X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kernel_hardening_checker%2Fchecks.py;h=e0caab63e10f6d31e4122e5884fa05170c70e049;hb=3ccd5268b84cd2e27c0e56b4903439d8adbdaa2c;hp=feb36ee12877393180b0ed24e28dabfc5552233c;hpb=0e0aa5f1516aeb4ffd9161d1d2c3479fe8caa39d;p=kconfig-hardened-check.git diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py index feb36ee..e0caab6 100644 --- a/kernel_hardening_checker/checks.py +++ b/kernel_hardening_checker/checks.py @@ -241,6 +241,7 @@ def add_kconfig_checks(l, arch): if arch == 'ARM64': l += [KconfigCheck('self_protection', 'kspp', 'ARM64_SW_TTBR0_PAN', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'SHADOW_CALL_STACK', 'y')] + l += [KconfigCheck('self_protection', 'kspp', 'UNWIND_PATCH_PAC_INTO_SCS', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'KASAN_HW_TAGS', 'y')] # see also: kasan=on, kasan.stacktrace=off, kasan.fault=panic if arch == 'X86_32': l += [KconfigCheck('self_protection', 'kspp', 'PAGE_TABLE_ISOLATION', 'y')] @@ -664,34 +665,33 @@ def add_sysctl_checks(l, _arch): # SysctlCheck(reason, decision, name, expected) # Use an omnipresent kconfig symbol to see if we have a kconfig file for checking - have_config_file = KconfigCheck('-', '-', 'LOCALVERSION', 'is present') + have_kconfig = KconfigCheck('-', '-', 'LOCALVERSION', 'is present') l += [OR(SysctlCheck('self_protection', 'kspp', 'net.core.bpf_jit_harden', '2'), - AND(KconfigCheck('cut_attack_surface', 'kspp', 'BPF_JIT', 'is not set'), - have_config_file))] + AND(KconfigCheck('-', '-', 'BPF_JIT', 'is not set'), + have_kconfig))] l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.dmesg_restrict', '1')] l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.perf_event_paranoid', '3')] # with a custom patch, see https://lwn.net/Articles/696216/ - l += [OR(SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kexec_load_disabled', '1'), - AND(KconfigCheck('cut_attack_surfice', 'kspp', 'KEXEC_CORE', 'is not set'), - have_config_file))] l += [SysctlCheck('cut_attack_surface', 'kspp', 'user.max_user_namespaces', '0')] # may break the upower daemon in Ubuntu l += [SysctlCheck('cut_attack_surface', 'kspp', 'dev.tty.ldisc_autoload', '0')] + l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kptr_restrict', '2')] + l += [SysctlCheck('cut_attack_surface', 'kspp', 'dev.tty.legacy_tiocsti', '0')] + l += [OR(SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kexec_load_disabled', '1'), + AND(KconfigCheck('-', '-', 'KEXEC_CORE', 'is not set'), + have_kconfig))] l += [OR(SysctlCheck('cut_attack_surface', 'kspp', 'kernel.unprivileged_bpf_disabled', '1'), AND(KconfigCheck('cut_attack_surface', 'lockdown', 'BPF_SYSCALL', 'is not set'), - have_config_file))] - l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kptr_restrict', '2')] - l += [OR(SysctlCheck('cut_attack_surface', 'kspp', 'dev.tty.legacy_tiocsti', '0'), - SysctlCheck('cut_attack_surface', 'kspp', 'dev.tty.legacy_tiocsti', 'is not set'))] + have_kconfig))] l += [OR(SysctlCheck('cut_attack_surface', 'kspp', 'vm.unprivileged_userfaultfd', '0'), AND(KconfigCheck('cut_attack_surface', 'grsec', 'USERFAULTFD', 'is not set'), - have_config_file))] + have_kconfig))] # At first, it disabled unprivileged userfaultfd, # and since v5.11 it enables unprivileged userfaultfd for user-mode only. - l += [OR(SysctlCheck('cut_attack_surface', 'clipos', 'kernel.modules_disabled', '1'), # radical, but may be useful in some cases + l += [OR(SysctlCheck('cut_attack_surface', 'clipos', 'kernel.modules_disabled', '1'), AND(KconfigCheck('cut_attack_surface', 'kspp', 'MODULES', 'is not set'), - have_config_file))] + have_kconfig))] # radical, but may be useful in some cases l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_symlinks', '1')] l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_hardlinks', '1')]