X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kernel_hardening_checker%2Fchecks.py;h=ef5a514a8953250e36ca8b58d2f44a13ff2ef542;hb=04d2b75c9cafe1aa300040b0028e41e1367a539b;hp=92e97afe5279a9495ef070063b1a6c5837cd81fb;hpb=bd87b1d9d03d10039a0e945ae58c67e4183c0039;p=kconfig-hardened-check.git diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py index 92e97af..ef5a514 100644 --- a/kernel_hardening_checker/checks.py +++ b/kernel_hardening_checker/checks.py @@ -8,13 +8,14 @@ Author: Alexander Popov This module contains knowledge for checks. """ -# pylint: disable=missing-function-docstring,line-too-long,invalid-name +# pylint: disable=missing-function-docstring,line-too-long # pylint: disable=too-many-branches,too-many-statements,too-many-locals -from .engine import KconfigCheck, CmdlineCheck, SysctlCheck, VersionCheck, OR, AND +from typing import List +from .engine import StrOrNone, ChecklistObjType, KconfigCheck, CmdlineCheck, SysctlCheck, VersionCheck, OR, AND -def add_kconfig_checks(l, arch): +def add_kconfig_checks(l: List[ChecklistObjType], arch: str) -> None: assert(arch), 'empty arch' # Calling the KconfigCheck class constructor: @@ -126,6 +127,8 @@ def add_kconfig_checks(l, arch): l += [KconfigCheck('self_protection', 'defconfig', 'DEBUG_ALIGN_RODATA', 'y')] # 'self_protection', 'kspp' + l += [KconfigCheck('self_protection', 'kspp', 'PAGE_TABLE_CHECK', 'y')] + l += [KconfigCheck('self_protection', 'kspp', 'PAGE_TABLE_CHECK_ENFORCED', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'BUG_ON_DATA_CORRUPTION', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'SLAB_FREELIST_HARDENED', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'SLAB_FREELIST_RANDOM', 'y')] @@ -422,7 +425,7 @@ def add_kconfig_checks(l, arch): l += [KconfigCheck('harden_userspace', 'a13xp0p0v', 'X86_USER_SHADOW_STACK', 'y')] -def add_cmdline_checks(l, arch): +def add_cmdline_checks(l: List[ChecklistObjType], arch: str) -> None: assert(arch), 'empty arch' # Calling the CmdlineCheck class constructor: @@ -561,7 +564,7 @@ def add_cmdline_checks(l, arch): l += [OR(CmdlineCheck('cut_attack_surface', 'defconfig', 'tsx', 'off'), AND(KconfigCheck('cut_attack_surface', 'defconfig', 'X86_INTEL_TSX_MODE_OFF', 'y'), tsx_not_set), - AND(KconfigCheck('cut_attack_surface', 'defconfig', 'CPU_SUP_INTEL', 'is not set'), + AND(KconfigCheck('-', '-', 'CPU_SUP_INTEL', 'is not set'), tsx_not_set))] # 'cut_attack_surface', 'kspp' @@ -630,7 +633,7 @@ no_kstrtobool_options = [ ] -def normalize_cmdline_options(option, value): +def normalize_cmdline_options(option: str, value: str) -> str: # Don't normalize the cmdline option values if # the Linux kernel doesn't use kstrtobool() for them if option in no_kstrtobool_options: @@ -646,7 +649,7 @@ def normalize_cmdline_options(option, value): return value -# TODO: draft of security hardening sysctls: +# Ideas of security hardening sysctls: # what about bpf_jit_enable? # vm.mmap_min_addr has a good value # nosmt sysfs control file @@ -657,27 +660,40 @@ def normalize_cmdline_options(option, value): # kernel.warn_limit (think about a proper value) # net.ipv4.tcp_syncookies=1 (?) -def add_sysctl_checks(l, _arch): +def add_sysctl_checks(l: List[ChecklistObjType], _arch: StrOrNone) -> None: # This function may be called with arch=None # Calling the SysctlCheck class constructor: # SysctlCheck(reason, decision, name, expected) - l += [SysctlCheck('self_protection', 'kspp', 'net.core.bpf_jit_harden', '2')] + # Use an omnipresent kconfig symbol to see if we have a kconfig file for checking + have_kconfig = KconfigCheck('-', '-', 'LOCALVERSION', 'is present') + + l += [OR(SysctlCheck('self_protection', 'kspp', 'net.core.bpf_jit_harden', '2'), + AND(KconfigCheck('-', '-', 'BPF_JIT', 'is not set'), + have_kconfig))] l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.dmesg_restrict', '1')] l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.perf_event_paranoid', '3')] # with a custom patch, see https://lwn.net/Articles/696216/ - l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kexec_load_disabled', '1')] l += [SysctlCheck('cut_attack_surface', 'kspp', 'user.max_user_namespaces', '0')] # may break the upower daemon in Ubuntu l += [SysctlCheck('cut_attack_surface', 'kspp', 'dev.tty.ldisc_autoload', '0')] - l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.unprivileged_bpf_disabled', '1')] l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kptr_restrict', '2')] l += [SysctlCheck('cut_attack_surface', 'kspp', 'dev.tty.legacy_tiocsti', '0')] - l += [SysctlCheck('cut_attack_surface', 'kspp', 'vm.unprivileged_userfaultfd', '0')] + l += [OR(SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kexec_load_disabled', '1'), + AND(KconfigCheck('-', '-', 'KEXEC_CORE', 'is not set'), + have_kconfig))] + l += [OR(SysctlCheck('cut_attack_surface', 'kspp', 'kernel.unprivileged_bpf_disabled', '1'), + AND(KconfigCheck('cut_attack_surface', 'lockdown', 'BPF_SYSCALL', 'is not set'), + have_kconfig))] + l += [OR(SysctlCheck('cut_attack_surface', 'kspp', 'vm.unprivileged_userfaultfd', '0'), + AND(KconfigCheck('cut_attack_surface', 'grsec', 'USERFAULTFD', 'is not set'), + have_kconfig))] # At first, it disabled unprivileged userfaultfd, # and since v5.11 it enables unprivileged userfaultfd for user-mode only. - l += [SysctlCheck('cut_attack_surface', 'clipos', 'kernel.modules_disabled', '1')] # radical, but may be useful in some cases + l += [OR(SysctlCheck('cut_attack_surface', 'clipos', 'kernel.modules_disabled', '1'), + AND(KconfigCheck('cut_attack_surface', 'kspp', 'MODULES', 'is not set'), + have_kconfig))] # radical, but may be useful in some cases l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_symlinks', '1')] l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_hardlinks', '1')]