From: Alexander Popov
Date: Fri, 10 Jan 2020 14:41:14 +0000 (+0300)
Subject: Take some ideas from NixOS/nixpkgs hardened kernel config
X-Git-Tag: v0.5.5~49
X-Git-Url: https://jxself.org/git/?a=commitdiff_plain;h=5c67369249f22690efe4c96c54ef6b0bd0496c13;hp=14e30b6913c393d4aa0ed5c70e9905ccdf5f1073;p=kconfig-hardened-check.git

Take some ideas from NixOS/nixpkgs hardened kernel config

Add CONFIG_SECURITY_SAFESETID (y) and CONFIG_SECURITY_WRITABLE_HOOKS (n).
Refers to the pull request #27.
---
diff --git a/README.md b/README.md
index b0074b6..c5fdfb1 100644
--- a/README.md
+++ b/README.md
@@ -115,11 +115,13 @@ CONFIG_PAGE_POISONING_NO_SANITY | is not set | my | self_pr
 CONFIG_PAGE_POISONING_ZERO | is not set | my | self_protection | FAIL: CONFIG_PAGE_POISONING is needed
 CONFIG_AMD_IOMMU_V2 | y | my | self_protection | FAIL: "m"
 CONFIG_SECURITY | y |defconfig | security_policy | OK
+CONFIG_SECURITY_WRITABLE_HOOKS | is not set |defconfig | security_policy | OK
 CONFIG_SECURITY_YAMA | y | kspp | security_policy | OK
 CONFIG_SECURITY_LOADPIN | y | my | security_policy | FAIL: "is not set"
 CONFIG_SECURITY_LOCKDOWN_LSM | y | my | security_policy | FAIL: not found
 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY | y | my | security_policy | FAIL: not found
 CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY| y | my | security_policy | FAIL: not found
+CONFIG_SECURITY_SAFESETID | y | my | security_policy | FAIL: not found
 CONFIG_SECCOMP | y |defconfig | cut_attack_surface | OK
 CONFIG_SECCOMP_FILTER | y |defconfig | cut_attack_surface | OK
 CONFIG_STRICT_DEVMEM | y |defconfig | cut_attack_surface | OK
@@ -178,7 +180,7 @@ CONFIG_FTRACE | is not set | my | cut_atta
 CONFIG_BPF_JIT | is not set | my | cut_attack_surface | FAIL: "y"
 CONFIG_ARCH_MMAP_RND_BITS | 32 | clipos |userspace_hardening | FAIL: "28"
-[+] config check is finished: 'OK' - 48 / 'FAIL' - 75
+[+] config check is finished: 'OK' - 49 / 'FAIL' - 76
 ```
 ## kconfig-hardened-check versioning
diff --git a/kconfig-hardened-check.py b/kconfig-hardened-check.py
index f9f412e..2448717 100755
--- a/kconfig-hardened-check.py
+++ b/kconfig-hardened-check.py
@@ -301,11 +301,13 @@ def construct_checklist(checklist, arch):
 checklist.append(OptCheck('SECURITY', 'y', 'defconfig', 'security_policy')) # and choose your favourite LSM
 if debug_mode or arch == 'ARM':
 checklist.append(OptCheck('SECURITY', 'y', 'kspp', 'security_policy')) # and choose your favourite LSM
+ checklist.append(OptCheck('SECURITY_WRITABLE_HOOKS', 'is not set', 'defconfig', 'security_policy'))
 checklist.append(OptCheck('SECURITY_YAMA', 'y', 'kspp', 'security_policy'))
 checklist.append(OptCheck('SECURITY_LOADPIN', 'y', 'my', 'security_policy')) # needs userspace support
 checklist.append(OptCheck('SECURITY_LOCKDOWN_LSM', 'y', 'my', 'security_policy'))
 checklist.append(OptCheck('SECURITY_LOCKDOWN_LSM_EARLY', 'y', 'my', 'security_policy'))
 checklist.append(OptCheck('LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY', 'y', 'my', 'security_policy'))
+ checklist.append(OptCheck('SECURITY_SAFESETID', 'y', 'my', 'security_policy'))
 checklist.append(OptCheck('SECCOMP', 'y', 'defconfig', 'cut_attack_surface'))
 checklist.append(OptCheck('SECCOMP_FILTER', 'y', 'defconfig', 'cut_attack_surface'))
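Review bot: The new `SECURITY_SAFESETID` check reports a plain `y` as OK, but SafeSetID, like LOADPIN on the line above it, does nothing until userspace writes a UID/GID transition policy into its securityfs interface and `safesetid` is actually in the active LSM list, so the line should carry the same caveat as its neighbour: `checklist.append(OptCheck('SECURITY_SAFESETID', 'y', 'my', 'security_policy')) # needs userspace support (policy via securityfs)`. The `SECURITY_WRITABLE_HOOKS` check tests a symbol that is not user-selectable — it is selected by `SECURITY_SELINUX_DISABLE` — so a FAIL here leaves the user hunting for a knob that does not exist in menuconfig; a comment such as `# selected by SECURITY_SELINUX_DISABLE` (or an additional `'is not set'` check on that option) would make the remediation obvious. As far as this hunk shows, neither check verifies that the LSM is enabled in `CONFIG_LSM`, which is what determines whether either option has any effect at runtime. construct_checklist starts before and continues after this hunk.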