X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2F__init__.py;h=937b3a0c6a72107e2f06d694369c68ff813dd696;hb=103bbe9258fdb6ec0b064bdc53aaf3ba31367de7;hp=986750919d1f0b6738088e4370f0e4067abd9ef8;hpb=4abb78818fc77db635c1545db63a0bf147f4a798;p=kconfig-hardened-check.git
diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py
index 9867509..937b3a0 100644
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -41,6 +41,7 @@
 # kernel.kexec_load_disabled=1 # kernel.yama.ptrace_scope=3 # user.max_user_namespaces=0 +# what about bpf_jit_enable? # kernel.unprivileged_bpf_disabled=1 # net.core.bpf_jit_harden=2 #
@@ -54,6 +55,11 @@
 # fs.suid_dumpable=0 # kernel.modules_disabled=1 + +# pylint: disable=missing-module-docstring,missing-class-docstring,missing-function-docstring +# pylint: disable=line-too-long,invalid-name,too-many-branches,too-many-statements + + import sys from argparse import ArgumentParser from collections import OrderedDict
@@ -61,9 +67,6 @@
 import re import json from .__about__ import __version__ -# pylint: disable=line-too-long,bad-whitespace,too-many-branches -# pylint: disable=too-many-statements,global-statement - class OptCheck: def __init__(self, reason, decision, name, expected):
@@ -89,7 +92,7 @@ class OptCheck:
 return True return False - def table_print(self, mode, with_results): + def table_print(self, _mode, with_results): print('CONFIG_{:<38}|{:^13}|{:^10}|{:^20}'.format(self.name, self.expected, self.decision, self.reason), end='') if with_results: print('| {}'.format(self.result), end='')
@@ -98,7 +101,7 @@ class OptCheck:
 class VerCheck: def __init__(self, ver_expected): self.ver_expected = ver_expected - self.ver = None + self.ver = () self.result = None def check(self):
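Review bot: The added line `# what about bpf_jit_enable?` sits inside the list of recommended sysctl settings but is an open question rather than a recommendation, and on a skim it is not clear which way the author leans; the hunk at -490 also drops the `BPF_JIT 'is not set'` Kconfig check, so after this commit the checker says nothing about the BPF JIT at all. If the intent is to move JIT hardening from Kconfig to sysctl, I would spell the knob out in the same `name=value` form as its neighbours and note its precondition, e.g. `# TODO: net.core.bpf_jit_enable=0 (only effective when CONFIG_BPF_JIT_ALWAYS_ON is not set)`, since `net.core.bpf_jit_harden=2` on the line below only matters while the JIT is enabled. The comment block this hunk belongs to starts before it.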
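Review bot: The new module-wide `# pylint: disable=...` lines turn off too-many-branches and too-many-statements for the whole file, which hides those warnings for every future function rather than just the ones (presumably construct_checklist and the CLI entry point) that trip them today; a trailing `# pylint: disable=too-many-branches,too-many-statements` on the offending `def` lines keeps the check active elsewhere. The two added trailing `+` blank lines together with the existing blank line also appear to leave three empty lines before `import sys`, which black/ruff format would collapse to two. The sysctl comment block this hunk continues starts before it.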
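Review bot: Renaming `mode` to `_mode` in OptCheck.table_print changes the keyword name of a parameter that is part of the shared table_print interface (the hunks at -114 for VerCheck and at -134 for PresenceCheck make the same rename); any caller using `table_print(mode=..., with_results=...)` would now raise TypeError, while positional callers are unaffected — the call site is not visible from here. If the goal is only to silence pylint's unused-argument, `def table_print(self, mode, with_results):  # pylint: disable=unused-argument` keeps the name stable, and a one-line docstring such as `"""Print this check as one table row; mode is accepted for interface compatibility and ignored."""` makes the unused parameter look intentional rather than accidental. The class OptCheck starts before this hunk.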
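Review bot: Changing the unset sentinel from `None` to `()` in VerCheck.__init__ alters how an unparsed kernel version fails inside check(), whose body lies outside this hunk: with `None` a comparison against ver_expected raised TypeError, whereas an empty tuple compares as less than any non-empty tuple, so if check() compares tuples directly an unset version would now quietly report `FAIL: version < X.Y` instead of signalling that no version was ever read (if it indexes `self.ver[0]` it raises IndexError instead). Worth confirming which of the two happens and, either way, documenting the contract on the field, e.g. `self.ver = ()  # empty until the caller stores the parsed (major, minor) kernel version`. The class VerCheck continues past the end of this hunk.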
@@ -114,7 +117,7 @@ class VerCheck:
 self.result = 'FAIL: version < ' + str(self.ver_expected[0]) + '.' + str(self.ver_expected[1]) return False - def table_print(self, mode, with_results): + def table_print(self, _mode, with_results): ver_req = 'kernel version >= ' + str(self.ver_expected[0]) + '.' + str(self.ver_expected[1]) print('{:<91}'.format(ver_req), end='') if with_results:
@@ -134,7 +137,7 @@ class PresenceCheck:
 self.result = 'OK: is present' return True - def table_print(self, mode, with_results): + def table_print(self, _mode, with_results): print('CONFIG_{:<84}'.format(self.name + ' is present'), end='') if with_results: print('| {}'.format(self.result), end='')
@@ -448,7 +451,7 @@ def construct_checklist(l, arch):
 l += [OptCheck('cut_attack_surface', 'grsecurity', 'MEM_SOFT_DIRTY', 'is not set')] l += [OptCheck('cut_attack_surface', 'grsecurity', 'DEVPORT', 'is not set')] # refers to LOCKDOWN l += [OptCheck('cut_attack_surface', 'grsecurity', 'DEBUG_FS', 'is not set')] # refers to LOCKDOWN - l += [OptCheck('cut_attack_surface', 'grsecurity', 'NOTIFIER_ERROR_INJECTION','is not set')] + l += [OptCheck('cut_attack_surface', 'grsecurity', 'NOTIFIER_ERROR_INJECTION', 'is not set')] l += [AND(OptCheck('cut_attack_surface', 'grsecurity', 'X86_PTDUMP', 'is not set'), OptCheck('cut_attack_surface', 'my', 'PTDUMP_DEBUGFS', 'is not set'))]
@@ -457,11 +460,8 @@ def construct_checklist(l, arch):
 l += [OptCheck('cut_attack_surface', 'maintainer', 'FB', 'is not set')] l += [OptCheck('cut_attack_surface', 'maintainer', 'VT', 'is not set')] - # 'cut_attack_surface', 'lockdown' - l += [OptCheck('cut_attack_surface', 'lockdown', 'ACPI_TABLE_UPGRADE', 'is not set')] # refers to LOCKDOWN - l += [OptCheck('cut_attack_surface', 'lockdown', 'EFI_TEST', 'is not set')] # refers to LOCKDOWN - l += [OptCheck('cut_attack_surface', 'lockdown', 'BPF_SYSCALL', 'is not set')] # refers to LOCKDOWN - l += [OptCheck('cut_attack_surface', 'lockdown', 'MMIOTRACE_TEST', 'is not set')] # refers to LOCKDOWN + # 'cut_attack_surface', 'grapheneos' + l += [OptCheck('cut_attack_surface', 'grapheneos', 'AIO', 'is not set')] # 'cut_attack_surface', 'clipos' l += [OptCheck('cut_attack_surface', 'clipos', 'STAGING', 'is not set')]
@@ -476,13 +476,17 @@ def construct_checklist(l, arch):
 l += [OptCheck('cut_attack_surface', 'clipos', 'X86_CPUID', 'is not set')] l += [OptCheck('cut_attack_surface', 'clipos', 'IO_URING', 'is not set')] l += [OptCheck('cut_attack_surface', 'clipos', 'X86_IOPL_IOPERM', 'is not set')] # refers to LOCKDOWN + l += [OptCheck('cut_attack_surface', 'clipos', 'ACPI_TABLE_UPGRADE', 'is not set')] # refers to LOCKDOWN + l += [OptCheck('cut_attack_surface', 'clipos', 'EFI_CUSTOM_SSDT_OVERLAYS', 'is not set')] l += [AND(OptCheck('cut_attack_surface', 'clipos', 'LDISC_AUTOLOAD', 'is not set'), PresenceCheck('LDISC_AUTOLOAD'))] if arch in ('X86_64', 'X86_32'): l += [OptCheck('cut_attack_surface', 'clipos', 'X86_INTEL_TSX_MODE_OFF', 'y')] # tsx=off - # 'cut_attack_surface', 'grapheneos' - l += [OptCheck('cut_attack_surface', 'grapheneos', 'AIO', 'is not set')] + # 'cut_attack_surface', 'lockdown' + l += [OptCheck('cut_attack_surface', 'lockdown', 'EFI_TEST', 'is not set')] # refers to LOCKDOWN + l += [OptCheck('cut_attack_surface', 'lockdown', 'BPF_SYSCALL', 'is not set')] # refers to LOCKDOWN + l += [OptCheck('cut_attack_surface', 'lockdown', 'MMIOTRACE_TEST', 'is not set')] # refers to LOCKDOWN # 'cut_attack_surface', 'my' l += [OptCheck('cut_attack_surface', 'my', 'MMIOTRACE', 'is not set')] # refers to LOCKDOWN (permissive)
@@ -490,7 +494,6 @@ def construct_checklist(l, arch):
 l += [OptCheck('cut_attack_surface', 'my', 'IP_DCCP', 'is not set')] l += [OptCheck('cut_attack_surface', 'my', 'IP_SCTP', 'is not set')] l += [OptCheck('cut_attack_surface', 'my', 'FTRACE', 'is not set')] # refers to LOCKDOWN - l += [OptCheck('cut_attack_surface', 'my', 'BPF_JIT', 'is not set')] l += [OptCheck('cut_attack_surface', 'my', 'VIDEO_VIVID', 'is not set')] l += [OptCheck('cut_attack_surface', 'my', 'INPUT_EVBUG', 'is not set')] # Can be used as a keylogger
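Review bot: The new `EFI_CUSTOM_SSDT_OVERLAYS 'is not set'` entry carries no `# refers to LOCKDOWN` tag while its sibling ACPI_TABLE_UPGRADE on the line above keeps one; both options let tables be injected into the firmware/ACPI view at boot, so if the SSDT-overlay path is also gated by the kernel lockdown LSM the tag should be carried over for consistency, and if it is not, a short comment saying so would save the next reader the same question. Moving ACPI_TABLE_UPGRADE from the 'lockdown' decision to 'clipos' also changes the decision column that table_print emits for that row; a brief comment naming the source that recommends it would keep the attribution traceable. construct_checklist starts before this hunk and continues past it.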