X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2Fchecks.py;h=e30746c9fc0c3af0f4a60ef75a8f8d73b486e7d1;hb=bb1fc8b96945a06841a55fd56b23666fdbdd8b71;hp=850edd2f1bada62488e27465f9ed5beb11742d85;hpb=9bbea5b5bad45aac84aadf83536e31f9bd5e395e;p=kconfig-hardened-check.git diff --git a/kconfig_hardened_check/checks.py b/kconfig_hardened_check/checks.py index 850edd2..e30746c 100644 --- a/kconfig_hardened_check/checks.py +++ b/kconfig_hardened_check/checks.py @@ -1,54 +1,17 @@ #!/usr/bin/python3 """ -This tool helps me to check Linux kernel options against -my security hardening preferences for X86_64, ARM64, X86_32, and ARM. -Let the computers do their job! +This tool is for checking the security hardening options of the Linux kernel. Author: Alexander Popov This module contains knowledge for checks. """ -# N.B. Hardening sysctls: -# kernel.kptr_restrict=2 (or 1?) -# kernel.dmesg_restrict=1 (also see the kconfig option) -# kernel.perf_event_paranoid=2 (or 3 with a custom patch, see https://lwn.net/Articles/696216/) -# kernel.kexec_load_disabled=1 -# kernel.yama.ptrace_scope=3 -# user.max_user_namespaces=0 -# what about bpf_jit_enable? -# kernel.unprivileged_bpf_disabled=1 -# net.core.bpf_jit_harden=2 -# vm.unprivileged_userfaultfd=0 -# (at first, it disabled unprivileged userfaultfd, -# and since v5.11 it enables unprivileged userfaultfd for user-mode only) -# vm.mmap_min_addr has a good value -# dev.tty.ldisc_autoload=0 -# fs.protected_symlinks=1 -# fs.protected_hardlinks=1 -# fs.protected_fifos=2 -# fs.protected_regular=2 -# fs.suid_dumpable=0 -# kernel.modules_disabled=1 -# kernel.randomize_va_space=2 -# nosmt sysfs control file -# dev.tty.legacy_tiocsti=0 -# vm.mmap_rnd_bits=max (?) -# -# Think of these boot params: -# module.sig_enforce=1 -# lockdown=confidentiality -# mce=0 -# nosmt=force -# intel_iommu=on -# amd_iommu=on -# efi=disable_early_pci_dma - # pylint: disable=missing-function-docstring,line-too-long,invalid-name # pylint: disable=too-many-branches,too-many-statements -from .engine import KconfigCheck, CmdlineCheck, VersionCheck, OR, AND +from .engine import KconfigCheck, CmdlineCheck, SysctlCheck, VersionCheck, OR, AND def add_kconfig_checks(l, arch): @@ -112,6 +75,7 @@ def add_kconfig_checks(l, arch): if arch == 'X86_64': l += [KconfigCheck('self_protection', 'defconfig', 'PAGE_TABLE_ISOLATION', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'RANDOMIZE_MEMORY', 'y')] + l += [KconfigCheck('self_protection', 'defconfig', 'X86_KERNEL_IBT', 'y')] l += [AND(KconfigCheck('self_protection', 'defconfig', 'INTEL_IOMMU', 'y'), iommu_support_is_set)] l += [AND(KconfigCheck('self_protection', 'defconfig', 'AMD_IOMMU', 'y'), @@ -164,9 +128,9 @@ def add_kconfig_checks(l, arch): hardened_usercopy_is_set = KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY', 'y') l += [hardened_usercopy_is_set] l += [AND(KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY_FALLBACK', 'is not set'), - hardened_usercopy_is_set)] + hardened_usercopy_is_set)] # usercopy whitelist violations should be prohibited l += [AND(KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY_PAGESPAN', 'is not set'), - hardened_usercopy_is_set)] + hardened_usercopy_is_set)] # this debugging for HARDENED_USERCOPY is not needed for security l += [AND(KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_LATENT_ENTROPY', 'y'), gcc_plugins_support_is_set)] l += [OR(KconfigCheck('self_protection', 'kspp', 'MODULE_SIG', 'y'), @@ -287,7 +251,6 @@ def add_kconfig_checks(l, arch): l += [KconfigCheck('cut_attack_surface', 'kspp', 'ACPI_CUSTOM_METHOD', 'is not set')] # refers to LOCKDOWN l += [KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT_BRK', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'kspp', 'DEVKMEM', 'is not set')] # refers to LOCKDOWN - l += [KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT_VDSO', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'kspp', 'BINFMT_MISC', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'kspp', 'INET_DIAG', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'kspp', 'KEXEC', 'is not set')] # refers to LOCKDOWN @@ -307,8 +270,10 @@ def add_kconfig_checks(l, arch): devmem_not_set)] # refers to LOCKDOWN l += [AND(KconfigCheck('cut_attack_surface', 'kspp', 'LDISC_AUTOLOAD', 'is not set'), KconfigCheck('cut_attack_surface', 'kspp', 'LDISC_AUTOLOAD', 'is present'))] - if arch == 'X86_64': - l += [KconfigCheck('cut_attack_surface', 'kspp', 'LEGACY_VSYSCALL_NONE', 'y')] # 'vsyscall=none' + if arch in ('X86_64', 'X86_32'): + l += [KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT_VDSO', 'is not set')] + # CONFIG_COMPAT_VDSO disabled ASLR of vDSO only on X86_64 and X86_32; + # on ARM64 this option has different meaning if arch == 'ARM': l += [OR(KconfigCheck('cut_attack_surface', 'kspp', 'STRICT_DEVMEM', 'y'), devmem_not_set)] # refers to LOCKDOWN @@ -367,7 +332,6 @@ def add_kconfig_checks(l, arch): l += [KconfigCheck('cut_attack_surface', 'clipos', 'STAGING', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'clipos', 'KSM', 'is not set')] # to prevent FLUSH+RELOAD attack l += [KconfigCheck('cut_attack_surface', 'clipos', 'KALLSYMS', 'is not set')] - l += [KconfigCheck('cut_attack_surface', 'clipos', 'X86_VSYSCALL_EMULATION', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'clipos', 'MAGIC_SYSRQ', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'clipos', 'KEXEC_FILE', 'is not set')] # refers to LOCKDOWN (permissive) l += [KconfigCheck('cut_attack_surface', 'clipos', 'USER_NS', 'is not set')] # user.max_user_namespaces=0 @@ -377,6 +341,11 @@ def add_kconfig_checks(l, arch): l += [KconfigCheck('cut_attack_surface', 'clipos', 'EFI_CUSTOM_SSDT_OVERLAYS', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'clipos', 'COREDUMP', 'is not set')] # cut userspace attack surface # l += [KconfigCheck('cut_attack_surface', 'clipos', 'IKCONFIG', 'is not set')] # no, IKCONFIG is needed for this check :) + if arch == 'X86_64': + l += [OR(KconfigCheck('cut_attack_surface', 'clipos', 'X86_VSYSCALL_EMULATION', 'is not set'), + KconfigCheck('cut_attack_surface', 'kspp', 'LEGACY_VSYSCALL_NONE', 'y'))] + # disabling X86_VSYSCALL_EMULATION turns vsyscall off completely, + # and LEGACY_VSYSCALL_NONE can be changed at boot time via the cmdline parameter # 'cut_attack_surface', 'lockdown' l += [KconfigCheck('cut_attack_surface', 'lockdown', 'EFI_TEST', 'is not set')] # refers to LOCKDOWN @@ -396,6 +365,7 @@ def add_kconfig_checks(l, arch): l += [KconfigCheck('cut_attack_surface', 'my', 'KGDB', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'my', 'AIO', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'my', 'CORESIGHT', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'my', 'XFS_SUPPORT_V4', 'is not set')] l += [OR(KconfigCheck('cut_attack_surface', 'my', 'TRIM_UNUSED_KSYMS', 'y'), modules_not_set)] @@ -479,7 +449,7 @@ def add_cmdline_checks(l, arch): AND(KconfigCheck('self_protection', 'defconfig', 'RODATA_FULL_DEFAULT_ENABLED', 'y'), CmdlineCheck('self_protection', 'defconfig', 'rodata', 'is not set')))] else: - l += [OR(CmdlineCheck('self_protection', 'defconfig', 'rodata', '1'), + l += [OR(CmdlineCheck('self_protection', 'defconfig', 'rodata', 'on'), CmdlineCheck('self_protection', 'defconfig', 'rodata', 'is not set'))] # 'self_protection', 'kspp' @@ -536,8 +506,21 @@ def add_cmdline_checks(l, arch): # 'cut_attack_surface', 'kspp' if arch == 'X86_64': l += [OR(CmdlineCheck('cut_attack_surface', 'kspp', 'vsyscall', 'none'), + KconfigCheck('cut_attack_surface', 'clipos', 'X86_VSYSCALL_EMULATION', 'is not set'), AND(KconfigCheck('cut_attack_surface', 'kspp', 'LEGACY_VSYSCALL_NONE', 'y'), CmdlineCheck('cut_attack_surface', 'kspp', 'vsyscall', 'is not set')))] + l += [OR(CmdlineCheck('cut_attack_surface', 'my', 'vdso32', '1'), + CmdlineCheck('cut_attack_surface', 'my', 'vdso32', '0'), + AND(KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT_VDSO', 'is not set'), + CmdlineCheck('cut_attack_surface', 'my', 'vdso32', 'is not set')))] # the vdso32 parameter must not be 2 + if arch == 'X86_32': + l += [OR(CmdlineCheck('cut_attack_surface', 'my', 'vdso32', '1'), + CmdlineCheck('cut_attack_surface', 'my', 'vdso', '1'), + CmdlineCheck('cut_attack_surface', 'my', 'vdso32', '0'), + CmdlineCheck('cut_attack_surface', 'my', 'vdso', '0'), + AND(KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT_VDSO', 'is not set'), + CmdlineCheck('cut_attack_surface', 'my', 'vdso32', 'is not set'), + CmdlineCheck('cut_attack_surface', 'my', 'vdso', 'is not set')))] # the vdso and vdso32 parameters must not be 2 # 'cut_attack_surface', 'grsec' # The cmdline checks compatible with the kconfig options disabled by grsecurity... @@ -564,6 +547,13 @@ no_kstrtobool_options = [ 'srbds', # See srbds_parse_cmdline() in arch/x86/kernel/cpu/bugs.c 'mmio_stale_data', # See mmio_stale_data_parse_cmdline() in arch/x86/kernel/cpu/bugs.c 'retbleed', # See retbleed_parse_cmdline() in arch/x86/kernel/cpu/bugs.c + 'rodata', # See set_debug_rodata() in init/main.c + 'ssbd', # See parse_spectre_v4_param() in arch/arm64/kernel/proton-pack.c + 'slub_debug', # See setup_slub_debug() in mm/slub.c + 'iommu', # See iommu_setup() in arch/x86/kernel/pci-dma.c + 'vsyscall', # See vsyscall_setup() in arch/x86/entry/vsyscall/vsyscall_64.c + 'vdso32', # See vdso32_setup() in arch/x86/entry/vdso/vdso32-setup.c + 'vdso', # See vdso32_setup() in arch/x86/entry/vdso/vdso32-setup.c 'tsx' # See tsx_init() in arch/x86/kernel/cpu/tsx.c ] @@ -575,10 +565,48 @@ def normalize_cmdline_options(option, value): return value # Implement a limited part of the kstrtobool() logic - if value in ('1', 'on', 'On', 'ON', 'y', 'Y', 'yes', 'Yes', 'YES'): + if value.lower() in ('1', 'on', 'y', 'yes', 't', 'true'): return '1' - if value in ('0', 'off', 'Off', 'OFF', 'n', 'N', 'no', 'No', 'NO'): + if value.lower() in ('0', 'off', 'n', 'no', 'f', 'false'): return '0' # Preserve unique values return value + + +def add_sysctl_checks(l, arch): +# TODO: draft of security hardening sysctls: +# kernel.kptr_restrict=2 (or 1?) +# kernel.perf_event_paranoid=2 (or 3 with a custom patch, see https://lwn.net/Articles/696216/) +# kernel.kexec_load_disabled=1 +# kernel.yama.ptrace_scope=3 +# user.max_user_namespaces=0 (for Debian, also see kernel.unprivileged_userns_clone) +# what about bpf_jit_enable? +# kernel.unprivileged_bpf_disabled=1 +# vm.unprivileged_userfaultfd=0 +# (at first, it disabled unprivileged userfaultfd, +# and since v5.11 it enables unprivileged userfaultfd for user-mode only) +# vm.mmap_min_addr has a good value +# dev.tty.ldisc_autoload=0 +# fs.protected_symlinks=1 +# fs.protected_hardlinks=1 +# fs.protected_fifos=2 +# fs.protected_regular=2 +# fs.suid_dumpable=0 +# kernel.modules_disabled=1 +# kernel.randomize_va_space=2 +# nosmt sysfs control file +# dev.tty.legacy_tiocsti=0 +# vm.mmap_rnd_bits=max (?) +# kernel.sysrq=0 +# abi.vsyscall32 (any value except 2) +# kernel.oops_limit (think about a proper value) +# kernel.warn_limit (think about a proper value) +# net.ipv4.tcp_syncookies=1 (?) +# +# Calling the SysctlCheck class constructor: +# SysctlCheck(reason, decision, name, expected) + + l += [SysctlCheck('self_protection', 'kspp', 'net.core.bpf_jit_harden', '2')] + + l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.dmesg_restrict', '1')]