X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kernel_hardening_checker%2Fchecks.py;h=94cf9504493fe0634465dfd07f31a78b9f19421e;hb=21cec11eb005e77917a7263a0f164a80deca0e04;hp=6b9db7a85f8a38962d3c791d06e1408632e48e73;hpb=b23112f17deaa07ece6c578516deaca678be7f14;p=kconfig-hardened-check.git diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py index 6b9db7a..94cf950 100644 --- a/kernel_hardening_checker/checks.py +++ b/kernel_hardening_checker/checks.py @@ -138,7 +138,8 @@ def add_kconfig_checks(l, arch): VersionCheck((6, 6, 8)))] # DEBUG_CREDENTIALS was dropped in v6.6.8 l += [OR(KconfigCheck('self_protection', 'kspp', 'DEBUG_NOTIFIERS', 'y'), AND(cfi_clang_is_set, - cfi_clang_permissive_not_set))] + cfi_clang_permissive_not_set, + cc_is_clang))] l += [OR(KconfigCheck('self_protection', 'kspp', 'SCHED_STACK_END_CHECK', 'y'), vmap_stack_is_set)] kfence_is_set = KconfigCheck('self_protection', 'kspp', 'KFENCE', 'y') @@ -206,9 +207,11 @@ def add_kconfig_checks(l, arch): cc_is_gcc)] l += [KconfigCheck('self_protection', 'kspp', 'RANDOMIZE_KSTACK_OFFSET_DEFAULT', 'y')] if arch in ('X86_64', 'ARM64'): - l += [cfi_clang_is_set] + l += [AND(cfi_clang_is_set, + cc_is_clang)] l += [AND(cfi_clang_permissive_not_set, - cfi_clang_is_set)] + cfi_clang_is_set, + cc_is_clang)] if arch in ('X86_64', 'X86_32'): l += [KconfigCheck('self_protection', 'kspp', 'HW_RANDOM_TPM', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'DEFAULT_MMAP_MIN_ADDR', '65536')] @@ -392,9 +395,11 @@ def add_kconfig_checks(l, arch): l += [KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'KGDB', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'CORESIGHT', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'XFS_SUPPORT_V4', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'MODULE_FORCE_LOAD', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'BLK_DEV_WRITE_MOUNTED', 'is not set')] l += [OR(KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'TRIM_UNUSED_KSYMS', 'y'), modules_not_set)] - l += [KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'MODULE_FORCE_LOAD', 'is not set')] + # 'harden_userspace' if arch == 'ARM64': @@ -404,6 +409,8 @@ def add_kconfig_checks(l, arch): l += [KconfigCheck('harden_userspace', 'defconfig', 'VMSPLIT_3G', 'y')] l += [KconfigCheck('harden_userspace', 'clipos', 'COREDUMP', 'is not set')] l += [KconfigCheck('harden_userspace', 'a13xp0p0v', 'ARCH_MMAP_RND_BITS', 'MAX')] # 'MAX' value is refined using ARCH_MMAP_RND_BITS_MAX + if arch == 'X86_64': + l += [KconfigCheck('harden_userspace', 'a13xp0p0v', 'X86_USER_SHADOW_STACK', 'y')] def add_cmdline_checks(l, arch): @@ -572,6 +579,9 @@ def add_cmdline_checks(l, arch): # 'cut_attack_surface', 'a13xp0p0v' l += [CmdlineCheck('cut_attack_surface', 'a13xp0p0v', 'sysrq_always_enabled', 'is not set')] + l += [OR(CmdlineCheck('cut_attack_surface', 'a13xp0p0v', 'bdev_allow_write_mounted', '0'), + AND(KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'BLK_DEV_WRITE_MOUNTED', 'is not set'), + CmdlineCheck('cut_attack_surface', 'a13xp0p0v', 'bdev_allow_write_mounted', 'is not set')))] if arch == 'X86_64': l += [OR(CmdlineCheck('cut_attack_surface', 'a13xp0p0v', 'ia32_emulation', '0'), KconfigCheck('cut_attack_surface', 'kspp', 'IA32_EMULATION', 'is not set'), @@ -646,7 +656,7 @@ def add_sysctl_checks(l, _arch): l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.dmesg_restrict', '1')] l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.perf_event_paranoid', '3')] # with a custom patch, see https://lwn.net/Articles/696216/ l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kexec_load_disabled', '1')] - l += [SysctlCheck('cut_attack_surface', 'kspp', 'user.max_user_namespaces', '0')] + l += [SysctlCheck('cut_attack_surface', 'kspp', 'user.max_user_namespaces', '0')] # may break the upower daemon in Ubuntu l += [SysctlCheck('cut_attack_surface', 'kspp', 'dev.tty.ldisc_autoload', '0')] l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.unprivileged_bpf_disabled', '1')] l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kptr_restrict', '2')]