Alexander Popov [Mon, 13 May 2024 15:52:39 +0000 (18:52 +0300)]
Add more typing annotations to test_engine.py
Annotate all functions to enable mypy checking for them.
Alexander Popov [Mon, 13 May 2024 15:16:37 +0000 (18:16 +0300)]
Fix mypy typing warnings for ChecklistObjType
Alexander Popov [Mon, 13 May 2024 15:12:35 +0000 (18:12 +0300)]
Add more precise typing for checklist: List[ChecklistObjType]
Alexander Popov [Mon, 13 May 2024 13:26:42 +0000 (16:26 +0300)]
Fix assertion style
Make assertions look similar.
Alexander Popov [Sun, 12 May 2024 23:27:07 +0000 (02:27 +0300)]
Fix mypy typing warnings in engine.py
Alexander Popov [Mon, 13 May 2024 12:07:08 +0000 (15:07 +0300)]
Add more typing annotations to engine.py
Annotate all functions to enable mypy checking for them.
Alexander Popov [Mon, 13 May 2024 11:57:26 +0000 (14:57 +0300)]
Move print_unknown_options() to engine.py
That is better for specifying typing.
Alexander Popov [Sun, 12 May 2024 20:13:57 +0000 (23:13 +0300)]
Add more precise typing for OrderedDict
Alexander Popov [Sun, 12 May 2024 16:20:33 +0000 (19:20 +0300)]
Add more typing annotations to checks.py
Annotate all functions to enable mypy checking for them.
Alexander Popov [Sun, 12 May 2024 16:15:23 +0000 (19:15 +0300)]
Make the static typing work for Python v3.8
Kind of hackish :)
Alexander Popov [Sun, 12 May 2024 15:31:23 +0000 (18:31 +0300)]
Fix mypy typing warnings in __init__.py
Alexander Popov [Sun, 12 May 2024 15:29:25 +0000 (18:29 +0300)]
Add more typing annotations to __init__.py
Annotate all functions to enable mypy checking for them.
Alexander Popov [Sun, 12 May 2024 15:21:44 +0000 (18:21 +0300)]
Fix pylint warnings in _open
Alexander Popov [Sun, 12 May 2024 13:44:29 +0000 (16:44 +0300)]
Fix mypy warning in _open()
kernel_hardening_checker/__init__.py:28: error: Incompatible types in assignment (expression has type overloaded function, variable has type overloaded function) [assignment]
Refactor the _open function to fix this and add the type hint by the way.
Alexander Popov [Sun, 12 May 2024 13:28:03 +0000 (16:28 +0300)]
Fix mypy warning in json_dump()
kernel_hardening_checker/engine.py:119: error: "None" has no attribute "startswith" [attr-defined]
The `json_dump()` function printing the results should not be called
for the OptCheck and ComplexOptCheck objects with empty results.
Julien Voisin [Fri, 3 May 2024 12:51:07 +0000 (12:51 +0000)]
Merge branch 'master' into typing
Alexander Popov [Fri, 3 May 2024 11:26:39 +0000 (14:26 +0300)]
CI: Don't run the tests with coverage control for pull requests
Refers to #126
Alexander Popov [Thu, 2 May 2024 13:02:03 +0000 (16:02 +0300)]
CI: Add a functional test without collecting coverage (tired of codecov failures)
Alexander Popov [Thu, 2 May 2024 12:57:46 +0000 (15:57 +0300)]
CI: Fix the name of engine_unit-test_no_coverage (II)
Alexander Popov [Thu, 2 May 2024 12:53:37 +0000 (15:53 +0300)]
CI: Fix the name of engine_unit-test_no_coverage
Alexander Popov [Thu, 2 May 2024 12:50:53 +0000 (15:50 +0300)]
CI: Add a unit-test without collecting coverage (tired of codecov failures)
Alexander Popov [Thu, 2 May 2024 12:19:05 +0000 (15:19 +0300)]
Merge branch 'skip_sysctl'
Refers to #125.
Thanks for the collaboration, @cotequeiroz
Alexander Popov [Thu, 2 May 2024 12:15:44 +0000 (15:15 +0300)]
Style fixes, should be no functional changes
Alexander Popov [Thu, 2 May 2024 12:09:46 +0000 (15:09 +0300)]
Fix the reason and decision of the KEXEC_CORE check
KSPP doesn't recommend disabling it.
Refers to #125
Alexander Popov [Thu, 2 May 2024 11:52:27 +0000 (14:52 +0300)]
Fix the reason and decision of the BPF_JIT check
KSPP doesn't recommend disabling it.
Refers to #125
Alexander Popov [Thu, 2 May 2024 10:30:42 +0000 (13:30 +0300)]
Restore the `dev.tty.legacy_tiocsti` check
The kernel documentation says:
```
Historically the kernel has allowed TIOCSTI, which will push
characters into a controlling TTY. This continues to be used
as a malicious privilege escalation mechanism, and provides no
meaningful real-world utility any more. Its use is considered
a dangerous legacy operation, and can be disabled on most
systems.
```
https://elixir.bootlin.com/linux/v6.8.8/source/drivers/tty/Kconfig#L152
In other words, not having the `dev.tty.legacy_tiocsti` sysctl means that
the dangerous functionality is enabled by default.
Alexander Popov [Thu, 2 May 2024 09:32:58 +0000 (12:32 +0300)]
Use CONFIG_LOCALVERSION instead of CONFIG_DEFAULT_INIT since it's older
Eneas U de Queiroz [Mon, 8 Apr 2024 21:09:56 +0000 (18:09 -0300)]
skip kernel.modules_disabled if MODULES not set
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Eneas U de Queiroz [Fri, 10 Nov 2023 18:21:19 +0000 (15:21 -0300)]
Skip unprivileged_userfaultfd if USERFAULTFD unset
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Eneas U de Queiroz [Fri, 10 Nov 2023 18:02:57 +0000 (15:02 -0300)]
Don't fail if dev.tty.legacy_tiocsti not found
The sysctl is available for Kernel 6.2 and later only.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Eneas U de Queiroz [Wed, 6 Sep 2023 17:20:53 +0000 (14:20 -0300)]
Skip unprivileged_bpf_disabled if BPF_SYSCALL not set
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Eneas U de Queiroz [Wed, 6 Sep 2023 17:20:53 +0000 (14:20 -0300)]
Skip kexec_load_disabled if KEXEC_CORE is not set
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Eneas U de Queiroz [Wed, 6 Sep 2023 17:20:53 +0000 (14:20 -0300)]
Skip bpf_jit_harden sysctl if BPF_JIT is not set
Also, switch the test for root sysctl to the 'kernel.cad_pid' symbol.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Alexander Popov [Tue, 30 Apr 2024 16:53:56 +0000 (19:53 +0300)]
Merge branch 'cpu_depend'
Thanks, @cotequeiroz.
Refers to #123
jvoisin [Mon, 15 Apr 2024 12:49:22 +0000 (14:49 +0200)]
Add some lightweight typing
Alexander Popov [Tue, 30 Apr 2024 08:02:32 +0000 (11:02 +0300)]
Fix the reason and decision for CPU_SUP_INTEL
Alexander Popov [Tue, 30 Apr 2024 07:59:34 +0000 (10:59 +0300)]
Style fixes
Eneas U de Queiroz [Wed, 6 Sep 2023 13:30:27 +0000 (10:30 -0300)]
Skip CPU-dependent checks if CPU is not supported
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Alexander Popov [Sun, 21 Apr 2024 22:39:17 +0000 (01:39 +0300)]
Like grep, colorize the output only if stdout is connected to a terminal
Nice.
With this, if you redirect the output of kernel-hardening-checker to a file,
it doesn't contain the ANSI escape sequences for colorizing.
Alexander Popov [Sun, 21 Apr 2024 00:12:20 +0000 (03:12 +0300)]
Don't use the `type` name for the class methods
There should be no functional changes.
Alexander Popov [Thu, 18 Apr 2024 06:27:38 +0000 (09:27 +0300)]
Add the BLK_DEV_WRITE_MOUNTED/bdev_allow_write_mounted check
And fix the check order by the way.
Thanks to @izh1979 for the idea
Alexander Popov [Wed, 17 Apr 2024 17:47:09 +0000 (20:47 +0300)]
CI: codecov-action@v3.1.5 with token doesn't work well, go to v4 (facepalm)
Alexander Popov [Wed, 17 Apr 2024 17:32:59 +0000 (20:32 +0300)]
CI: Return to codecov-action@v3.1.5, but with tokens
codecov-action@v4 is unstable and sometimes gives the error:
```
Codecov: Failed to properly create commit: The process '/home/runner/work/_actions/codecov/codecov-action/v4/dist/codecov' failed with exit code 1
```
Alexander Popov [Wed, 17 Apr 2024 17:30:02 +0000 (20:30 +0300)]
CI: Update python versions
Alexander Popov [Wed, 17 Apr 2024 17:08:30 +0000 (20:08 +0300)]
Add the links to the corresponding codecov pages in the README badges
Alexander Popov [Wed, 17 Apr 2024 16:58:53 +0000 (19:58 +0300)]
CI: Move to codecov-action@4
Again, trying to fix the error
```
Codecov: Failed to properly upload: The process '/home/runner/work/_actions/codecov/codecov-action/v3/dist/codecov' failed with exit code 255
```
https://github.com/codecov/codecov-action/issues/598
Alexander Popov [Wed, 17 Apr 2024 16:46:41 +0000 (19:46 +0300)]
CI: Move to codecov-action@v3.1.5
Trying to fix the error
```
Codecov: Failed to properly upload: The process '/home/runner/work/_actions/codecov/codecov-action/v3/dist/codecov' failed with exit code 255
```
https://github.com/codecov/codecov-action/issues/598
Alexander Popov [Wed, 17 Apr 2024 16:27:42 +0000 (19:27 +0300)]
Merge branch 'shstk'
Refers to #114, #120
Thanks, @jvoisin.
Alexander Popov [Wed, 17 Apr 2024 16:12:12 +0000 (19:12 +0300)]
Fix 'decision' for the X86_USER_SHADOW_STACK check
Refers to #114, #120
jvoisin [Mon, 15 Apr 2024 12:05:42 +0000 (14:05 +0200)]
Add a check for X86_USER_SHADOW_STACK
This should close #114
Alexander Popov [Sat, 30 Mar 2024 11:36:34 +0000 (14:36 +0300)]
Add a comment that 'user.max_user_namespaces=0' may break the upower daemon
Alexander Popov [Mon, 25 Mar 2024 19:16:38 +0000 (22:16 +0300)]
Update the README
Alexander Popov [Mon, 25 Mar 2024 18:23:04 +0000 (21:23 +0300)]
Improve the CONFIG_CFI_CLANG checks (add the CONFIG_CC_IS_CLANG dependency)
Refers to #102
Alexander Popov [Mon, 25 Mar 2024 17:40:15 +0000 (20:40 +0300)]
Drop the GCC_PLUGINS check (checking CC_IS_GCC is enough)
Refers to #102
Alexander Popov [Mon, 25 Mar 2024 16:15:23 +0000 (19:15 +0300)]
Add the CONFIG_CC_IS_GCC dependency for gcc plugins
Refers to #102
Alexander Popov [Mon, 25 Mar 2024 07:18:25 +0000 (10:18 +0300)]
Don't require GCC_PLUGINS separately
It's auxiliary for building with gcc and it's not needed for building with
clang.
Refers to #102
Alexander Popov [Sun, 24 Mar 2024 12:52:40 +0000 (15:52 +0300)]
Rename the 'my' check decision to 'a13xp0p0v'
'my' checks look like the checks created by a user of the tool.
Let's fix that and take the responsibility :)
Refers to #50
Alexander Popov [Sun, 17 Mar 2024 22:38:54 +0000 (01:38 +0300)]
Make the table column names and JSON field names fit each other
Refers to #108, #115
Alexander Popov [Sun, 17 Mar 2024 22:16:51 +0000 (01:16 +0300)]
Merge remote-tracking branch 'krishjainx/improve-json-output'
Refers to #108, #115
krishjainx [Sun, 17 Mar 2024 21:43:01 +0000 (17:43 -0400)]
update
krishjainx [Sun, 17 Mar 2024 07:20:27 +0000 (03:20 -0400)]
fix issues
krishjainx [Thu, 14 Mar 2024 10:21:54 +0000 (06:21 -0400)]
Fix tests to work with new JSON schema
krishjainx [Thu, 14 Mar 2024 09:53:19 +0000 (05:53 -0400)]
Improve JSON output format for enhanced processing
Alexander Popov [Mon, 11 Mar 2024 11:00:25 +0000 (14:00 +0300)]
Improve the DEBUG_CREDENTIALS check
Useful DEBUG_CREDENTIALS was dropped in v6.6.8
Refers to #97
Alexander Popov [Sun, 10 Mar 2024 00:00:24 +0000 (03:00 +0300)]
Fix the false result of the REFCOUNT_FULL check for kernels > v5.4.208
Refers to #88, #89
Alexander Popov [Sat, 9 Mar 2024 23:12:35 +0000 (02:12 +0300)]
Have to revert codecov back to v3
Details about the error:
https://github.com/codecov/codecov-action/issues/1292
Alexander Popov [Sat, 9 Mar 2024 22:29:52 +0000 (01:29 +0300)]
Update codecov-action
This fixes the error:
```
Node.js 16 actions are deprecated.
Please update the following actions to use Node.js 20.
```
Alexander Popov [Sat, 9 Mar 2024 22:22:46 +0000 (01:22 +0300)]
Adapt test_version() in the unittest
Refers to #88, #89, #97
Alexander Popov [Sat, 9 Mar 2024 20:46:51 +0000 (23:46 +0300)]
Check all 3 numbers of the kernel version in VersionCheck
Refers to #88, #89, #97
Alexander Popov [Sat, 9 Mar 2024 21:41:49 +0000 (00:41 +0300)]
Fix the fresh set_state() bug found by unittest
This function should write 'self.state' anyway.
Refers to #88, #89, #97
Alexander Popov [Sat, 9 Mar 2024 21:38:25 +0000 (00:38 +0300)]
Make `python -m unittest` show the whole output
Alexander Popov [Sat, 9 Mar 2024 21:26:12 +0000 (00:26 +0300)]
Update github actions
This fixes the error:
```
Node.js 16 actions are deprecated.
Please update the following actions to use Node.js 20.
```
Alexander Popov [Sat, 9 Mar 2024 18:53:47 +0000 (21:53 +0300)]
Implement the set_state() method of the check classes
Refers to #88, #89, #97
Alexander Popov [Sat, 9 Mar 2024 18:16:30 +0000 (21:16 +0300)]
Use 3 numbers in the VersionCheck constructor
Refers to #88, #89, #97
Alexander Popov [Sat, 9 Mar 2024 17:27:08 +0000 (20:27 +0300)]
Parse all numbers of the kernel version
Refers to #88, #89, #97
Alexander Popov [Sat, 9 Mar 2024 17:24:07 +0000 (20:24 +0300)]
Skip the kernel version part after '-'
Example:
```
# Linux/x86_64 6.7.4-200.fc39.x86_64 Kernel Configuration
```
Refers to #88, #89, #97
Alexander Popov [Mon, 4 Mar 2024 20:00:49 +0000 (23:00 +0300)]
Add the ia32_emulation check
Refers to #87, #112
Alexander Popov [Mon, 19 Feb 2024 12:25:09 +0000 (15:25 +0300)]
Add MODULE_SIG_SHA3_512 as a valid option
Refers to #107
Alexander Popov [Sat, 17 Feb 2024 20:33:33 +0000 (23:33 +0300)]
Make LOCKDOWN_LSM 'self_protection', not 'security_policy'
Alexander Popov [Tue, 16 Jan 2024 22:55:02 +0000 (01:55 +0300)]
Ready for the release 0.6.6
Alexander Popov [Tue, 16 Jan 2024 22:54:40 +0000 (01:54 +0300)]
Update issues.md
Alexander Popov [Tue, 16 Jan 2024 22:30:43 +0000 (01:30 +0300)]
Update the README
Alexander Popov [Tue, 16 Jan 2024 22:20:39 +0000 (01:20 +0300)]
Update the Ubuntu example configs
Alexander Popov [Tue, 16 Jan 2024 21:42:56 +0000 (00:42 +0300)]
Don't print the warning about ARCH_MMAP_RND_BITS in the json mode
Alexander Popov [Tue, 16 Jan 2024 20:53:14 +0000 (23:53 +0300)]
Improve the check of DEBUG_NOTIFIERS feature (part 2)
CFI_PERMISSIVE should be disabled. Reacting with a kernel warning
is not enough.
Thanks to @thestinger for the idea.
Refers to #99.
Alexander Popov [Tue, 16 Jan 2024 20:31:11 +0000 (23:31 +0300)]
Improve the check of DEBUG_NOTIFIERS feature
This is what DEBUG_NOTIFIERS performs (see kernel/notifier.c):
```
#ifdef CONFIG_DEBUG_NOTIFIERS
		if (unlikely(!func_ptr_is_kernel_text(nb->notifier_call))) {
			WARN(1, "Invalid notifier called!");
			nb = next_nb;
			continue;
		}
#endif
```
CFI can do the same better.
Thanks to @thestinger for the idea.
Refers to #99.
Alexander Popov [Tue, 16 Jan 2024 19:57:47 +0000 (22:57 +0300)]
Improve the check of SCHED_STACK_END_CHECK.
SCHED_STACK_END_CHECK checks the magic value at the end
of the kernel thread stack, and VMAP_STACK adds guard pages near it.
So they do slightly different things, but VMAP_STACK is more reliable.
Thanks to @thestinger for the idea.
Refers to #98.
Alexander Popov [Tue, 16 Jan 2024 17:33:58 +0000 (20:33 +0300)]
Fix style (III)
Use f-strings.
Alexander Popov [Tue, 16 Jan 2024 17:21:57 +0000 (20:21 +0300)]
Fix style (II)
Alexander Popov [Tue, 16 Jan 2024 17:20:41 +0000 (20:20 +0300)]
Fix style (I)
Alexander Popov [Tue, 16 Jan 2024 08:30:39 +0000 (11:30 +0300)]
Disable pylint too-many-locals, it's not useful for add_kconfig_checks()
Alexander Popov [Tue, 16 Jan 2024 08:26:27 +0000 (11:26 +0300)]
Fix pylint W0613: Unused argument 'arch'
Alexander Popov [Tue, 16 Jan 2024 04:24:32 +0000 (07:24 +0300)]
Fix pylint E1101: Instance of 'OptCheck' has no 'type' member
Alexander Popov [Tue, 16 Jan 2024 04:18:40 +0000 (07:18 +0300)]
Fix pylint W0613: Unused argument 'mode'
Alexander Popov [Mon, 15 Jan 2024 05:35:28 +0000 (08:35 +0300)]
Update the NixOS configs
Alexander Popov [Sun, 14 Jan 2024 14:31:50 +0000 (17:31 +0300)]
Don't add options without explicitly recommended values to Kconfig fragments
That's important for the '--generate' mode.
Alexander Popov [Sun, 14 Jan 2024 12:43:08 +0000 (15:43 +0300)]
UBSAN_SANITIZE_ALL is now available for ARM
Alexander Popov [Sat, 30 Dec 2023 20:44:34 +0000 (23:44 +0300)]
Fix the order in the vdso32 check (part II)
Alexander Popov [Sat, 30 Dec 2023 20:41:01 +0000 (23:41 +0300)]
Fix the order in the vdso32 check
Alexander Popov [Sat, 30 Dec 2023 18:30:14 +0000 (21:30 +0300)]
Improve the hackish refinement of the CONFIG_ARCH_MMAP_RND_BITS check
Don't check CONFIG_ARCH_MMAP_RND_BITS if CONFIG_ARCH_MMAP_RND_BITS_MAX
was not found.