From: Alexander Popov
Date: Mon, 19 Aug 2024 10:27:46 +0000 (+0300)
Subject: Merge branch 'master' into from-jvoisin
X-Git-Tag: v0.6.10~19^2~6
X-Git-Url: https://jxself.org/git/?a=commitdiff_plain;h=4c26c6c8a58281b0e01f173955dab84901fc0a9b;p=kconfig-hardened-check.git

Merge branch 'master' into from-jvoisin
--- 4c26c6c8a58281b0e01f173955dab84901fc0a9b
diff --cc README.md
index d470d3a,68afd04..c86d5b5
--- a/README.md
+++ b/README.md
@@@ -24,10 -44,11 +44,11 @@@ Supported microarchitectures
The security hardening recommendations are based on:
- [KSPP recommended settings][1]
+ - [Direct feedback from the Linux kernel maintainers][23]
- - Last public [grsecurity][3] patch (options which they disable)
++ - Kernel options disabled by [grsecurity][3] to cut attack surface
- [CLIP OS kernel configuration][2]
- - [grsecurity][3] patch (options which they disable)
+ - [GrapheneOS][25] recommendations
- [SECURITY_LOCKDOWN_LSM][5] patchset
- - [Direct feedback from the Linux kernel maintainers][23]

I also created the [__Linux Kernel Defence Map__][4],
which is a graphical representation of the relationships between security hardening features and the corresponding vulnerability classes
diff --cc kernel_hardening_checker/checks.py
index af45c42,5a0a814..11cf397
--- a/kernel_hardening_checker/checks.py
+++ b/kernel_hardening_checker/checks.py
@@@ -376,31 -393,7 +393,22 @@@ def add_kconfig_checks(l: List[Checklis
l += [KconfigCheck('cut_attack_surface', 'grsec', 'SUNRPC_DEBUG', 'is not set')]
l += [AND(KconfigCheck('cut_attack_surface', 'grsec', 'PTDUMP_DEBUGFS', 'is not set'),
KconfigCheck('cut_attack_surface', 'grsec', 'X86_PTDUMP', 'is not set'))]
+ l += [AND(KconfigCheck('cut_attack_surface', 'grsec', 'PTDUMP_DEBUGFS', 'is not set'),
+ KconfigCheck('cut_attack_surface', 'grsec', 'ARM_PTDUMP', 'is not set'))]
+ l += [KconfigCheck('cut_attack_surface', 'grsec', 'X86_16BIT', 'is not set')]
+ l += [KconfigCheck('cut_attack_surface', 'grsec', 'BLK_DEV_UBLK', 'is not set')]
+ l += [KconfigCheck('cut_attack_surface', 'grsec', 'VCAP_KUNIT_TEST', 'is not set')]
+ l += [KconfigCheck('cut_attack_surface', 'grsec', 'SMB_SERVER', 'is not set')]
+ l += [KconfigCheck('cut_attack_surface', 'grsec', 'XFS_ONLINE_SCRUB_STATS', 'is not set')]
+ l += [KconfigCheck('cut_attack_surface', 'grsec', 'BUILD_SALT', 'is not set')]
+ l += [KconfigCheck('cut_attack_surface', 'grsec', 'CACHESTAT_SYSCALL', 'is not set')]
+ l += [KconfigCheck('cut_attack_surface', 'grsec', 'PREEMPTIRQ_TRACEPOINTS', 'is not set')]
+ l += [KconfigCheck('cut_attack_surface', 'grsec', 'ENABLE_DEFAULT_TRACERS', 'is not set')]
+ l += [KconfigCheck('cut_attack_surface', 'grsec', 'PROVE_LOCKING', 'is not set')]
+ l += [KconfigCheck('cut_attack_surface', 'grsec', 'MPTCP', 'is not set')]
+ l += [KconfigCheck('cut_attack_surface', 'grsec', 'TLS', 'is not set')]
+ l += [KconfigCheck('cut_attack_surface', 'grsec', 'TIPC', 'is not set')]
- # 'cut_attack_surface', 'maintainer'
- l += [KconfigCheck('cut_attack_surface', 'maintainer', 'DRM_LEGACY', 'is not set')] # recommended by Daniel Vetter in /issues/38
- l += [KconfigCheck('cut_attack_surface', 'maintainer', 'FB', 'is not set')] # recommended by Daniel Vetter in /issues/38
- l += [KconfigCheck('cut_attack_surface', 'maintainer', 'VT', 'is not set')] # recommended by Daniel Vetter in /issues/38
- l += [KconfigCheck('cut_attack_surface', 'maintainer', 'BLK_DEV_FD', 'is not set')] # recommended by Denis Efremov in /pull/54
- l += [KconfigCheck('cut_attack_surface', 'maintainer', 'BLK_DEV_FD_RAWCMD', 'is not set')] # recommended by Denis Efremov in /pull/62
- l += [KconfigCheck('cut_attack_surface', 'maintainer', 'NOUVEAU_LEGACY_CTX_SUPPORT', 'is not set')]
- # recommended by Dave Airlie in kernel commit b30a43ac7132cdda
- # 'cut_attack_surface', 'clipos'
l += [KconfigCheck('cut_attack_surface', 'clipos', 'STAGING', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'clipos', 'KSM', 'is not set')] # to prevent FLUSH+RELOAD attack
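Review bot: The new `l += [KconfigCheck('cut_attack_surface', 'grsec', 'BUILD_SALT', 'is not set')]` targets a Kconfig string option rather than a bool: the kernel writes it as `CONFIG_BUILD_SALT=""` into every .config, so unless the config parser elsewhere in this project normalises an empty string value to 'is not set' (not visible in this hunk), this check will fail on every kernel, hardened or not, and add noise to the cut_attack_surface results. That is worth confirming against the parser; if it does not, either drop the check or teach the parser to treat `""` as unset, and in either case a one-line note such as `# string option: CONFIG_BUILD_SALT="" is its 'unset' form` would save the next reader the same investigation. The other additions (`MPTCP`, `TLS`, `TIPC`, `SMB_SERVER`, `BLK_DEV_UBLK`, `CACHESTAT_SYSCALL`) are plausible attack-surface cuts, but `TLS` also removes kTLS that NFS-over-TLS and kTLS-enabled web servers depend on, and a short comment on that functional cost would match the neighbouring `# to prevent FLUSH+RELOAD attack` annotation. add_kconfig_checks begins before this hunk and continues after it.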