X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kernel_hardening_checker%2Fchecks.py;h=fda5d46986f4f229c3e839f49f2107751005e907;hb=48ff85596d7c1ed707a74844cfac72d736d0c71c;hp=4b5dee6c5dbcb50502ddb5be64b4405745a135c4;hpb=7a85a7fddae52572d2cc3f51b7d2f1696b69b94a;p=kconfig-hardened-check.git diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py old mode 100644 new mode 100755 index 4b5dee6..fda5d46 --- a/kernel_hardening_checker/checks.py +++ b/kernel_hardening_checker/checks.py @@ -8,13 +8,14 @@ Author: Alexander Popov This module contains knowledge for checks. """ -# pylint: disable=missing-function-docstring,line-too-long,invalid-name +# pylint: disable=missing-function-docstring,line-too-long # pylint: disable=too-many-branches,too-many-statements,too-many-locals -from .engine import KconfigCheck, CmdlineCheck, SysctlCheck, VersionCheck, OR, AND +from typing import List +from .engine import StrOrNone, ChecklistObjType, KconfigCheck, CmdlineCheck, SysctlCheck, VersionCheck, OR, AND -def add_kconfig_checks(l, arch): +def add_kconfig_checks(l: List[ChecklistObjType], arch: str) -> None: assert(arch), 'empty arch' # Calling the KconfigCheck class constructor: @@ -64,11 +65,9 @@ def add_kconfig_checks(l, arch): if arch in ('X86_64', 'ARM64', 'ARM'): l += [vmap_stack_is_set] if arch in ('X86_64', 'X86_32'): - l += [KconfigCheck('self_protection', 'defconfig', 'SPECULATION_MITIGATIONS', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'DEBUG_WX', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'WERROR', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'X86_MCE', 'y')] - l += [KconfigCheck('self_protection', 'defconfig', 'RETPOLINE', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'SYN_COOKIES', 'y')] # another reason? microcode_is_set = KconfigCheck('self_protection', 'defconfig', 'MICROCODE', 'y') l += [microcode_is_set] # is needed for mitigating CPU bugs @@ -88,16 +87,26 @@ def add_kconfig_checks(l, arch): cpu_sup_intel_not_set)] l += [OR(KconfigCheck('self_protection', 'defconfig', 'X86_MCE_AMD', 'y'), cpu_sup_amd_not_set)] + l += [OR(KconfigCheck('self_protection', 'defconfig', 'CPU_MITIGATIONS', 'y'), + KconfigCheck('self_protection', 'defconfig', 'SPECULATION_MITIGATIONS', 'y'))] + l += [OR(KconfigCheck('self_protection', 'defconfig', 'MITIGATION_RETPOLINE', 'y'), + KconfigCheck('self_protection', 'defconfig', 'RETPOLINE', 'y'))] + l += [OR(KconfigCheck('self_protection', 'defconfig', 'MITIGATION_RFDS', 'y'), + cpu_sup_intel_not_set)] + l += [OR(KconfigCheck('self_protection', 'defconfig', 'MITIGATION_SPECTRE_BHI', 'y'), + cpu_sup_intel_not_set)] if arch in ('ARM64', 'ARM'): l += [KconfigCheck('self_protection', 'defconfig', 'HW_RANDOM_TPM', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'IOMMU_DEFAULT_DMA_STRICT', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'IOMMU_DEFAULT_PASSTHROUGH', 'is not set')] # true if IOMMU_DEFAULT_DMA_STRICT is set l += [KconfigCheck('self_protection', 'defconfig', 'STACKPROTECTOR_PER_TASK', 'y')] if arch == 'X86_64': - l += [KconfigCheck('self_protection', 'defconfig', 'PAGE_TABLE_ISOLATION', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'RANDOMIZE_MEMORY', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'X86_KERNEL_IBT', 'y')] - l += [OR(KconfigCheck('self_protection', 'defconfig', 'CPU_SRSO', 'y'), + l += [OR(KconfigCheck('self_protection', 'defconfig', 'MITIGATION_PAGE_TABLE_ISOLATION', 'y'), + KconfigCheck('self_protection', 'defconfig', 'PAGE_TABLE_ISOLATION', 'y'))] + l += [OR(KconfigCheck('self_protection', 'defconfig', 'MITIGATION_SRSO', 'y'), + KconfigCheck('self_protection', 'defconfig', 'CPU_SRSO', 'y'), cpu_sup_amd_not_set)] l += [AND(KconfigCheck('self_protection', 'defconfig', 'INTEL_IOMMU', 'y'), iommu_support_is_set)] @@ -126,6 +135,11 @@ def add_kconfig_checks(l, arch): l += [KconfigCheck('self_protection', 'defconfig', 'DEBUG_ALIGN_RODATA', 'y')] # 'self_protection', 'kspp' + l += [KconfigCheck('self_protection', 'kspp', 'LIST_HARDENED', 'y')] + l += [KconfigCheck('self_protection', 'kspp', 'RANDOM_KMALLOC_CACHES', 'y')] + l += [KconfigCheck('self_protection', 'kspp', 'SLAB_MERGE_DEFAULT', 'is not set')] + l += [KconfigCheck('self_protection', 'kspp', 'PAGE_TABLE_CHECK', 'y')] + l += [KconfigCheck('self_protection', 'kspp', 'PAGE_TABLE_CHECK_ENFORCED', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'BUG_ON_DATA_CORRUPTION', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'SLAB_FREELIST_HARDENED', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'SLAB_FREELIST_RANDOM', 'y')] @@ -152,7 +166,7 @@ def add_kconfig_checks(l, arch): vmap_stack_is_set)] kfence_is_set = KconfigCheck('self_protection', 'kspp', 'KFENCE', 'y') l += [kfence_is_set] - l += [AND(KconfigCheck('self_protection', 'a13xp0p0v', 'KFENCE_SAMPLE_INTERVAL', 'is not off'), + l += [AND(KconfigCheck('self_protection', 'kspp', 'KFENCE_SAMPLE_INTERVAL', 'is not off'), kfence_is_set)] randstruct_is_set = OR(KconfigCheck('self_protection', 'kspp', 'RANDSTRUCT_FULL', 'y'), KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_RANDSTRUCT', 'y')) @@ -233,7 +247,8 @@ def add_kconfig_checks(l, arch): l += [KconfigCheck('self_protection', 'kspp', 'DEFAULT_MMAP_MIN_ADDR', '32768')] l += [KconfigCheck('self_protection', 'kspp', 'SYN_COOKIES', 'y')] # another reason? if arch == 'X86_64': - l += [KconfigCheck('self_protection', 'kspp', 'SLS', 'y')] # vs CVE-2021-26341 in Straight-Line-Speculation + l += [OR(KconfigCheck('self_protection', 'kspp', 'MITIGATION_SLS', 'y'), + KconfigCheck('self_protection', 'kspp', 'SLS', 'y'))] # vs CVE-2021-26341 in Straight-Line-Speculation l += [AND(KconfigCheck('self_protection', 'kspp', 'INTEL_IOMMU_SVM', 'y'), iommu_support_is_set)] l += [AND(KconfigCheck('self_protection', 'kspp', 'AMD_IOMMU_V2', 'y'), @@ -241,21 +256,16 @@ def add_kconfig_checks(l, arch): if arch == 'ARM64': l += [KconfigCheck('self_protection', 'kspp', 'ARM64_SW_TTBR0_PAN', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'SHADOW_CALL_STACK', 'y')] + l += [KconfigCheck('self_protection', 'kspp', 'UNWIND_PATCH_PAC_INTO_SCS', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'KASAN_HW_TAGS', 'y')] # see also: kasan=on, kasan.stacktrace=off, kasan.fault=panic if arch == 'X86_32': - l += [KconfigCheck('self_protection', 'kspp', 'PAGE_TABLE_ISOLATION', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'HIGHMEM64G', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'X86_PAE', 'y')] + l += [OR(KconfigCheck('self_protection', 'kspp', 'MITIGATION_PAGE_TABLE_ISOLATION', 'y'), + KconfigCheck('self_protection', 'kspp', 'PAGE_TABLE_ISOLATION', 'y'))] l += [AND(KconfigCheck('self_protection', 'kspp', 'INTEL_IOMMU', 'y'), iommu_support_is_set)] - # 'self_protection', 'clipos' - l += [KconfigCheck('self_protection', 'clipos', 'SLAB_MERGE_DEFAULT', 'is not set')] - - # 'self_protection', 'a13xp0p0v' - l += [KconfigCheck('self_protection', 'a13xp0p0v', 'LIST_HARDENED', 'y')] - l += [KconfigCheck('self_protection', 'a13xp0p0v', 'RANDOM_KMALLOC_CACHES', 'y')] - # 'security_policy' if arch in ('X86_64', 'ARM64', 'X86_32'): l += [KconfigCheck('security_policy', 'defconfig', 'SECURITY', 'y')] @@ -267,12 +277,14 @@ def add_kconfig_checks(l, arch): l += [KconfigCheck('security_policy', 'kspp', 'SECURITY_SELINUX_BOOTPARAM', 'is not set')] l += [KconfigCheck('security_policy', 'kspp', 'SECURITY_SELINUX_DEVELOP', 'is not set')] l += [KconfigCheck('security_policy', 'kspp', 'SECURITY_WRITABLE_HOOKS', 'is not set')] # refers to SECURITY_SELINUX_DISABLE - l += [KconfigCheck('security_policy', 'a13xp0p0v', 'SECURITY_SELINUX_DEBUG', 'is not set')] + l += [KconfigCheck('security_policy', 'kspp', 'SECURITY_SELINUX_DEBUG', 'is not set')] l += [OR(KconfigCheck('security_policy', 'a13xp0p0v', 'SECURITY_SELINUX', 'y'), KconfigCheck('security_policy', 'a13xp0p0v', 'SECURITY_APPARMOR', 'y'), KconfigCheck('security_policy', 'a13xp0p0v', 'SECURITY_SMACK', 'y'), KconfigCheck('security_policy', 'a13xp0p0v', 'SECURITY_TOMOYO', 'y'))] # one of major LSMs implementing MAC + # N.B. We don't use 'if arch' for the 'cut_attack_surface' checks that require 'is not set'. + # It makes the maintainance easier. These kernel options should be disabled anyway. # 'cut_attack_surface', 'defconfig' l += [KconfigCheck('cut_attack_surface', 'defconfig', 'SECCOMP', 'y')] l += [KconfigCheck('cut_attack_surface', 'defconfig', 'SECCOMP_FILTER', 'y')] @@ -304,6 +316,7 @@ def add_kconfig_checks(l, arch): l += [KconfigCheck('cut_attack_surface', 'kspp', 'OABI_COMPAT', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'kspp', 'X86_MSR', 'is not set')] # refers to LOCKDOWN l += [KconfigCheck('cut_attack_surface', 'kspp', 'LEGACY_TIOCSTI', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'kspp', 'MODULE_FORCE_LOAD', 'is not set')] l += [modules_not_set] l += [devmem_not_set] l += [OR(KconfigCheck('cut_attack_surface', 'kspp', 'IO_STRICT_DEVMEM', 'y'), @@ -377,7 +390,6 @@ def add_kconfig_checks(l, arch): l += [KconfigCheck('cut_attack_surface', 'clipos', 'STAGING', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'clipos', 'KSM', 'is not set')] # to prevent FLUSH+RELOAD attack l += [KconfigCheck('cut_attack_surface', 'clipos', 'KALLSYMS', 'is not set')] - l += [KconfigCheck('cut_attack_surface', 'clipos', 'MAGIC_SYSRQ', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'clipos', 'KEXEC_FILE', 'is not set')] # refers to LOCKDOWN (permissive) l += [KconfigCheck('cut_attack_surface', 'clipos', 'USER_NS', 'is not set')] # user.max_user_namespaces=0 l += [KconfigCheck('cut_attack_surface', 'clipos', 'X86_CPUID', 'is not set')] @@ -386,6 +398,8 @@ def add_kconfig_checks(l, arch): l += [KconfigCheck('cut_attack_surface', 'clipos', 'EFI_CUSTOM_SSDT_OVERLAYS', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'clipos', 'AIO', 'is not set')] # l += [KconfigCheck('cut_attack_surface', 'clipos', 'IKCONFIG', 'is not set')] # no, IKCONFIG is needed for this check :) + l += [OR(KconfigCheck('cut_attack_surface', 'clipos', 'MAGIC_SYSRQ', 'is not set'), + KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'MAGIC_SYSRQ_DEFAULT_ENABLE', '0x0'))] # 'cut_attack_surface', 'lockdown' l += [KconfigCheck('cut_attack_surface', 'lockdown', 'EFI_TEST', 'is not set')] # refers to LOCKDOWN @@ -404,7 +418,6 @@ def add_kconfig_checks(l, arch): l += [KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'KGDB', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'CORESIGHT', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'XFS_SUPPORT_V4', 'is not set')] - l += [KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'MODULE_FORCE_LOAD', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'BLK_DEV_WRITE_MOUNTED', 'is not set')] l += [OR(KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'TRIM_UNUSED_KSYMS', 'y'), modules_not_set)] @@ -419,10 +432,10 @@ def add_kconfig_checks(l, arch): l += [KconfigCheck('harden_userspace', 'clipos', 'COREDUMP', 'is not set')] l += [KconfigCheck('harden_userspace', 'a13xp0p0v', 'ARCH_MMAP_RND_BITS', 'MAX')] # 'MAX' value is refined using ARCH_MMAP_RND_BITS_MAX if arch == 'X86_64': - l += [KconfigCheck('harden_userspace', 'a13xp0p0v', 'X86_USER_SHADOW_STACK', 'y')] + l += [KconfigCheck('harden_userspace', 'kspp', 'X86_USER_SHADOW_STACK', 'y')] -def add_cmdline_checks(l, arch): +def add_cmdline_checks(l: List[ChecklistObjType], arch: str) -> None: assert(arch), 'empty arch' # Calling the CmdlineCheck class constructor: @@ -464,6 +477,10 @@ def add_cmdline_checks(l, arch): l += [OR(CmdlineCheck('self_protection', 'defconfig', 'spectre_v2_user', 'is not off'), AND(CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt'), CmdlineCheck('self_protection', 'defconfig', 'spectre_v2_user', 'is not set')))] + l += [OR(CmdlineCheck('self_protection', 'defconfig', 'spectre_bhi', 'is not off'), + AND(KconfigCheck('self_protection', 'defconfig', 'MITIGATION_SPECTRE_BHI', 'y'), + CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt'), + CmdlineCheck('self_protection', 'defconfig', 'spectre_bhi', 'is not set')))] l += [OR(CmdlineCheck('self_protection', 'defconfig', 'spec_store_bypass_disable', 'is not off'), AND(CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt'), CmdlineCheck('self_protection', 'defconfig', 'spec_store_bypass_disable', 'is not set')))] @@ -491,6 +508,10 @@ def add_cmdline_checks(l, arch): l += [OR(CmdlineCheck('self_protection', 'defconfig', 'gather_data_sampling', 'is not off'), AND(CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt'), CmdlineCheck('self_protection', 'defconfig', 'gather_data_sampling', 'is not set')))] + l += [OR(CmdlineCheck('self_protection', 'defconfig', 'reg_file_data_sampling', 'is not off'), + AND(KconfigCheck('self_protection', 'defconfig', 'MITIGATION_RFDS', 'y'), + CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt'), + CmdlineCheck('self_protection', 'defconfig', 'reg_file_data_sampling', 'is not set')))] if arch == 'ARM64': l += [OR(CmdlineCheck('self_protection', 'defconfig', 'kpti', 'is not off'), AND(CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt'), @@ -610,6 +631,7 @@ no_kstrtobool_options = [ 'pti', # See pti_check_boottime_disable() in arch/x86/mm/pti.c 'spectre_v2', # See spectre_v2_parse_cmdline() in arch/x86/kernel/cpu/bugs.c 'spectre_v2_user', # See spectre_v2_parse_user_cmdline() in arch/x86/kernel/cpu/bugs.c + 'spectre_bhi', # See spectre_bhi_parse_cmdline() in arch/x86/kernel/cpu/bugs.c 'spec_store_bypass_disable', # See ssb_parse_cmdline() in arch/x86/kernel/cpu/bugs.c 'l1tf', # See l1tf_cmdline() in arch/x86/kernel/cpu/bugs.c 'mds', # See mds_cmdline() in arch/x86/kernel/cpu/bugs.c @@ -621,6 +643,7 @@ no_kstrtobool_options = [ 'ssbd', # See parse_spectre_v4_param() in arch/arm64/kernel/proton-pack.c 'spec_rstack_overflow', # See srso_parse_cmdline() in arch/x86/kernel/cpu/bugs.c 'gather_data_sampling', # See gds_parse_cmdline() in arch/x86/kernel/cpu/bugs.c + 'reg_file_data_sampling', # See rfds_parse_cmdline() in arch/x86/kernel/cpu/bugs.c 'slub_debug', # See setup_slub_debug() in mm/slub.c 'iommu', # See iommu_setup() in arch/x86/kernel/pci-dma.c 'vsyscall', # See vsyscall_setup() in arch/x86/entry/vsyscall/vsyscall_64.c @@ -630,7 +653,7 @@ no_kstrtobool_options = [ ] -def normalize_cmdline_options(option, value): +def normalize_cmdline_options(option: str, value: str) -> str: # Don't normalize the cmdline option values if # the Linux kernel doesn't use kstrtobool() for them if option in no_kstrtobool_options: @@ -646,7 +669,7 @@ def normalize_cmdline_options(option, value): return value -# TODO: draft of security hardening sysctls: +# Ideas of security hardening sysctls: # what about bpf_jit_enable? # vm.mmap_min_addr has a good value # nosmt sysfs control file @@ -657,40 +680,40 @@ def normalize_cmdline_options(option, value): # kernel.warn_limit (think about a proper value) # net.ipv4.tcp_syncookies=1 (?) -def add_sysctl_checks(l, _arch): +def add_sysctl_checks(l: List[ChecklistObjType], _arch: StrOrNone) -> None: # This function may be called with arch=None # Calling the SysctlCheck class constructor: # SysctlCheck(reason, decision, name, expected) - # use an omnipresent config symbol to see if we have a config file - have_config_file = KconfigCheck('-', '-', 'DEFAULT_INIT', 'is present') + # Use an omnipresent kconfig symbol to see if we have a kconfig file for checking + have_kconfig = KconfigCheck('-', '-', 'LOCALVERSION', 'is present') + l += [OR(SysctlCheck('self_protection', 'kspp', 'net.core.bpf_jit_harden', '2'), - AND(KconfigCheck('cut_attack_surface', 'kspp', 'BPF_JIT', 'is not set'), - have_config_file))] + AND(KconfigCheck('-', '-', 'BPF_JIT', 'is not set'), + have_kconfig))] l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.dmesg_restrict', '1')] l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.perf_event_paranoid', '3')] # with a custom patch, see https://lwn.net/Articles/696216/ - l += [OR(SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kexec_load_disabled', '1'), - AND(KconfigCheck('cut_attack_surfice', 'kspp', 'KEXEC_CORE', 'is not set'), - have_config_file))] l += [SysctlCheck('cut_attack_surface', 'kspp', 'user.max_user_namespaces', '0')] # may break the upower daemon in Ubuntu l += [SysctlCheck('cut_attack_surface', 'kspp', 'dev.tty.ldisc_autoload', '0')] + l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kptr_restrict', '2')] + l += [SysctlCheck('cut_attack_surface', 'kspp', 'dev.tty.legacy_tiocsti', '0')] + l += [OR(SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kexec_load_disabled', '1'), + AND(KconfigCheck('-', '-', 'KEXEC_CORE', 'is not set'), + have_kconfig))] l += [OR(SysctlCheck('cut_attack_surface', 'kspp', 'kernel.unprivileged_bpf_disabled', '1'), AND(KconfigCheck('cut_attack_surface', 'lockdown', 'BPF_SYSCALL', 'is not set'), - have_config_file))] - l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kptr_restrict', '2')] - l += [OR(SysctlCheck('cut_attack_surface', 'kspp', 'dev.tty.legacy_tiocsti', '0'), - SysctlCheck('cut_attack_surface', 'kspp', 'dev.tty.legacy_tiocsti', 'is not set'))] + have_kconfig))] l += [OR(SysctlCheck('cut_attack_surface', 'kspp', 'vm.unprivileged_userfaultfd', '0'), AND(KconfigCheck('cut_attack_surface', 'grsec', 'USERFAULTFD', 'is not set'), - have_config_file))] + have_kconfig))] # At first, it disabled unprivileged userfaultfd, # and since v5.11 it enables unprivileged userfaultfd for user-mode only. - l += [OR(SysctlCheck('cut_attack_surface', 'clipos', 'kernel.modules_disabled', '1'), # radical, but may be useful in some cases + l += [OR(SysctlCheck('cut_attack_surface', 'clipos', 'kernel.modules_disabled', '1'), AND(KconfigCheck('cut_attack_surface', 'kspp', 'MODULES', 'is not set'), - have_config_file))] + have_kconfig))] # radical, but may be useful in some cases l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_symlinks', '1')] l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_hardlinks', '1')]