X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kernel_hardening_checker%2Fchecks.py;h=f9b86d91c1d5d096bfc1e370b051f42c91ebc381;hb=HEAD;hp=42d9407b749e7141d8c1c3dd50091b0020e6ee5f;hpb=d995dd6eab4d14d8400abe16bbf14c3364f99fb6;p=kconfig-hardened-check.git diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py index 42d9407..be2689e 100755 --- a/kernel_hardening_checker/checks.py +++ b/kernel_hardening_checker/checks.py @@ -166,14 +166,14 @@ def add_kconfig_checks(l: List[ChecklistObjType], arch: str) -> None: vmap_stack_is_set)] kfence_is_set = KconfigCheck('self_protection', 'kspp', 'KFENCE', 'y') l += [kfence_is_set] - l += [AND(KconfigCheck('self_protection', 'kspp', 'KFENCE_SAMPLE_INTERVAL', 'is not off'), + l += [AND(KconfigCheck('self_protection', 'kspp', 'KFENCE_SAMPLE_INTERVAL', '100'), kfence_is_set)] randstruct_is_set = OR(KconfigCheck('self_protection', 'kspp', 'RANDSTRUCT_FULL', 'y'), KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_RANDSTRUCT', 'y')) l += [randstruct_is_set] - l += [AND(KconfigCheck('self_protection', 'kspp', 'RANDSTRUCT_PERFORMANCE', 'is not set'), - KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_RANDSTRUCT_PERFORMANCE', 'is not set'), - randstruct_is_set)] +# l += [AND(KconfigCheck('self_protection', 'kspp', 'RANDSTRUCT_PERFORMANCE', 'is not set'), +# KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_RANDSTRUCT_PERFORMANCE', 'is not set'), +# randstruct_is_set)] # Comment this out for now: KSPP has revoked this recommendation hardened_usercopy_is_set = KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY', 'y') l += [hardened_usercopy_is_set] l += [AND(KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY_FALLBACK', 'is not set'), @@ -424,7 +424,6 @@ def add_kconfig_checks(l: List[ChecklistObjType], arch: str) -> None: l += [OR(KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'MAGIC_SYSRQ_SERIAL', 'is not set'), KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'MAGIC_SYSRQ_DEFAULT_ENABLE', '0x0'))] - # 'harden_userspace' if arch == 'ARM64': l += [KconfigCheck('harden_userspace', 'defconfig', 'ARM64_PTR_AUTH', 'y')] @@ -534,8 +533,9 @@ def add_cmdline_checks(l: List[ChecklistObjType], arch: str) -> None: l += [CmdlineCheck('self_protection', 'kspp', 'slab_merge', 'is not set')] # consequence of 'slab_nomerge' by kspp l += [CmdlineCheck('self_protection', 'kspp', 'slub_merge', 'is not set')] # consequence of 'slab_nomerge' by kspp l += [CmdlineCheck('self_protection', 'kspp', 'page_alloc.shuffle', '1')] + l += [CmdlineCheck('self_protection', 'kspp', 'cfi', 'kcfi')] l += [OR(CmdlineCheck('self_protection', 'kspp', 'slab_nomerge', 'is present'), - AND(KconfigCheck('self_protection', 'clipos', 'SLAB_MERGE_DEFAULT', 'is not set'), + AND(KconfigCheck('self_protection', 'kspp', 'SLAB_MERGE_DEFAULT', 'is not set'), CmdlineCheck('self_protection', 'kspp', 'slab_merge', 'is not set'), CmdlineCheck('self_protection', 'kspp', 'slub_merge', 'is not set')))] l += [OR(CmdlineCheck('self_protection', 'kspp', 'init_on_alloc', '1'), @@ -575,7 +575,7 @@ def add_cmdline_checks(l: List[ChecklistObjType], arch: str) -> None: # 'self_protection', 'a13xp0p0v' l += [OR(CmdlineCheck('self_protection', 'a13xp0p0v', 'kfence.sample_interval', 'is not off'), - AND(KconfigCheck('self_protection', 'a13xp0p0v', 'KFENCE_SAMPLE_INTERVAL', 'is not off'), + AND(KconfigCheck('self_protection', 'kspp', 'KFENCE_SAMPLE_INTERVAL', '100'), CmdlineCheck('self_protection', 'a13xp0p0v', 'kfence.sample_interval', 'is not set')))] # 'cut_attack_surface', 'defconfig' @@ -677,8 +677,6 @@ def normalize_cmdline_options(option: str, value: str) -> str: # nosmt sysfs control file # vm.mmap_rnd_bits=max (?) # abi.vsyscall32 (any value except 2) -# kernel.oops_limit (think about a proper value) -# kernel.warn_limit (think about a proper value) # net.ipv4.tcp_syncookies=1 (?) def add_sysctl_checks(l: List[ChecklistObjType], _arch: StrOrNone) -> None: @@ -693,6 +691,12 @@ def add_sysctl_checks(l: List[ChecklistObjType], _arch: StrOrNone) -> None: l += [OR(SysctlCheck('self_protection', 'kspp', 'net.core.bpf_jit_harden', '2'), AND(KconfigCheck('-', '-', 'BPF_JIT', 'is not set'), have_kconfig))] + # Choosing a right value for 'kernel.oops_limit' and 'kernel.warn_limit' is not easy. + # A small value (e.g. 1, which is recommended by KSPP) allows easy DoS. + # A large value (e.g. 10000, which is default 'kernel.oops_limit') may miss the exploit attempt. + # Let's choose 100 as a reasonable compromise. + l += [SysctlCheck('self_protection', 'a13xp0p0v', 'kernel.oops_limit', '100')] + l += [SysctlCheck('self_protection', 'a13xp0p0v', 'kernel.warn_limit', '100')] l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.dmesg_restrict', '1')] l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.perf_event_paranoid', '3')] # with a custom patch, see https://lwn.net/Articles/696216/ @@ -712,7 +716,7 @@ def add_sysctl_checks(l: List[ChecklistObjType], _arch: StrOrNone) -> None: # At first, it disabled unprivileged userfaultfd, # and since v5.11 it enables unprivileged userfaultfd for user-mode only. - l += [OR(SysctlCheck('cut_attack_surface', 'clipos', 'kernel.modules_disabled', '1'), + l += [OR(SysctlCheck('cut_attack_surface', 'kspp', 'kernel.modules_disabled', '1'), AND(KconfigCheck('cut_attack_surface', 'kspp', 'MODULES', 'is not set'), have_kconfig))] # radical, but may be useful in some cases