X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2Fchecks.py;h=8e52fd8fc27e98cbaa0af8c4c92ecd35b0408a9f;hb=4d5de9965b33f1eff1e15cb794fe0cfa734325fb;hp=850edd2f1bada62488e27465f9ed5beb11742d85;hpb=9bbea5b5bad45aac84aadf83536e31f9bd5e395e;p=kconfig-hardened-check.git

diff --git a/kconfig_hardened_check/checks.py b/kconfig_hardened_check/checks.py
index 850edd2..8e52fd8 100644
--- a/kconfig_hardened_check/checks.py
+++ b/kconfig_hardened_check/checks.py
@@ -16,7 +16,7 @@ This module contains knowledge for checks.
 #    kernel.perf_event_paranoid=2 (or 3 with a custom patch, see https://lwn.net/Articles/696216/)
 #    kernel.kexec_load_disabled=1
 #    kernel.yama.ptrace_scope=3
-#    user.max_user_namespaces=0
+#    user.max_user_namespaces=0 (for Debian, also see kernel.unprivileged_userns_clone)
 #    what about bpf_jit_enable?
 #    kernel.unprivileged_bpf_disabled=1
 #    net.core.bpf_jit_harden=2
@@ -35,6 +35,8 @@ This module contains knowledge for checks.
 #    nosmt sysfs control file
 #    dev.tty.legacy_tiocsti=0
 #    vm.mmap_rnd_bits=max (?)
+#    kernel.sysrq=0
+#    abi.vsyscall32 (any value except 2)
 #
 # Think of these boot params:
 #    module.sig_enforce=1
@@ -164,9 +166,9 @@ def add_kconfig_checks(l, arch):
     hardened_usercopy_is_set = KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY', 'y')
     l += [hardened_usercopy_is_set]
     l += [AND(KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY_FALLBACK', 'is not set'),
-              hardened_usercopy_is_set)]
+              hardened_usercopy_is_set)] # usercopy whitelist violations should be prohibited
     l += [AND(KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY_PAGESPAN', 'is not set'),
-              hardened_usercopy_is_set)]
+              hardened_usercopy_is_set)] # this debugging for HARDENED_USERCOPY is not needed for security
     l += [AND(KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_LATENT_ENTROPY', 'y'),
               gcc_plugins_support_is_set)]
     l += [OR(KconfigCheck('self_protection', 'kspp', 'MODULE_SIG', 'y'),
@@ -287,7 +289,6 @@ def add_kconfig_checks(l, arch):
     l += [KconfigCheck('cut_attack_surface', 'kspp', 'ACPI_CUSTOM_METHOD', 'is not set')] # refers to LOCKDOWN
     l += [KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT_BRK', 'is not set')]
     l += [KconfigCheck('cut_attack_surface', 'kspp', 'DEVKMEM', 'is not set')] # refers to LOCKDOWN
-    l += [KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT_VDSO', 'is not set')]
     l += [KconfigCheck('cut_attack_surface', 'kspp', 'BINFMT_MISC', 'is not set')]
     l += [KconfigCheck('cut_attack_surface', 'kspp', 'INET_DIAG', 'is not set')]
     l += [KconfigCheck('cut_attack_surface', 'kspp', 'KEXEC', 'is not set')] # refers to LOCKDOWN
@@ -307,8 +308,10 @@ def add_kconfig_checks(l, arch):
              devmem_not_set)] # refers to LOCKDOWN
     l += [AND(KconfigCheck('cut_attack_surface', 'kspp', 'LDISC_AUTOLOAD', 'is not set'),
               KconfigCheck('cut_attack_surface', 'kspp', 'LDISC_AUTOLOAD', 'is present'))]
-    if arch == 'X86_64':
-        l += [KconfigCheck('cut_attack_surface', 'kspp', 'LEGACY_VSYSCALL_NONE', 'y')] # 'vsyscall=none'
+    if arch in ('X86_64', 'X86_32'):
+        l += [KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT_VDSO', 'is not set')]
+              # CONFIG_COMPAT_VDSO disabled ASLR of vDSO only on X86_64 and X86_32;
+              # on ARM64 this option has different meaning
     if arch == 'ARM':
         l += [OR(KconfigCheck('cut_attack_surface', 'kspp', 'STRICT_DEVMEM', 'y'),
                  devmem_not_set)] # refers to LOCKDOWN
@@ -367,7 +370,6 @@ def add_kconfig_checks(l, arch):
     l += [KconfigCheck('cut_attack_surface', 'clipos', 'STAGING', 'is not set')]
     l += [KconfigCheck('cut_attack_surface', 'clipos', 'KSM', 'is not set')] # to prevent FLUSH+RELOAD attack
     l += [KconfigCheck('cut_attack_surface', 'clipos', 'KALLSYMS', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'clipos', 'X86_VSYSCALL_EMULATION', 'is not set')]
     l += [KconfigCheck('cut_attack_surface', 'clipos', 'MAGIC_SYSRQ', 'is not set')]
     l += [KconfigCheck('cut_attack_surface', 'clipos', 'KEXEC_FILE', 'is not set')] # refers to LOCKDOWN (permissive)
     l += [KconfigCheck('cut_attack_surface', 'clipos', 'USER_NS', 'is not set')] # user.max_user_namespaces=0
@@ -377,6 +379,11 @@ def add_kconfig_checks(l, arch):
     l += [KconfigCheck('cut_attack_surface', 'clipos', 'EFI_CUSTOM_SSDT_OVERLAYS', 'is not set')]
     l += [KconfigCheck('cut_attack_surface', 'clipos', 'COREDUMP', 'is not set')] # cut userspace attack surface
 #   l += [KconfigCheck('cut_attack_surface', 'clipos', 'IKCONFIG', 'is not set')] # no, IKCONFIG is needed for this check :)
+    if arch == 'X86_64':
+        l += [OR(KconfigCheck('cut_attack_surface', 'clipos', 'X86_VSYSCALL_EMULATION', 'is not set'),
+                 KconfigCheck('cut_attack_surface', 'kspp', 'LEGACY_VSYSCALL_NONE', 'y'))]
+                 # disabling X86_VSYSCALL_EMULATION turns vsyscall off completely,
+                 # and LEGACY_VSYSCALL_NONE can be changed at boot time via the cmdline parameter
 
     # 'cut_attack_surface', 'lockdown'
     l += [KconfigCheck('cut_attack_surface', 'lockdown', 'EFI_TEST', 'is not set')] # refers to LOCKDOWN
@@ -536,8 +543,21 @@ def add_cmdline_checks(l, arch):
     # 'cut_attack_surface', 'kspp'
     if arch == 'X86_64':
         l += [OR(CmdlineCheck('cut_attack_surface', 'kspp', 'vsyscall', 'none'),
+                 KconfigCheck('cut_attack_surface', 'clipos', 'X86_VSYSCALL_EMULATION', 'is not set'),
                  AND(KconfigCheck('cut_attack_surface', 'kspp', 'LEGACY_VSYSCALL_NONE', 'y'),
                      CmdlineCheck('cut_attack_surface', 'kspp', 'vsyscall', 'is not set')))]
+        l += [OR(CmdlineCheck('cut_attack_surface', 'my', 'vdso32', '1'),
+                 CmdlineCheck('cut_attack_surface', 'my', 'vdso32', '0'),
+                 AND(KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT_VDSO', 'is not set'),
+                     CmdlineCheck('cut_attack_surface', 'my', 'vdso32', 'is not set')))] # the vdso32 parameter must not be 2
+    if arch == 'X86_32':
+        l += [OR(CmdlineCheck('cut_attack_surface', 'my', 'vdso32', '1'),
+                 CmdlineCheck('cut_attack_surface', 'my', 'vdso', '1'),
+                 CmdlineCheck('cut_attack_surface', 'my', 'vdso32', '0'),
+                 CmdlineCheck('cut_attack_surface', 'my', 'vdso', '0'),
+                 AND(KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT_VDSO', 'is not set'),
+                     CmdlineCheck('cut_attack_surface', 'my', 'vdso32', 'is not set'),
+                     CmdlineCheck('cut_attack_surface', 'my', 'vdso', 'is not set')))] # the vdso and vdso32 parameters must not be 2
 
     # 'cut_attack_surface', 'grsec'
     # The cmdline checks compatible with the kconfig options disabled by grsecurity...