X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2Fchecks.py;h=9052aaa4f1fa03a616d4360f3dec6c898acec3e2;hb=c6db991b4dc47b19d40640df9824fbbba22bc34d;hp=43a4c648bba53fed54727838f518e6b4ed616d3f;hpb=22728555223c98630180c2f642cc7e369424bd8a;p=kconfig-hardened-check.git diff --git a/kconfig_hardened_check/checks.py b/kconfig_hardened_check/checks.py index 43a4c64..9052aaa 100644 --- a/kconfig_hardened_check/checks.py +++ b/kconfig_hardened_check/checks.py @@ -1,9 +1,7 @@ #!/usr/bin/python3 """ -This tool helps me to check Linux kernel options against -my security hardening preferences for X86_64, ARM64, X86_32, and ARM. -Let the computers do their job! +This tool is for checking the security hardening options of the Linux kernel. Author: Alexander Popov @@ -16,7 +14,7 @@ This module contains knowledge for checks. # kernel.perf_event_paranoid=2 (or 3 with a custom patch, see https://lwn.net/Articles/696216/) # kernel.kexec_load_disabled=1 # kernel.yama.ptrace_scope=3 -# user.max_user_namespaces=0 +# user.max_user_namespaces=0 (for Debian, also see kernel.unprivileged_userns_clone) # what about bpf_jit_enable? # kernel.unprivileged_bpf_disabled=1 # net.core.bpf_jit_harden=2 @@ -36,6 +34,9 @@ This module contains knowledge for checks. # dev.tty.legacy_tiocsti=0 # vm.mmap_rnd_bits=max (?) # kernel.sysrq=0 +# abi.vsyscall32 (any value except 2) +# kernel.oops_limit (think about a proper value) +# kernel.warn_limit (think about a proper value) # # Think of these boot params: # module.sig_enforce=1 @@ -45,6 +46,7 @@ This module contains knowledge for checks. # intel_iommu=on # amd_iommu=on # efi=disable_early_pci_dma +# cfi= # pylint: disable=missing-function-docstring,line-too-long,invalid-name # pylint: disable=too-many-branches,too-many-statements @@ -113,6 +115,7 @@ def add_kconfig_checks(l, arch): if arch == 'X86_64': l += [KconfigCheck('self_protection', 'defconfig', 'PAGE_TABLE_ISOLATION', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'RANDOMIZE_MEMORY', 'y')] + l += [KconfigCheck('self_protection', 'defconfig', 'X86_KERNEL_IBT', 'y')] l += [AND(KconfigCheck('self_protection', 'defconfig', 'INTEL_IOMMU', 'y'), iommu_support_is_set)] l += [AND(KconfigCheck('self_protection', 'defconfig', 'AMD_IOMMU', 'y'), @@ -165,9 +168,9 @@ def add_kconfig_checks(l, arch): hardened_usercopy_is_set = KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY', 'y') l += [hardened_usercopy_is_set] l += [AND(KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY_FALLBACK', 'is not set'), - hardened_usercopy_is_set)] + hardened_usercopy_is_set)] # usercopy whitelist violations should be prohibited l += [AND(KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY_PAGESPAN', 'is not set'), - hardened_usercopy_is_set)] + hardened_usercopy_is_set)] # this debugging for HARDENED_USERCOPY is not needed for security l += [AND(KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_LATENT_ENTROPY', 'y'), gcc_plugins_support_is_set)] l += [OR(KconfigCheck('self_protection', 'kspp', 'MODULE_SIG', 'y'), @@ -485,7 +488,7 @@ def add_cmdline_checks(l, arch): AND(KconfigCheck('self_protection', 'defconfig', 'RODATA_FULL_DEFAULT_ENABLED', 'y'), CmdlineCheck('self_protection', 'defconfig', 'rodata', 'is not set')))] else: - l += [OR(CmdlineCheck('self_protection', 'defconfig', 'rodata', '1'), + l += [OR(CmdlineCheck('self_protection', 'defconfig', 'rodata', 'on'), CmdlineCheck('self_protection', 'defconfig', 'rodata', 'is not set'))] # 'self_protection', 'kspp' @@ -545,6 +548,18 @@ def add_cmdline_checks(l, arch): KconfigCheck('cut_attack_surface', 'clipos', 'X86_VSYSCALL_EMULATION', 'is not set'), AND(KconfigCheck('cut_attack_surface', 'kspp', 'LEGACY_VSYSCALL_NONE', 'y'), CmdlineCheck('cut_attack_surface', 'kspp', 'vsyscall', 'is not set')))] + l += [OR(CmdlineCheck('cut_attack_surface', 'my', 'vdso32', '1'), + CmdlineCheck('cut_attack_surface', 'my', 'vdso32', '0'), + AND(KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT_VDSO', 'is not set'), + CmdlineCheck('cut_attack_surface', 'my', 'vdso32', 'is not set')))] # the vdso32 parameter must not be 2 + if arch == 'X86_32': + l += [OR(CmdlineCheck('cut_attack_surface', 'my', 'vdso32', '1'), + CmdlineCheck('cut_attack_surface', 'my', 'vdso', '1'), + CmdlineCheck('cut_attack_surface', 'my', 'vdso32', '0'), + CmdlineCheck('cut_attack_surface', 'my', 'vdso', '0'), + AND(KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT_VDSO', 'is not set'), + CmdlineCheck('cut_attack_surface', 'my', 'vdso32', 'is not set'), + CmdlineCheck('cut_attack_surface', 'my', 'vdso', 'is not set')))] # the vdso and vdso32 parameters must not be 2 # 'cut_attack_surface', 'grsec' # The cmdline checks compatible with the kconfig options disabled by grsecurity... @@ -571,6 +586,13 @@ no_kstrtobool_options = [ 'srbds', # See srbds_parse_cmdline() in arch/x86/kernel/cpu/bugs.c 'mmio_stale_data', # See mmio_stale_data_parse_cmdline() in arch/x86/kernel/cpu/bugs.c 'retbleed', # See retbleed_parse_cmdline() in arch/x86/kernel/cpu/bugs.c + 'rodata', # See set_debug_rodata() in init/main.c + 'ssbd', # See parse_spectre_v4_param() in arch/arm64/kernel/proton-pack.c + 'slub_debug', # See setup_slub_debug() in mm/slub.c + 'iommu', # See iommu_setup() in arch/x86/kernel/pci-dma.c + 'vsyscall', # See vsyscall_setup() in arch/x86/entry/vsyscall/vsyscall_64.c + 'vdso32', # See vdso32_setup() in arch/x86/entry/vdso/vdso32-setup.c + 'vdso', # See vdso32_setup() in arch/x86/entry/vdso/vdso32-setup.c 'tsx' # See tsx_init() in arch/x86/kernel/cpu/tsx.c ]