X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2Fchecks.py;h=b24b9f8323cb59de2efeada437664fd0f1fa2bf2;hb=9297ada275232cc9ae6d188f55dbf05fc9c31add;hp=d61473655357d8fb223dd07ed4999f5762061b34;hpb=20e0040299ede214143fe229ef8121d48c3f73b5;p=kconfig-hardened-check.git

diff --git a/kconfig_hardened_check/checks.py b/kconfig_hardened_check/checks.py
index d614736..b24b9f8 100644
--- a/kconfig_hardened_check/checks.py
+++ b/kconfig_hardened_check/checks.py
@@ -31,8 +31,9 @@ This module contains knowledge for checks.
 #    fs.protected_regular=2
 #    fs.suid_dumpable=0
 #    kernel.modules_disabled=1
-#    kernel.randomize_va_space = 2
+#    kernel.randomize_va_space=2
 #    nosmt sysfs control file
+#    dev.tty.legacy_tiocsti=0
 #
 # Think of these boot params:
 #    module.sig_enforce=1
@@ -134,6 +135,7 @@ def add_kconfig_checks(l, arch):
         l += [KconfigCheck('self_protection', 'defconfig', 'CPU_SW_DOMAIN_PAN', 'y')]
         l += [KconfigCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_PREDICTOR', 'y')]
         l += [KconfigCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_HISTORY', 'y')]
+        l += [KconfigCheck('self_protection', 'defconfig', 'DEBUG_ALIGN_RODATA', 'y')]
 
     # 'self_protection', 'kspp'
     l += [KconfigCheck('self_protection', 'kspp', 'BUG_ON_DATA_CORRUPTION', 'y')]
@@ -251,9 +253,9 @@ def add_kconfig_checks(l, arch):
 
     # 'security_policy'
     if arch in ('X86_64', 'ARM64', 'X86_32'):
-        l += [KconfigCheck('security_policy', 'defconfig', 'SECURITY', 'y')] # and choose your favourite LSM
+        l += [KconfigCheck('security_policy', 'defconfig', 'SECURITY', 'y')]
     if arch == 'ARM':
-        l += [KconfigCheck('security_policy', 'kspp', 'SECURITY', 'y')] # and choose your favourite LSM
+        l += [KconfigCheck('security_policy', 'kspp', 'SECURITY', 'y')]
     l += [KconfigCheck('security_policy', 'kspp', 'SECURITY_YAMA', 'y')]
     l += [KconfigCheck('security_policy', 'kspp', 'SECURITY_LANDLOCK', 'y')]
     l += [KconfigCheck('security_policy', 'kspp', 'SECURITY_SELINUX_DISABLE', 'is not set')]
@@ -263,6 +265,10 @@ def add_kconfig_checks(l, arch):
     l += [KconfigCheck('security_policy', 'kspp', 'SECURITY_LOCKDOWN_LSM_EARLY', 'y')]
     l += [KconfigCheck('security_policy', 'kspp', 'LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY', 'y')]
     l += [KconfigCheck('security_policy', 'kspp', 'SECURITY_WRITABLE_HOOKS', 'is not set')] # refers to SECURITY_SELINUX_DISABLE
+    l += [OR(KconfigCheck('security_policy', 'my', 'SECURITY_SELINUX', 'y'),
+             KconfigCheck('security_policy', 'my', 'SECURITY_APPARMOR', 'y'),
+             KconfigCheck('security_policy', 'my', 'SECURITY_SMACK', 'y'),
+             KconfigCheck('security_policy', 'my', 'SECURITY_TOMOYO', 'y'))] # one of major LSMs implementing MAC
 
     # 'cut_attack_surface', 'defconfig'
     l += [KconfigCheck('cut_attack_surface', 'defconfig', 'SECCOMP', 'y')]
@@ -378,6 +384,7 @@ def add_kconfig_checks(l, arch):
     l += [bpf_syscall_not_set] # refers to LOCKDOWN
 
     # 'cut_attack_surface', 'my'
+    l += [KconfigCheck('cut_attack_surface', 'my', 'LEGACY_TIOCSTI', 'is not set')]
     l += [KconfigCheck('cut_attack_surface', 'my', 'MMIOTRACE', 'is not set')] # refers to LOCKDOWN (permissive)
     l += [KconfigCheck('cut_attack_surface', 'my', 'LIVEPATCH', 'is not set')]
     l += [KconfigCheck('cut_attack_surface', 'my', 'IP_DCCP', 'is not set')]
@@ -387,14 +394,11 @@ def add_kconfig_checks(l, arch):
     l += [KconfigCheck('cut_attack_surface', 'my', 'INPUT_EVBUG', 'is not set')] # Can be used as a keylogger
     l += [KconfigCheck('cut_attack_surface', 'my', 'KGDB', 'is not set')]
     l += [KconfigCheck('cut_attack_surface', 'my', 'AIO', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'my', 'CORESIGHT', 'is not set')]
     l += [OR(KconfigCheck('cut_attack_surface', 'my', 'TRIM_UNUSED_KSYMS', 'y'),
              modules_not_set)]
 
     # 'harden_userspace'
-    if arch in ('X86_64', 'ARM64', 'X86_32'):
-        l += [KconfigCheck('harden_userspace', 'defconfig', 'INTEGRITY', 'y')]
-    if arch == 'ARM':
-        l += [KconfigCheck('harden_userspace', 'my', 'INTEGRITY', 'y')]
     if arch == 'ARM64':
         l += [KconfigCheck('harden_userspace', 'defconfig', 'ARM64_PTR_AUTH', 'y')]
         l += [KconfigCheck('harden_userspace', 'defconfig', 'ARM64_BTI', 'y')]
@@ -545,6 +549,9 @@ def add_cmdline_checks(l, arch):
     # 'cut_attack_surface', 'my'
     l += [CmdlineCheck('cut_attack_surface', 'my', 'sysrq_always_enabled', 'is not set')]
 
+    # 'harden_userspace'
+    l += [CmdlineCheck('harden_userspace', 'defconfig', 'norandmaps', 'is not set')]
+
 
 no_kstrtobool_options = [
     'debugfs', # See debugfs_kernel() in fs/debugfs/inode.c