', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'SLUB_DEBUG', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'GCC_PLUGINS', 'y')] + l += [OR(KconfigCheck('self_protection', 'defconfig', 'STACKPROTECTOR', 'y'), + KconfigCheck('self_protection', 'defconfig', 'CC_STACKPROTECTOR', 'y'))] l += [OR(KconfigCheck('self_protection', 'defconfig', 'STACKPROTECTOR_STRONG', 'y'), KconfigCheck('self_protection', 'defconfig', 'CC_STACKPROTECTOR_STRONG', 'y'))] l += [OR(KconfigCheck('self_protection', 'defconfig', 'STRICT_KERNEL_RWX', 'y'), @@ -372,6 +386,7 @@ def add_kconfig_checks(l, arch): VersionCheck((5, 10)))] # HARDEN_BRANCH_PREDICTOR is enabled by default since v5.10 l += [KconfigCheck('self_protection', 'defconfig', 'MITIGATE_SPECTRE_BRANCH_HISTORY', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'ARM64_MTE', 'y')] + l += [KconfigCheck('self_protection', 'defconfig', 'RANDOMIZE_MODULE_REGION_FULL', 'y')] if arch == 'ARM': l += [KconfigCheck('self_protection', 'defconfig', 'CPU_SW_DOMAIN_PAN', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_PREDICTOR', 'y')] @@ -425,8 +440,8 @@ def add_kconfig_checks(l, arch): stackleak_is_set = KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_STACKLEAK', 'y') l += [stackleak_is_set] l += [KconfigCheck('self_protection', 'kspp', 'RANDOMIZE_KSTACK_OFFSET_DEFAULT', 'y')] - l += [KconfigCheck('self_protection', 'kspp', 'SCHED_CORE', 'y')] if arch in ('X86_64', 'X86_32'): + l += [KconfigCheck('self_protection', 'kspp', 'SCHED_CORE', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'DEFAULT_MMAP_MIN_ADDR', '65536')] if arch in ('ARM64', 'ARM'): l += [KconfigCheck('self_protection', 'kspp', 'DEFAULT_MMAP_MIN_ADDR', '32768')] @@ -493,11 +508,11 @@ def add_kconfig_checks(l, arch): if arch == 'ARM': l += [KconfigCheck('security_policy', 'kspp', 'SECURITY', 'y')] # and choose your favourite LSM l += [KconfigCheck('security_policy', 'kspp', 'SECURITY_YAMA', 'y')] - l += [OR(KconfigCheck('security_policy', 'my', 'SECURITY_WRITABLE_HOOKS', 'is not set'), - KconfigCheck('security_policy', 'kspp', 'SECURITY_SELINUX_DISABLE', 'is not set'))] + l += [KconfigCheck('security_policy', 'kspp', 'SECURITY_SELINUX_DISABLE', 'is not set')] l += [KconfigCheck('security_policy', 'clipos', 'SECURITY_LOCKDOWN_LSM', 'y')] l += [KconfigCheck('security_policy', 'clipos', 'SECURITY_LOCKDOWN_LSM_EARLY', 'y')] l += [KconfigCheck('security_policy', 'clipos', 'LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY', 'y')] + l += [KconfigCheck('security_policy', 'my', 'SECURITY_WRITABLE_HOOKS', 'is not set')] # refers to SECURITY_SELINUX_DISABLE l += [KconfigCheck('security_policy', 'my', 'SECURITY_SAFESETID', 'y')] loadpin_is_set = KconfigCheck('security_policy', 'my', 'SECURITY_LOADPIN', 'y') l += [loadpin_is_set] # needs userspace support @@ -585,6 +600,7 @@ def add_kconfig_checks(l, arch): l += [KconfigCheck('cut_attack_surface', 'maintainer', 'FB', 'is not set')] # recommended by Daniel Vetter in /issues/38 l += [KconfigCheck('cut_attack_surface', 'maintainer', 'VT', 'is not set')] # recommended by Daniel Vetter in /issues/38 l += [KconfigCheck('cut_attack_surface', 'maintainer', 'BLK_DEV_FD', 'is not set')] # recommended by Denis Efremov in /pull/54 + l += [KconfigCheck('cut_attack_surface', 'maintainer', 'BLK_DEV_FD_RAWCMD', 'is not set')] # recommended by Denis Efremov in /pull/62 # 'cut_attack_surface', 'grapheneos' l += [KconfigCheck('cut_attack_surface', 'grapheneos', 'AIO', 'is not set')] @@ -623,14 +639,13 @@ def add_kconfig_checks(l, arch): l += [KconfigCheck('cut_attack_surface', 'my', 'FTRACE', 'is not set')] # refers to LOCKDOWN l += [KconfigCheck('cut_attack_surface', 'my', 'VIDEO_VIVID', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'my', 'INPUT_EVBUG', 'is not set')] # Can be used as a keylogger + l += [KconfigCheck('cut_attack_surface', 'my', 'KGDB', 'is not set')] # 'harden_userspace' if arch in ('X86_64', 'ARM64', 'X86_32'): l += [KconfigCheck('harden_userspace', 'defconfig', 'INTEGRITY', 'y')] if arch == 'ARM': l += [KconfigCheck('harden_userspace', 'my', 'INTEGRITY', 'y')] - if arch == 'ARM64': - l += [KconfigCheck('harden_userspace', 'defconfig', 'ARM64_MTE', 'y')] if arch in ('ARM', 'X86_32'): l += [KconfigCheck('harden_userspace', 'defconfig', 'VMSPLIT_3G', 'y')] if arch in ('X86_64', 'ARM64'): @@ -641,6 +656,14 @@ def add_kconfig_checks(l, arch): # l += [KconfigCheck('feature_test', 'my', 'LKDTM', 'm')] # only for debugging! +def add_cmdline_checks(l, arch): + # Calling the CmdlineCheck class constructor: + # CmdlineCheck(reason, decision, name, expected) + + l += [CmdlineCheck('self_protection', 'kspp', 'randomize_kstack_offset', 'on')] + # TODO: add other + + def print_unknown_options(checklist, parsed_options): known_options = [] @@ -715,6 +738,8 @@ def print_checklist(mode, checklist, with_results): def populate_simple_opt_with_data(opt, data, data_type): if opt.type == 'complex': sys.exit('[!] ERROR: unexpected ComplexOptCheck {}: {}'.format(opt.name, vars(opt))) + if opt.type not in TYPES_OF_CHECKS: + sys.exit('[!] ERROR: invalid opt type "{}" for {}'.format(opt.type, opt.name)) if data_type not in TYPES_OF_CHECKS: sys.exit('[!] ERROR: invalid data type "{}"'.format(data_type)) @@ -844,6 +869,7 @@ def main(): sys.exit('[!] ERROR: wrong mode "{}" for --print'.format(mode)) arch = args.print add_kconfig_checks(config_checklist, arch) + add_cmdline_checks(config_checklist, arch) if mode != 'json': print('[+] Printing kernel security hardening preferences for {}...'.format(arch)) print_checklist(mode, config_checklist, False)