X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kernel_hardening_checker%2Fchecks.py;h=f9b86d91c1d5d096bfc1e370b051f42c91ebc381;hb=HEAD;hp=f5048db019f12e92cafa205b0e5a9008f11f3da7;hpb=499b283c62dd894bceef76b4bdeb84b16ff32b32;p=kconfig-hardened-check.git diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py index f5048db..be2689e 100755 --- a/kernel_hardening_checker/checks.py +++ b/kernel_hardening_checker/checks.py @@ -166,14 +166,14 @@ def add_kconfig_checks(l: List[ChecklistObjType], arch: str) -> None: vmap_stack_is_set)] kfence_is_set = KconfigCheck('self_protection', 'kspp', 'KFENCE', 'y') l += [kfence_is_set] - l += [AND(KconfigCheck('self_protection', 'kspp', 'KFENCE_SAMPLE_INTERVAL', 'is not off'), + l += [AND(KconfigCheck('self_protection', 'kspp', 'KFENCE_SAMPLE_INTERVAL', '100'), kfence_is_set)] randstruct_is_set = OR(KconfigCheck('self_protection', 'kspp', 'RANDSTRUCT_FULL', 'y'), KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_RANDSTRUCT', 'y')) l += [randstruct_is_set] - l += [AND(KconfigCheck('self_protection', 'kspp', 'RANDSTRUCT_PERFORMANCE', 'is not set'), - KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_RANDSTRUCT_PERFORMANCE', 'is not set'), - randstruct_is_set)] +# l += [AND(KconfigCheck('self_protection', 'kspp', 'RANDSTRUCT_PERFORMANCE', 'is not set'), +# KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_RANDSTRUCT_PERFORMANCE', 'is not set'), +# randstruct_is_set)] # Comment this out for now: KSPP has revoked this recommendation hardened_usercopy_is_set = KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY', 'y') l += [hardened_usercopy_is_set] l += [AND(KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY_FALLBACK', 'is not set'), @@ -390,7 +390,6 @@ def add_kconfig_checks(l: List[ChecklistObjType], arch: str) -> None: l += [KconfigCheck('cut_attack_surface', 'clipos', 'STAGING', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'clipos', 'KSM', 'is not set')] # to prevent FLUSH+RELOAD attack l += [KconfigCheck('cut_attack_surface', 'clipos', 'KALLSYMS', 'is not set')] - l += [KconfigCheck('cut_attack_surface', 'clipos', 'MAGIC_SYSRQ', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'clipos', 'KEXEC_FILE', 'is not set')] # refers to LOCKDOWN (permissive) l += [KconfigCheck('cut_attack_surface', 'clipos', 'USER_NS', 'is not set')] # user.max_user_namespaces=0 l += [KconfigCheck('cut_attack_surface', 'clipos', 'X86_CPUID', 'is not set')] @@ -399,6 +398,8 @@ def add_kconfig_checks(l: List[ChecklistObjType], arch: str) -> None: l += [KconfigCheck('cut_attack_surface', 'clipos', 'EFI_CUSTOM_SSDT_OVERLAYS', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'clipos', 'AIO', 'is not set')] # l += [KconfigCheck('cut_attack_surface', 'clipos', 'IKCONFIG', 'is not set')] # no, IKCONFIG is needed for this check :) + l += [OR(KconfigCheck('cut_attack_surface', 'clipos', 'MAGIC_SYSRQ', 'is not set'), + KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'MAGIC_SYSRQ_DEFAULT_ENABLE', '0x0'))] # 'cut_attack_surface', 'lockdown' l += [KconfigCheck('cut_attack_surface', 'lockdown', 'EFI_TEST', 'is not set')] # refers to LOCKDOWN @@ -420,7 +421,8 @@ def add_kconfig_checks(l: List[ChecklistObjType], arch: str) -> None: l += [KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'BLK_DEV_WRITE_MOUNTED', 'is not set')] l += [OR(KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'TRIM_UNUSED_KSYMS', 'y'), modules_not_set)] - + l += [OR(KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'MAGIC_SYSRQ_SERIAL', 'is not set'), + KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'MAGIC_SYSRQ_DEFAULT_ENABLE', '0x0'))] # 'harden_userspace' if arch == 'ARM64': @@ -531,8 +533,9 @@ def add_cmdline_checks(l: List[ChecklistObjType], arch: str) -> None: l += [CmdlineCheck('self_protection', 'kspp', 'slab_merge', 'is not set')] # consequence of 'slab_nomerge' by kspp l += [CmdlineCheck('self_protection', 'kspp', 'slub_merge', 'is not set')] # consequence of 'slab_nomerge' by kspp l += [CmdlineCheck('self_protection', 'kspp', 'page_alloc.shuffle', '1')] + l += [CmdlineCheck('self_protection', 'kspp', 'cfi', 'kcfi')] l += [OR(CmdlineCheck('self_protection', 'kspp', 'slab_nomerge', 'is present'), - AND(KconfigCheck('self_protection', 'clipos', 'SLAB_MERGE_DEFAULT', 'is not set'), + AND(KconfigCheck('self_protection', 'kspp', 'SLAB_MERGE_DEFAULT', 'is not set'), CmdlineCheck('self_protection', 'kspp', 'slab_merge', 'is not set'), CmdlineCheck('self_protection', 'kspp', 'slub_merge', 'is not set')))] l += [OR(CmdlineCheck('self_protection', 'kspp', 'init_on_alloc', '1'), @@ -572,7 +575,7 @@ def add_cmdline_checks(l: List[ChecklistObjType], arch: str) -> None: # 'self_protection', 'a13xp0p0v' l += [OR(CmdlineCheck('self_protection', 'a13xp0p0v', 'kfence.sample_interval', 'is not off'), - AND(KconfigCheck('self_protection', 'a13xp0p0v', 'KFENCE_SAMPLE_INTERVAL', 'is not off'), + AND(KconfigCheck('self_protection', 'kspp', 'KFENCE_SAMPLE_INTERVAL', '100'), CmdlineCheck('self_protection', 'a13xp0p0v', 'kfence.sample_interval', 'is not set')))] # 'cut_attack_surface', 'defconfig' @@ -673,10 +676,7 @@ def normalize_cmdline_options(option: str, value: str) -> str: # vm.mmap_min_addr has a good value # nosmt sysfs control file # vm.mmap_rnd_bits=max (?) -# kernel.sysrq=0 # abi.vsyscall32 (any value except 2) -# kernel.oops_limit (think about a proper value) -# kernel.warn_limit (think about a proper value) # net.ipv4.tcp_syncookies=1 (?) def add_sysctl_checks(l: List[ChecklistObjType], _arch: StrOrNone) -> None: @@ -691,6 +691,12 @@ def add_sysctl_checks(l: List[ChecklistObjType], _arch: StrOrNone) -> None: l += [OR(SysctlCheck('self_protection', 'kspp', 'net.core.bpf_jit_harden', '2'), AND(KconfigCheck('-', '-', 'BPF_JIT', 'is not set'), have_kconfig))] + # Choosing a right value for 'kernel.oops_limit' and 'kernel.warn_limit' is not easy. + # A small value (e.g. 1, which is recommended by KSPP) allows easy DoS. + # A large value (e.g. 10000, which is default 'kernel.oops_limit') may miss the exploit attempt. + # Let's choose 100 as a reasonable compromise. + l += [SysctlCheck('self_protection', 'a13xp0p0v', 'kernel.oops_limit', '100')] + l += [SysctlCheck('self_protection', 'a13xp0p0v', 'kernel.warn_limit', '100')] l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.dmesg_restrict', '1')] l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.perf_event_paranoid', '3')] # with a custom patch, see https://lwn.net/Articles/696216/ @@ -710,10 +716,14 @@ def add_sysctl_checks(l: List[ChecklistObjType], _arch: StrOrNone) -> None: # At first, it disabled unprivileged userfaultfd, # and since v5.11 it enables unprivileged userfaultfd for user-mode only. - l += [OR(SysctlCheck('cut_attack_surface', 'clipos', 'kernel.modules_disabled', '1'), + l += [OR(SysctlCheck('cut_attack_surface', 'kspp', 'kernel.modules_disabled', '1'), AND(KconfigCheck('cut_attack_surface', 'kspp', 'MODULES', 'is not set'), have_kconfig))] # radical, but may be useful in some cases + l += [OR(SysctlCheck('cut_attack_surface', 'a13xp0p0v', 'kernel.sysrq', '0'), + AND(KconfigCheck('cut_attack_surface', 'clipos', 'MAGIC_SYSRQ', 'is not set'), + have_kconfig))] + l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_symlinks', '1')] l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_hardlinks', '1')] l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_fifos', '2')]