CONFIG_SLAB_FREELIST_RANDOM | y | ubuntu18 | self_protection || OK
CONFIG_HARDENED_USERCOPY | y | ubuntu18 | self_protection || OK
CONFIG_FORTIFY_SOURCE | y | ubuntu18 | self_protection || OK
- CONFIG_STRICT_DEVMEM | y | ubuntu18 | self_protection || OK
- CONFIG_SYN_COOKIES | y | ubuntu18 | self_protection || OK
- CONFIG_SECCOMP | y | ubuntu18 | self_protection || OK
- CONFIG_SECCOMP_FILTER | y | ubuntu18 | self_protection || OK
CONFIG_MODULE_SIG | y | ubuntu18 | self_protection || OK
CONFIG_MODULE_SIG_ALL | y | ubuntu18 | self_protection || OK
CONFIG_MODULE_SIG_SHA512 | y | ubuntu18 | self_protection || OK
+ CONFIG_SYN_COOKIES | y | ubuntu18 | self_protection || OK
CONFIG_DEFAULT_MMAP_MIN_ADDR | 65536 | ubuntu18 | self_protection || OK
CONFIG_BUG_ON_DATA_CORRUPTION | y | kspp | self_protection || FAIL: "is not set"
CONFIG_PAGE_POISONING | y | kspp | self_protection || FAIL: "is not set"
CONFIG_GCC_PLUGIN_STRUCTLEAK | y | kspp | self_protection || FAIL: not found
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL | y | kspp | self_protection || FAIL: not found
CONFIG_GCC_PLUGIN_LATENT_ENTROPY | y | kspp | self_protection || FAIL: not found
- CONFIG_IO_STRICT_DEVMEM | y | kspp | self_protection || FAIL: "is not set"
CONFIG_REFCOUNT_FULL | y | kspp | self_protection || FAIL: "is not set"
CONFIG_DEBUG_LIST | y | kspp | self_protection || FAIL: "is not set"
CONFIG_DEBUG_SG | y | kspp | self_protection || FAIL: "is not set"
CONFIG_SECURITY | y | ubuntu18 | security_policy || OK
CONFIG_SECURITY_YAMA | y | ubuntu18 | security_policy || OK
CONFIG_SECURITY_SELINUX_DISABLE | is not set | ubuntu18 | security_policy || OK
+ CONFIG_SECCOMP | y | ubuntu18 | cut_attack_surface || OK
+ CONFIG_SECCOMP_FILTER | y | ubuntu18 | cut_attack_surface || OK
+ CONFIG_STRICT_DEVMEM | y | ubuntu18 | cut_attack_surface || OK
CONFIG_ACPI_CUSTOM_METHOD | is not set | ubuntu18 | cut_attack_surface || OK
CONFIG_COMPAT_BRK | is not set | ubuntu18 | cut_attack_surface || OK
CONFIG_DEVKMEM | is not set | ubuntu18 | cut_attack_surface || OK
CONFIG_COMPAT_VDSO | is not set | ubuntu18 | cut_attack_surface || OK
+ CONFIG_IO_STRICT_DEVMEM | y | kspp | cut_attack_surface || FAIL: "is not set"
CONFIG_LEGACY_VSYSCALL_NONE | y | kspp | cut_attack_surface || FAIL: "is not set"
CONFIG_BINFMT_MISC | is not set | kspp | cut_attack_surface || FAIL: "m"
CONFIG_INET_DIAG | is not set | kspp | cut_attack_surface || FAIL: "m"
opt_list.append([Opt('SLAB_FREELIST_RANDOM', 'y', 'ubuntu18', 'self_protection'), ''])
opt_list.append([Opt('HARDENED_USERCOPY', 'y', 'ubuntu18', 'self_protection'), ''])
opt_list.append([Opt('FORTIFY_SOURCE', 'y', 'ubuntu18', 'self_protection'), ''])
- opt_list.append([Opt('STRICT_DEVMEM', 'y', 'ubuntu18', 'self_protection'), ''])
- opt_list.append([Opt('SYN_COOKIES', 'y', 'ubuntu18', 'self_protection'), ''])
- opt_list.append([Opt('SECCOMP', 'y', 'ubuntu18', 'self_protection'), ''])
- opt_list.append([Opt('SECCOMP_FILTER', 'y', 'ubuntu18', 'self_protection'), ''])
opt_list.append([Opt('MODULE_SIG', 'y', 'ubuntu18', 'self_protection'), ''])
opt_list.append([Opt('MODULE_SIG_ALL', 'y', 'ubuntu18', 'self_protection'), ''])
opt_list.append([Opt('MODULE_SIG_SHA512', 'y', 'ubuntu18', 'self_protection'), ''])
+ opt_list.append([Opt('SYN_COOKIES', 'y', 'ubuntu18', 'self_protection'), '']) # another reason?
opt_list.append([Opt('DEFAULT_MMAP_MIN_ADDR', '65536', 'ubuntu18', 'self_protection'), ''])
opt_list.append([Opt('BUG_ON_DATA_CORRUPTION', 'y', 'kspp', 'self_protection'), ''])
opt_list.append([Opt('GCC_PLUGIN_STRUCTLEAK', 'y', 'kspp', 'self_protection'), ''])
opt_list.append([Opt('GCC_PLUGIN_STRUCTLEAK_BYREF_ALL', 'y', 'kspp', 'self_protection'), ''])
opt_list.append([Opt('GCC_PLUGIN_LATENT_ENTROPY', 'y', 'kspp', 'self_protection'), ''])
- opt_list.append([Opt('IO_STRICT_DEVMEM', 'y', 'kspp', 'self_protection'), ''])
opt_list.append([Opt('REFCOUNT_FULL', 'y', 'kspp', 'self_protection'), ''])
opt_list.append([Opt('DEBUG_LIST', 'y', 'kspp', 'self_protection'), ''])
opt_list.append([Opt('DEBUG_SG', 'y', 'kspp', 'self_protection'), ''])
opt_list.append([Opt('SECURITY_YAMA', 'y', 'ubuntu18', 'security_policy'), ''])
opt_list.append([Opt('SECURITY_SELINUX_DISABLE', 'is not set', 'ubuntu18', 'security_policy'), ''])
+ opt_list.append([Opt('SECCOMP', 'y', 'ubuntu18', 'cut_attack_surface'), ''])
+ opt_list.append([Opt('SECCOMP_FILTER', 'y', 'ubuntu18', 'cut_attack_surface'), ''])
+ opt_list.append([Opt('STRICT_DEVMEM', 'y', 'ubuntu18', 'cut_attack_surface'), ''])
opt_list.append([Opt('ACPI_CUSTOM_METHOD', 'is not set', 'ubuntu18', 'cut_attack_surface'), ''])
opt_list.append([Opt('COMPAT_BRK', 'is not set', 'ubuntu18', 'cut_attack_surface'), ''])
opt_list.append([Opt('DEVKMEM', 'is not set', 'ubuntu18', 'cut_attack_surface'), ''])
opt_list.append([Opt('COMPAT_VDSO', 'is not set', 'ubuntu18', 'cut_attack_surface'), ''])
+ opt_list.append([Opt('IO_STRICT_DEVMEM', 'y', 'kspp', 'cut_attack_surface'), ''])
opt_list.append([Opt('LEGACY_VSYSCALL_NONE', 'y', 'kspp', 'cut_attack_surface'), '']) # 'vsyscall=none'
opt_list.append([Opt('BINFMT_MISC', 'is not set', 'kspp', 'cut_attack_surface'), ''])
opt_list.append([Opt('INET_DIAG', 'is not set', 'kspp', 'cut_attack_surface'), ''])
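Review bot: The re-added `SYN_COOKIES` line keeps the `self_protection` category but carries an unresolved `# another reason?` comment, so the rationale for the check is left as an open question in the code. SYN cookies mitigate SYN-flood denial of service in the TCP stack, which is neither kernel self-protection nor attack-surface reduction like the `SECCOMP`/`STRICT_DEVMEM` lines moved in this change. I would replace the comment with something like `# SYN-flood DoS mitigation, not kernel self-protection; TODO: choose a fitting category`, so that readers of the report are not misled about what a passing check gives them. Separately, the sample output in the first section lists `CONFIG_PAGE_POISONING` and `CONFIG_SECURITY`, which do not appear between the neighbouring `opt_list` lines visible here; if that is not an artifact of how the page was captured, the script and the documented output are out of sync. The list continues outside the hunk.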