Merge branch 'master' into typing

diff --git a/.github/workflows/engine_unit-test.yml b/.github/workflows/engine_unit-test.yml
index 8357264f06686955e962a5ab674616de7c066182..86120b0fba8a4115f087736cebed4fef912077f6 100644 (file)
--- a/.github/workflows/engine_unit-test.yml
+++ b/.github/workflows/engine_unit-test.yml
@@ -3,12 +3,12 @@ name: engine unit-test
 on:
   push:
     branches: [ master ]
-  pull_request:
-    branches: [ master ]
 
 jobs:
   engine_unit-test:
 
+    if: github.repository == 'a13xp0p0v/kernel-hardening-checker'
+
     runs-on: ubuntu-latest
 
     strategy:

diff --git a/.github/workflows/engine_unit-test_no-coverage.yml b/.github/workflows/engine_unit-test_no-coverage.yml
new file mode 100644 (file)
index 0000000..7f92b48
--- /dev/null
+++ b/.github/workflows/engine_unit-test_no-coverage.yml
@@ -0,0 +1,32 @@
+name: engine unit-test no coverage
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  engine_unit-test_no-coverage:
+
+    runs-on: ubuntu-latest
+
+    strategy:
+      max-parallel: 1
+      fail-fast: false
+      matrix:
+        python-version: ['3.12']
+
+    steps:
+
+    - name: Set up Python ${{ matrix.python-version }}
+      uses: actions/setup-python@v5
+      with:
+        python-version: ${{ matrix.python-version }}
+
+    - name: Get the source code
+      uses: actions/checkout@v4
+
+    - name: Run unit-tests
+      run: |
+        python -m unittest -v -b

diff --git a/.github/workflows/functional_test.yml b/.github/workflows/functional_test.yml
index b9590eeda6d415736f5a65b68458471df9ee508c..e197bacb6b8f2ce866b7aac0b2e86731d4eb8207 100644 (file)
--- a/.github/workflows/functional_test.yml
+++ b/.github/workflows/functional_test.yml
@@ -3,12 +3,12 @@ name: functional test
 on:
   push:
     branches: [ master ]
-  pull_request:
-    branches: [ master ]
 
 jobs:
   functional_test:
 
+    if: github.repository == 'a13xp0p0v/kernel-hardening-checker'
+
     runs-on: ubuntu-latest
 
     strategy:

diff --git a/.github/workflows/functional_test_no-coverage.yml b/.github/workflows/functional_test_no-coverage.yml
new file mode 100644 (file)
index 0000000..3d02c5a
--- /dev/null
+++ b/.github/workflows/functional_test_no-coverage.yml
@@ -0,0 +1,57 @@
+name: functional test no coverage
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  functional_test_no-coverage:
+
+    runs-on: ubuntu-latest
+
+    strategy:
+      max-parallel: 1
+      fail-fast: false
+      matrix:
+        # Current ubuntu-latest (Ubuntu 22.04) provides the following versions of Python:
+        python-version: ['3.8', '3.9', '3.10', '3.11', '3.12']
+
+    steps:
+
+    - name: Set up Python ${{ matrix.python-version }}
+      uses: actions/setup-python@v5
+      with:
+        python-version: ${{ matrix.python-version }}
+
+    - name: Install package
+      run: |
+        python -m pip install --upgrade pip
+        echo "Install the package via pip..."
+        pip --verbose install git+https://github.com/a13xp0p0v/kernel-hardening-checker
+        echo "Run the installed tool..."
+        kernel-hardening-checker
+
+    - name: Check all configs with the installed tool
+      run: |
+        echo "Check all configs with the installed tool..."
+        sysctl -a > /tmp/sysctls
+        CONFIG_DIR=`find /opt/hostedtoolcache/Python/ -name config_files`
+        KCONFIGS=`find $CONFIG_DIR -type f | grep -e "\.config" -e "\.gz"`
+        COUNT=0
+        for C in $KCONFIGS
+        do
+                COUNT=$(expr $COUNT + 1)
+                echo -e "\n>>>>> checking kconfig number $COUNT <<<<<"
+                kernel-hardening-checker -c $C -l /proc/cmdline -s /tmp/sysctls
+        done
+        echo -e "\nHave checked $COUNT kconfigs"
+
+    - name: Get source code
+      uses: actions/checkout@v4
+
+    - name: Run the functional tests
+      run: |
+        pip install coverage
+        sh .github/workflows/functional_test.sh

diff --git a/kernel_hardening_checker/__init__.py b/kernel_hardening_checker/__init__.py
index 55b7be4cc956a89d6e18d65837664fb810cca231..f4b7525af266163f12b85be854d5ed843165b7de 100644 (file)
--- a/kernel_hardening_checker/__init__.py
+++ b/kernel_hardening_checker/__init__.py
@@ -220,8 +220,8 @@ def parse_sysctl_file(mode, parsed_options, fname):
         sys.exit(f'[!] ERROR: {fname} doesn\'t look like a sysctl output file, please try `sudo sysctl -a > {fname}`')
 
     # let's check the presence of a sysctl option available for root
-    if 'net.core.bpf_jit_harden' not in parsed_options and mode != 'json':
-        print(f'[!] WARNING: sysctl option "net.core.bpf_jit_harden" available for root is not found in {fname}, please try `sudo sysctl -a > {fname}`')
+    if 'kernel.cad_pid' not in parsed_options and mode != 'json':
+        print(f'[!] WARNING: sysctl option "kernel.cad_pid" available for root is not found in {fname}, please try `sudo sysctl -a > {fname}`')
 
 
 def main():

diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py
index a263745720e8f860a933a07eb151676383510cc3..193b374c8ae444628fec525e071134367b5228cb 100644 (file)
--- a/kernel_hardening_checker/checks.py
+++ b/kernel_hardening_checker/checks.py
@@ -26,6 +26,9 @@ def add_kconfig_checks(l, arch: str):
     efi_not_set = KconfigCheck('-', '-', 'EFI', 'is not set')
     cc_is_gcc = KconfigCheck('-', '-', 'CC_IS_GCC', 'y') # exists since v4.18
     cc_is_clang = KconfigCheck('-', '-', 'CC_IS_CLANG', 'y') # exists since v4.18
+    if arch in ('X86_64', 'X86_32'):
+        cpu_sup_amd_not_set = KconfigCheck('-', '-', 'CPU_SUP_AMD', 'is not set')
+        cpu_sup_intel_not_set = KconfigCheck('-', '-', 'CPU_SUP_INTEL', 'is not set')
 
     modules_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'MODULES', 'is not set') # radical, but may be useful in some cases
     devmem_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'DEVMEM', 'is not set') # refers to LOCKDOWN
@@ -65,22 +68,26 @@ def add_kconfig_checks(l, arch: str):
         l += [KconfigCheck('self_protection', 'defconfig', 'DEBUG_WX', 'y')]
         l += [KconfigCheck('self_protection', 'defconfig', 'WERROR', 'y')]
         l += [KconfigCheck('self_protection', 'defconfig', 'X86_MCE', 'y')]
-        l += [KconfigCheck('self_protection', 'defconfig', 'X86_MCE_INTEL', 'y')]
-        l += [KconfigCheck('self_protection', 'defconfig', 'X86_MCE_AMD', 'y')]
         l += [KconfigCheck('self_protection', 'defconfig', 'RETPOLINE', 'y')]
         l += [KconfigCheck('self_protection', 'defconfig', 'SYN_COOKIES', 'y')] # another reason?
         microcode_is_set = KconfigCheck('self_protection', 'defconfig', 'MICROCODE', 'y')
         l += [microcode_is_set] # is needed for mitigating CPU bugs
         l += [OR(KconfigCheck('self_protection', 'defconfig', 'MICROCODE_INTEL', 'y'),
+                 cpu_sup_intel_not_set,
                  AND(microcode_is_set,
                      VersionCheck((6, 6, 0))))] # MICROCODE_INTEL was included in MICROCODE since v6.6
         l += [OR(KconfigCheck('self_protection', 'defconfig', 'MICROCODE_AMD', 'y'),
+                 cpu_sup_amd_not_set,
                  AND(microcode_is_set,
                      VersionCheck((6, 6, 0))))] # MICROCODE_AMD was included in MICROCODE since v6.6
         l += [OR(KconfigCheck('self_protection', 'defconfig', 'X86_SMAP', 'y'),
                  VersionCheck((5, 19, 0)))] # X86_SMAP is enabled by default since v5.19
         l += [OR(KconfigCheck('self_protection', 'defconfig', 'X86_UMIP', 'y'),
                  KconfigCheck('self_protection', 'defconfig', 'X86_INTEL_UMIP', 'y'))]
+        l += [OR(KconfigCheck('self_protection', 'defconfig', 'X86_MCE_INTEL', 'y'),
+                 cpu_sup_intel_not_set)]
+        l += [OR(KconfigCheck('self_protection', 'defconfig', 'X86_MCE_AMD', 'y'),
+                 cpu_sup_amd_not_set)]
     if arch in ('ARM64', 'ARM'):
         l += [KconfigCheck('self_protection', 'defconfig', 'HW_RANDOM_TPM', 'y')]
         l += [KconfigCheck('self_protection', 'defconfig', 'IOMMU_DEFAULT_DMA_STRICT', 'y')]
@@ -90,7 +97,8 @@ def add_kconfig_checks(l, arch: str):
         l += [KconfigCheck('self_protection', 'defconfig', 'PAGE_TABLE_ISOLATION', 'y')]
         l += [KconfigCheck('self_protection', 'defconfig', 'RANDOMIZE_MEMORY', 'y')]
         l += [KconfigCheck('self_protection', 'defconfig', 'X86_KERNEL_IBT', 'y')]
-        l += [KconfigCheck('self_protection', 'defconfig', 'CPU_SRSO', 'y')]
+        l += [OR(KconfigCheck('self_protection', 'defconfig', 'CPU_SRSO', 'y'),
+                 cpu_sup_amd_not_set)]
         l += [AND(KconfigCheck('self_protection', 'defconfig', 'INTEL_IOMMU', 'y'),
                   iommu_support_is_set)]
         l += [AND(KconfigCheck('self_protection', 'defconfig', 'AMD_IOMMU', 'y'),
@@ -274,7 +282,8 @@ def add_kconfig_checks(l, arch: str):
         l += [OR(KconfigCheck('cut_attack_surface', 'defconfig', 'STRICT_DEVMEM', 'y'),
                  devmem_not_set)] # refers to LOCKDOWN
     if arch in ('X86_64', 'X86_32'):
-        l += [KconfigCheck('cut_attack_surface', 'defconfig', 'X86_INTEL_TSX_MODE_OFF', 'y')] # tsx=off
+        l += [OR(KconfigCheck('cut_attack_surface', 'defconfig', 'X86_INTEL_TSX_MODE_OFF', 'y'),
+                 cpu_sup_intel_not_set)] # tsx=off
 
     # 'cut_attack_surface', 'kspp'
     l += [KconfigCheck('cut_attack_surface', 'kspp', 'SECURITY_DMESG_RESTRICT', 'y')]
@@ -548,9 +557,12 @@ def add_cmdline_checks(l, arch: str):
 
     # 'cut_attack_surface', 'defconfig'
     if arch in ('X86_64', 'X86_32'):
+        tsx_not_set = CmdlineCheck('cut_attack_surface', 'defconfig', 'tsx', 'is not set')
         l += [OR(CmdlineCheck('cut_attack_surface', 'defconfig', 'tsx', 'off'),
                  AND(KconfigCheck('cut_attack_surface', 'defconfig', 'X86_INTEL_TSX_MODE_OFF', 'y'),
-                     CmdlineCheck('cut_attack_surface', 'defconfig', 'tsx', 'is not set')))]
+                     tsx_not_set),
+                 AND(KconfigCheck('-', '-', 'CPU_SUP_INTEL', 'is not set'),
+                     tsx_not_set))]
 
     # 'cut_attack_surface', 'kspp'
     l += [CmdlineCheck('cut_attack_surface', 'kspp', 'nosmt', 'is present')] # slow (high performance penalty)
@@ -651,21 +663,34 @@ def add_sysctl_checks(l, _arch: str):
 # Calling the SysctlCheck class constructor:
 #   SysctlCheck(reason, decision, name, expected)
 
-    l += [SysctlCheck('self_protection', 'kspp', 'net.core.bpf_jit_harden', '2')]
+    # Use an omnipresent kconfig symbol to see if we have a kconfig file for checking
+    have_kconfig = KconfigCheck('-', '-', 'LOCALVERSION', 'is present')
+
+    l += [OR(SysctlCheck('self_protection', 'kspp', 'net.core.bpf_jit_harden', '2'),
+             AND(KconfigCheck('-', '-', 'BPF_JIT', 'is not set'),
+                 have_kconfig))]
 
     l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.dmesg_restrict', '1')]
     l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.perf_event_paranoid', '3')] # with a custom patch, see https://lwn.net/Articles/696216/
-    l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kexec_load_disabled', '1')]
     l += [SysctlCheck('cut_attack_surface', 'kspp', 'user.max_user_namespaces', '0')] # may break the upower daemon in Ubuntu
     l += [SysctlCheck('cut_attack_surface', 'kspp', 'dev.tty.ldisc_autoload', '0')]
-    l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.unprivileged_bpf_disabled', '1')]
     l += [SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kptr_restrict', '2')]
     l += [SysctlCheck('cut_attack_surface', 'kspp', 'dev.tty.legacy_tiocsti', '0')]
-    l += [SysctlCheck('cut_attack_surface', 'kspp', 'vm.unprivileged_userfaultfd', '0')]
+    l += [OR(SysctlCheck('cut_attack_surface', 'kspp', 'kernel.kexec_load_disabled', '1'),
+             AND(KconfigCheck('-', '-', 'KEXEC_CORE', 'is not set'),
+                 have_kconfig))]
+    l += [OR(SysctlCheck('cut_attack_surface', 'kspp', 'kernel.unprivileged_bpf_disabled', '1'),
+             AND(KconfigCheck('cut_attack_surface', 'lockdown', 'BPF_SYSCALL', 'is not set'),
+                 have_kconfig))]
+    l += [OR(SysctlCheck('cut_attack_surface', 'kspp', 'vm.unprivileged_userfaultfd', '0'),
+             AND(KconfigCheck('cut_attack_surface', 'grsec', 'USERFAULTFD', 'is not set'),
+                 have_kconfig))]
           # At first, it disabled unprivileged userfaultfd,
           # and since v5.11 it enables unprivileged userfaultfd for user-mode only.
 
-    l += [SysctlCheck('cut_attack_surface', 'clipos', 'kernel.modules_disabled', '1')] # radical, but may be useful in some cases
+    l += [OR(SysctlCheck('cut_attack_surface', 'clipos', 'kernel.modules_disabled', '1'),
+             AND(KconfigCheck('cut_attack_surface', 'kspp', 'MODULES', 'is not set'),
+                 have_kconfig))] # radical, but may be useful in some cases
 
     l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_symlinks', '1')]
     l += [SysctlCheck('harden_userspace', 'kspp', 'fs.protected_hardlinks', '1')]