X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kernel_hardening_checker%2Fchecks.py;h=69a9fd960c90d8eb521cfa759d6d3c85f2173911;hb=303573e55b87ce142a89d48c0a4d2694cf37cae7;hp=96da656bf14ad4368a0f7fcd0996a7961606dfc3;hpb=0945ed918e4c1278691b491f9dde8b2ba398e401;p=kconfig-hardened-check.git diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py index 96da656..69a9fd9 100644 --- a/kernel_hardening_checker/checks.py +++ b/kernel_hardening_checker/checks.py @@ -27,7 +27,7 @@ def add_kconfig_checks(l, arch): cc_is_gcc = KconfigCheck('-', '-', 'CC_IS_GCC', 'y') # exists since v4.18 cc_is_clang = KconfigCheck('-', '-', 'CC_IS_CLANG', 'y') # exists since v4.18 - modules_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'MODULES', 'is not set') + modules_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'MODULES', 'is not set') # radical, but may be useful in some cases devmem_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'DEVMEM', 'is not set') # refers to LOCKDOWN bpf_syscall_not_set = KconfigCheck('cut_attack_surface', 'lockdown', 'BPF_SYSCALL', 'is not set') # refers to LOCKDOWN @@ -58,14 +58,23 @@ def add_kconfig_checks(l, arch): if arch in ('X86_64', 'ARM64', 'ARM'): l += [KconfigCheck('self_protection', 'defconfig', 'VMAP_STACK', 'y')] if arch in ('X86_64', 'X86_32'): + l += [KconfigCheck('self_protection', 'defconfig', 'SPECULATION_MITIGATIONS', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'DEBUG_WX', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'WERROR', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'X86_MCE', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'X86_MCE_INTEL', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'X86_MCE_AMD', 'y')] - l += [KconfigCheck('self_protection', 'defconfig', 'MICROCODE', 'y')] # is needed for mitigating CPU bugs l += [KconfigCheck('self_protection', 'defconfig', 'RETPOLINE', 'y')] + l += [KconfigCheck('self_protection', 'defconfig', 'CPU_SRSO', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'SYN_COOKIES', 'y')] # another reason? + microcode_is_set = KconfigCheck('self_protection', 'defconfig', 'MICROCODE', 'y') + l += [microcode_is_set] # is needed for mitigating CPU bugs + l += [OR(KconfigCheck('self_protection', 'defconfig', 'MICROCODE_INTEL', 'y'), + AND(microcode_is_set, + VersionCheck((6, 6))))] # MICROCODE_INTEL was included in MICROCODE since v6.6 + l += [OR(KconfigCheck('self_protection', 'defconfig', 'MICROCODE_AMD', 'y'), + AND(microcode_is_set, + VersionCheck((6, 6))))] # MICROCODE_AMD was included in MICROCODE since v6.6 l += [OR(KconfigCheck('self_protection', 'defconfig', 'X86_SMAP', 'y'), VersionCheck((5, 19)))] # X86_SMAP is enabled by default since v5.19 l += [OR(KconfigCheck('self_protection', 'defconfig', 'X86_UMIP', 'y'), @@ -117,9 +126,12 @@ def add_kconfig_checks(l, arch): l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_CREDENTIALS', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_NOTIFIERS', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'INIT_ON_ALLOC_DEFAULT_ON', 'y')] - l += [KconfigCheck('self_protection', 'kspp', 'KFENCE', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'HW_RANDOM_TPM', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'STATIC_USERMODEHELPER', 'y')] # needs userspace support + kfence_is_set = KconfigCheck('self_protection', 'kspp', 'KFENCE', 'y') + l += [kfence_is_set] + l += [AND(KconfigCheck('self_protection', 'my', 'KFENCE_SAMPLE_INTERVAL', 'is not off'), + kfence_is_set)] randstruct_is_set = OR(KconfigCheck('self_protection', 'kspp', 'RANDSTRUCT_FULL', 'y'), KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_RANDSTRUCT', 'y')) l += [randstruct_is_set] @@ -217,6 +229,9 @@ def add_kconfig_checks(l, arch): # 'self_protection', 'clipos' l += [KconfigCheck('self_protection', 'clipos', 'SLAB_MERGE_DEFAULT', 'is not set')] + # 'self_protection', 'my' + l += [KconfigCheck('self_protection', 'my', 'LIST_HARDENED', 'y')] + # 'security_policy' if arch in ('X86_64', 'ARM64', 'X86_32'): l += [KconfigCheck('security_policy', 'defconfig', 'SECURITY', 'y')] @@ -231,6 +246,7 @@ def add_kconfig_checks(l, arch): l += [KconfigCheck('security_policy', 'kspp', 'SECURITY_LOCKDOWN_LSM_EARLY', 'y')] l += [KconfigCheck('security_policy', 'kspp', 'LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY', 'y')] l += [KconfigCheck('security_policy', 'kspp', 'SECURITY_WRITABLE_HOOKS', 'is not set')] # refers to SECURITY_SELINUX_DISABLE + l += [KconfigCheck('security_policy', 'my', 'SECURITY_SELINUX_DEBUG', 'is not set')] l += [OR(KconfigCheck('security_policy', 'my', 'SECURITY_SELINUX', 'y'), KconfigCheck('security_policy', 'my', 'SECURITY_APPARMOR', 'y'), KconfigCheck('security_policy', 'my', 'SECURITY_SMACK', 'y'), @@ -265,6 +281,7 @@ def add_kconfig_checks(l, arch): l += [KconfigCheck('cut_attack_surface', 'kspp', 'MODIFY_LDT_SYSCALL', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'kspp', 'OABI_COMPAT', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'kspp', 'X86_MSR', 'is not set')] # refers to LOCKDOWN + l += [KconfigCheck('cut_attack_surface', 'kspp', 'LEGACY_TIOCSTI', 'is not set')] l += [modules_not_set] l += [devmem_not_set] l += [OR(KconfigCheck('cut_attack_surface', 'kspp', 'IO_STRICT_DEVMEM', 'y'), @@ -354,7 +371,6 @@ def add_kconfig_checks(l, arch): l += [bpf_syscall_not_set] # refers to LOCKDOWN # 'cut_attack_surface', 'my' - l += [KconfigCheck('cut_attack_surface', 'my', 'LEGACY_TIOCSTI', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'my', 'MMIOTRACE', 'is not set')] # refers to LOCKDOWN (permissive) l += [KconfigCheck('cut_attack_surface', 'my', 'LIVEPATCH', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'my', 'IP_DCCP', 'is not set')] @@ -368,6 +384,7 @@ def add_kconfig_checks(l, arch): l += [KconfigCheck('cut_attack_surface', 'my', 'XFS_SUPPORT_V4', 'is not set')] l += [OR(KconfigCheck('cut_attack_surface', 'my', 'TRIM_UNUSED_KSYMS', 'y'), modules_not_set)] + l += [KconfigCheck('cut_attack_surface', 'my', 'MODULE_FORCE_LOAD', 'is not set')] # 'harden_userspace' if arch == 'ARM64': @@ -410,6 +427,7 @@ def add_cmdline_checks(l, arch): l += [CmdlineCheck('self_protection', 'defconfig', 'nospectre_v2', 'is not set')] l += [CmdlineCheck('self_protection', 'defconfig', 'nospectre_bhb', 'is not set')] l += [CmdlineCheck('self_protection', 'defconfig', 'nospec_store_bypass_disable', 'is not set')] + l += [CmdlineCheck('self_protection', 'defconfig', 'dis_ucode_ldr', 'is not set')] l += [CmdlineCheck('self_protection', 'defconfig', 'arm64.nobti', 'is not set')] l += [CmdlineCheck('self_protection', 'defconfig', 'arm64.nopauth', 'is not set')] l += [CmdlineCheck('self_protection', 'defconfig', 'arm64.nomte', 'is not set')] @@ -441,6 +459,12 @@ def add_cmdline_checks(l, arch): l += [OR(CmdlineCheck('self_protection', 'defconfig', 'retbleed', 'is not off'), AND(CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt'), CmdlineCheck('self_protection', 'defconfig', 'retbleed', 'is not set')))] + l += [OR(CmdlineCheck('self_protection', 'defconfig', 'spec_rstack_overflow', 'is not off'), + AND(CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt'), + CmdlineCheck('self_protection', 'defconfig', 'spec_rstack_overflow', 'is not set')))] + l += [OR(CmdlineCheck('self_protection', 'defconfig', 'gather_data_sampling', 'is not off'), + AND(CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt'), + CmdlineCheck('self_protection', 'defconfig', 'gather_data_sampling', 'is not set')))] if arch == 'ARM64': l += [OR(CmdlineCheck('self_protection', 'defconfig', 'kpti', 'is not off'), AND(CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt'), @@ -499,6 +523,11 @@ def add_cmdline_checks(l, arch): if arch in ('X86_64', 'X86_32'): l += [CmdlineCheck('self_protection', 'clipos', 'iommu', 'force')] + # 'self_protection', 'my' + l += [OR(CmdlineCheck('self_protection', 'my', 'kfence.sample_interval', 'is not off'), + AND(KconfigCheck('self_protection', 'my', 'KFENCE_SAMPLE_INTERVAL', 'is not off'), + CmdlineCheck('self_protection', 'my', 'kfence.sample_interval', 'is not set')))] + # 'cut_attack_surface', 'defconfig' if arch in ('X86_64', 'X86_32'): l += [OR(CmdlineCheck('cut_attack_surface', 'defconfig', 'tsx', 'off'), @@ -552,6 +581,8 @@ no_kstrtobool_options = [ 'retbleed', # See retbleed_parse_cmdline() in arch/x86/kernel/cpu/bugs.c 'rodata', # See set_debug_rodata() in init/main.c 'ssbd', # See parse_spectre_v4_param() in arch/arm64/kernel/proton-pack.c + 'spec_rstack_overflow', # See srso_parse_cmdline() in arch/x86/kernel/cpu/bugs.c + 'gather_data_sampling', # See gds_parse_cmdline() in arch/x86/kernel/cpu/bugs.c 'slub_debug', # See setup_slub_debug() in mm/slub.c 'iommu', # See iommu_setup() in arch/x86/kernel/pci-dma.c 'vsyscall', # See vsyscall_setup() in arch/x86/entry/vsyscall/vsyscall_64.c @@ -580,7 +611,6 @@ def normalize_cmdline_options(option, value): # TODO: draft of security hardening sysctls: # what about bpf_jit_enable? # vm.mmap_min_addr has a good value -# kernel.modules_disabled=1 # nosmt sysfs control file # vm.mmap_rnd_bits=max (?) # kernel.sysrq=0 @@ -609,6 +639,8 @@ def add_sysctl_checks(l, arch): # At first, it disabled unprivileged userfaultfd, # and since v5.11 it enables unprivileged userfaultfd for user-mode only. + l += [SysctlCheck('cut_attack_surface', 'clipos', 'kernel.modules_disabled', '1')] # radical, but may be useful in some cases + l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_symlinks', '1')] l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_hardlinks', '1')] l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_fifos', '2')]