Alexander Popov [Tue, 17 Oct 2023 15:53:32 +0000 (18:53 +0300)]
Add the 'kernel.yama.ptrace_scope' check
Alexander Popov [Tue, 17 Oct 2023 15:52:57 +0000 (18:52 +0300)]
Add the 'kernel.kptr_restrict' check
Alexander Popov [Tue, 17 Oct 2023 05:38:51 +0000 (08:38 +0300)]
Improve the slab_common.usercopy_fallback check
Don't require slab_common.usercopy_fallback=0,
since HARDENED_USERCOPY_FALLBACK was removed in Linux v5.16
Alexander Popov [Tue, 17 Oct 2023 05:35:00 +0000 (08:35 +0300)]
hardened_usercopy=1 is now officially recommended by KSPP
Alexander Popov [Mon, 16 Oct 2023 20:40:15 +0000 (23:40 +0300)]
Enabling page_alloc.shuffle is now recommended by KSPP
Alexander Popov [Mon, 16 Oct 2023 20:22:59 +0000 (23:22 +0300)]
'mitigations=auto,nosmt' is now recommended by KSPP
Alexander Popov [Mon, 16 Oct 2023 05:13:29 +0000 (08:13 +0300)]
Disabling X86_VSYSCALL_EMULATION is now recommended by KSPP
Alexander Popov [Mon, 16 Oct 2023 04:31:36 +0000 (07:31 +0300)]
Use /usr/bin/env in shebangs (#90)
Thanks, @SuperSandro2000
Sandro Jäckel [Thu, 5 Oct 2023 22:41:00 +0000 (00:41 +0200)]
Use /usr/bin/env in shebangs
This is guaranteed to work everything including NixOS
Alexander Popov [Wed, 4 Oct 2023 18:21:21 +0000 (21:21 +0300)]
Drop ZERO_CALL_USED_REGS in favour of backward-edge CFI
This option isn't worth the performance impact.
Refers to #82.
Alexander Popov [Mon, 18 Sep 2023 20:56:21 +0000 (23:56 +0300)]
Update the README
Alexander Popov [Mon, 18 Sep 2023 05:58:44 +0000 (08:58 +0300)]
Refactor the assertion in colorize_result() to improve test coverage
Alexander Popov [Sun, 17 Sep 2023 22:56:10 +0000 (01:56 +0300)]
Update the backup in issues.md
Alexander Popov [Sun, 17 Sep 2023 22:29:39 +0000 (01:29 +0300)]
Rename kconfig-hardened-check into kernel-hardening-checker (#85)
**kconfig-hardened-check** is a tool for checking the security hardening
options of the Linux kernel.
In addition to Kconfig options, it now can check kernel cmdline
arguments and sysctl parameters.
It's time to give this project a new name that describes it better:
**kernel-hardening-checker**.
Alexander Popov [Sun, 10 Sep 2023 11:45:03 +0000 (14:45 +0300)]
Renaming fixes
Alexander Popov [Sat, 9 Sep 2023 20:19:46 +0000 (23:19 +0300)]
Drop default.nix (it contains a wrong utility name anyway)
Alexander Popov [Sat, 9 Sep 2023 20:18:12 +0000 (23:18 +0300)]
kconfig-hardened-check -> kernel-hardening-checker
Alexander Popov [Sun, 17 Sep 2023 16:46:18 +0000 (19:46 +0300)]
test_engine: add test_complex_nested()
AND(AND()), OR(OR()) are not supported intentionally.
Alexander Popov [Sun, 17 Sep 2023 16:42:47 +0000 (19:42 +0300)]
test_engine: improve the output
Alexander Popov [Sat, 16 Sep 2023 18:26:33 +0000 (21:26 +0300)]
test_engine: improve the test_stdout()
(The nested AND/OR should be tested separately, stay tuned)
Alexander Popov [Thu, 14 Sep 2023 21:31:52 +0000 (00:31 +0300)]
test_engine: refactor test_complex_or() and test_complex_and()
Alexander Popov [Wed, 13 Sep 2023 22:07:47 +0000 (01:07 +0300)]
Don't remove ANSI colors, adapt the testcases instead
This rewrites the commit
aa7e1bffebde9d4f1855df93819cea75a5bc4c79.
Refers to #86.
Alexander Popov [Wed, 13 Sep 2023 22:06:19 +0000 (01:06 +0300)]
Add colors to output (#86)
Shows OK in green and FAIL in red
Thanks to @frakman1.
Refers to #81. Needs fixing `test_stdout()` in the unit-test.
Frak [Tue, 12 Sep 2023 15:47:28 +0000 (11:47 -0400)]
Adjust test scripts to scrub ANSI colors from output
Frak [Mon, 11 Sep 2023 22:46:50 +0000 (18:46 -0400)]
Fix pylints and verbose/None case
Frak [Sun, 10 Sep 2023 20:29:51 +0000 (16:29 -0400)]
fix typo
Frak [Sun, 10 Sep 2023 17:40:59 +0000 (13:40 -0400)]
cleanup spaces
Frak [Sat, 9 Sep 2023 21:17:54 +0000 (17:17 -0400)]
cleanup
Frak [Sat, 9 Sep 2023 21:09:18 +0000 (17:09 -0400)]
re-factoring
Frak [Sat, 9 Sep 2023 18:18:39 +0000 (14:18 -0400)]
Add colors for OK and FAIL cases
Alexander Popov [Sun, 3 Sep 2023 20:41:26 +0000 (23:41 +0300)]
Fix arch conditions for some CmdlineChecks
By the way, don't add `if arch` for checks that require 'is not set'
(there is nothing wrong with that).
Alexander Popov [Mon, 28 Aug 2023 11:26:17 +0000 (14:26 +0300)]
Make the functional tests more informative
Drop `> /dev/null` for non-verbose output of the tool.
Alexander Popov [Mon, 28 Aug 2023 11:20:13 +0000 (14:20 +0300)]
Test more wrong combinations of options
Alexander Popov [Mon, 28 Aug 2023 11:02:00 +0000 (14:02 +0300)]
Test checking sysctl separately
Alexander Popov [Sun, 27 Aug 2023 20:31:55 +0000 (23:31 +0300)]
Support separate sysctl checking (without kconfig)
Alexander Popov [Mon, 14 Aug 2023 20:47:09 +0000 (23:47 +0300)]
Improve coverage of the functional test a bit
Alexander Popov [Mon, 14 Aug 2023 18:48:07 +0000 (21:48 +0300)]
Clean .gitignore
Alexander Popov [Mon, 14 Aug 2023 16:42:15 +0000 (19:42 +0300)]
Show git information in the functional test
Alexander Popov [Mon, 14 Aug 2023 15:56:39 +0000 (18:56 +0300)]
Test an invalid sysctl file
Alexander Popov [Mon, 14 Aug 2023 15:56:13 +0000 (18:56 +0300)]
Test an unexpected line in the sysctl file
Alexander Popov [Mon, 14 Aug 2023 15:53:25 +0000 (18:53 +0300)]
Test an unexpected line in the Kconfig file
Alexander Popov [Mon, 14 Aug 2023 15:39:18 +0000 (18:39 +0300)]
Drop `if __name__ == "__main__"` from ./bin/kconfig-hardened-check
It always runs as a main program.
Alexander Popov [Mon, 14 Aug 2023 13:02:21 +0000 (16:02 +0300)]
Turn the warning about unexpected line in Kconfig file into an error
Alexander Popov [Mon, 14 Aug 2023 12:22:34 +0000 (15:22 +0300)]
Update the README (add the --sysctl mode)
Alexander Popov [Sun, 13 Aug 2023 21:22:57 +0000 (00:22 +0300)]
Add the Kconfig file of Fedora 38
Alexander Popov [Sun, 13 Aug 2023 21:08:22 +0000 (00:08 +0300)]
Use example_sysctls.txt in the functional test
This file was made with root privileges, so it has a full list of sysctls.
Alexander Popov [Sun, 13 Aug 2023 20:59:26 +0000 (23:59 +0300)]
Add an example sysctl output file
Alexander Popov [Sun, 13 Aug 2023 19:39:11 +0000 (22:39 +0300)]
Add the / symbol to the sysctl parsing pattern
The GitHub Actions virtual machine has such a sysctl:
fs.binfmt_misc.llvm-14-runtime/binfmt = enabled
This example shows that sysctl names may contain the / symbol.
Alexander Popov [Sun, 13 Aug 2023 17:37:28 +0000 (20:37 +0300)]
Add --sysctl to functional testing
Refers to #65
Alexander Popov [Sun, 13 Aug 2023 17:04:32 +0000 (20:04 +0300)]
Improve checking the combinations of flags in the functional test
Alexander Popov [Sun, 13 Aug 2023 16:54:42 +0000 (19:54 +0300)]
Fix syntax to run on the Woodpecker 1.0.0 CI (part II)
Alexander Popov [Sun, 13 Aug 2023 16:50:42 +0000 (19:50 +0300)]
Fix syntax to run on the Woodpecker 1.0.0 CI
Alexander Popov [Sun, 13 Aug 2023 16:49:08 +0000 (19:49 +0300)]
Report that --print and --generate can't be used together
Alexander Popov [Sun, 13 Aug 2023 16:28:05 +0000 (19:28 +0300)]
Enable sysctl checking
Refers to #65
Alexander Popov [Sun, 23 Jul 2023 21:24:36 +0000 (00:24 +0300)]
Check the kernel.unprivileged_bpf_disabled sysctl
Alexander Popov [Sun, 23 Jul 2023 21:24:06 +0000 (00:24 +0300)]
Check the dev.tty.ldisc_autoload sysctl
Alexander Popov [Sun, 23 Jul 2023 21:23:38 +0000 (00:23 +0300)]
Check the user.max_user_namespaces sysctl
Alexander Popov [Sun, 23 Jul 2023 21:18:49 +0000 (00:18 +0300)]
Check the kernel.kexec_load_disabled sysctl
Alexander Popov [Sun, 23 Jul 2023 21:17:44 +0000 (00:17 +0300)]
Check the kernel.perf_event_paranoid sysctl
Alexander Popov [Sun, 23 Jul 2023 21:15:57 +0000 (00:15 +0300)]
Check the kernel.dmesg_restrict sysctl
Alexander Popov [Sun, 23 Jul 2023 21:14:45 +0000 (00:14 +0300)]
Check the net.core.bpf_jit_harden sysctl
Alexander Popov [Sun, 23 Jul 2023 17:09:05 +0000 (20:09 +0300)]
test_engine: use SysctlCheck in test_value_overriding()
Alexander Popov [Sun, 23 Jul 2023 16:57:28 +0000 (19:57 +0300)]
test_engine: use SysctlCheck in test_stdout()
Alexander Popov [Sun, 23 Jul 2023 16:48:15 +0000 (19:48 +0300)]
test_engine: implement test_simple_sysctl()
Alexander Popov [Sun, 23 Jul 2023 16:02:27 +0000 (19:02 +0300)]
test_engine: support SysctlCheck
Alexander Popov [Sat, 22 Jul 2023 21:44:17 +0000 (00:44 +0300)]
Refactor populate_opt_with_data()
Much better code, no functional changes
Alexander Popov [Sun, 16 Jul 2023 21:15:47 +0000 (00:15 +0300)]
Mute warnings in the JSON mode and improve wording
Alexander Popov [Sun, 16 Jul 2023 21:06:11 +0000 (00:06 +0300)]
Implement parse_sysctl_file()
Refers to #65
Alexander Popov [Sat, 15 Jul 2023 23:08:58 +0000 (02:08 +0300)]
Drop an obsolete error handling test
Alexander Popov [Sat, 15 Jul 2023 22:52:18 +0000 (01:52 +0300)]
Fix the bug in the functional tests
`man 1 sh` says about '-e':
```
The shell does not exit if the command that fails is part of the command list
immediately following a while or until keyword, part of the test following
the if or elif reserved words, part of any command executed in a && or || list
except the command following the final && or ||, any command in a pipeline
but the last, or if the command's return value is being inverted with !.
That's why testing error handling in the functional tests didn't check
the exit status at all :(
Let's fix that.
Example before the fix:
! coverage run -a --branch bin/kconfig-hardened-check -l /proc/cmdline
Example after the fix:
coverage run -a --branch bin/kconfig-hardened-check -l /proc/cmdline && exit 1
Alexander Popov [Sat, 15 Jul 2023 22:45:44 +0000 (01:45 +0300)]
Emit WARNING for the cmdline options that exist multiple times
Don't emit ERROR here. Even GitHub Actions machines have repeated options
in /proc/cmdline.
Also see the comment in cmdline parsing for x86:
https://elixir.bootlin.com/linux/v5.16.7/source/arch/x86/boot/cmdline.c#L21
```
In accordance with standard Linux practice, if this option is repeated,
this returns the last instance on the command line.
```
Alexander Popov [Sat, 15 Jul 2023 19:58:17 +0000 (22:58 +0300)]
Precise the Kconfig parsing
Alexander Popov [Wed, 12 Jul 2023 16:41:09 +0000 (19:41 +0300)]
Get rid of useless regular expressions in detect_compiler()
Alexander Popov [Wed, 12 Jul 2023 16:29:19 +0000 (19:29 +0300)]
Precise the regular expressions in detect_arch() and detect_kernel_version()
And fix the wording in the error message by the way.
Alexander Popov [Wed, 12 Jul 2023 08:11:27 +0000 (11:11 +0300)]
Show error if some cmdline option exists multiple times
Alexander Popov [Sat, 8 Jul 2023 21:18:28 +0000 (00:18 +0300)]
Add the basic infrastructure for checking sysctl
Refers to #65
Alexander Popov [Sat, 8 Jul 2023 20:40:49 +0000 (23:40 +0300)]
Introduce the SysctlCheck class
Refers to #65
Alexander Popov [Tue, 4 Jul 2023 11:20:20 +0000 (14:20 +0300)]
Check disabling XFS_SUPPORT_V4 for cutting attack surface
The XFS V4 format is deprecated:
https://elixir.bootlin.com/linux/v6.3.11/source/fs/xfs/Kconfig#L25
Quote:
The V4 filesystem format lacks certain features that are supported
by the V5 format, such as metadata checksumming, strengthened
metadata verification, and the ability to store timestamps past the
year 2038. Because of this, the V4 format is deprecated. All users
should upgrade by backing up their files, reformatting, and restoring
from the backup... To close off an attack surface, say N.
Alexander Popov [Sun, 2 Jul 2023 19:55:36 +0000 (22:55 +0300)]
Print the microarchitecture in --generate mode
The Kconfig fragment should describe the microarchitecture to avoid mistakes.
Alexander Popov [Sun, 25 Jun 2023 08:51:26 +0000 (11:51 +0300)]
Update the README
Alexander Popov [Sun, 25 Jun 2023 08:51:02 +0000 (11:51 +0300)]
Add the info about /proc/cmdline to the usage help
I tested CONFIG_CMDLINE and CONFIG_BOOT_CONFIG mechanisms.
They allow passing additional boot parameters for the Linux kernel.
I see that all boot parameters are collected in /proc/cmdline.
So /proc/cmdline is the only information source that we should check to
analyze the Linux kernel boot parameters.
Alexander Popov [Sun, 18 Jun 2023 23:07:13 +0000 (02:07 +0300)]
setup: fix "The license_file parameter is deprecated"
Use 'license_files' instead.
Alexander Popov [Sun, 18 Jun 2023 22:11:20 +0000 (01:11 +0300)]
setup: Don't use the automatic "find_namespace:" discovery
This automatic discovery doesn't fit to the flat layout of my package
(without the "src" directory).
Instead, let's specify the "packages" explicitly in setup.cfg.
Alexander Popov [Sun, 18 Jun 2023 21:42:53 +0000 (00:42 +0300)]
setup: Fix the warning "Package would be ignored"
The warning:
############################
# Package would be ignored #
############################
Python recognizes 'kconfig_hardened_check.config_files.distros' as an importable package,
but it is not listed in the `packages` configuration of setuptools.
'kconfig_hardened_check.config_files.distros' has been automatically added to the distribution only
because it may contain data files, but this behavior is likely to change
in future versions of setuptools (and therefore is considered deprecated).
Please make sure that 'kconfig_hardened_check.config_files.distros' is included as a package by using
the `packages` configuration field or the proper discovery methods
(for example by using `find_namespace_packages(...)`/`find_namespace:`
instead of `find_packages(...)`/`find:`).
So let's use "find_namespace:" for package directory to include
the package data. More info in the documentation:
https://setuptools.pypa.io/en/latest/userguide/package_discovery.html#finding-namespace-packages
Alexander Popov [Sun, 18 Jun 2023 21:35:10 +0000 (00:35 +0300)]
setup: Drop obsolete zip_safe flag
More info in the documentation:
https://setuptools.pypa.io/en/latest/deprecated/zip_safe.html
And fix style by the way.
Alexander Popov [Sat, 17 Jun 2023 17:15:06 +0000 (20:15 +0300)]
Move the draft of the security hardening sysctls to a proper place
Refers to #65
Alexander Popov [Sat, 17 Jun 2023 15:58:05 +0000 (18:58 +0300)]
Improve normalize_cmdline_options()
Alexander Popov [Mon, 12 Jun 2023 15:28:42 +0000 (18:28 +0300)]
GitHub Actions: decrease the max-parallel to 1 to avoid the codecov rate limit
Alexander Popov [Mon, 12 Jun 2023 14:59:50 +0000 (17:59 +0300)]
Add functional tests for --generate
Refers to #67.
Alexander Popov [Mon, 12 Jun 2023 14:46:25 +0000 (17:46 +0300)]
Update the README
Refers to #67.
Alexander Popov [Mon, 12 Jun 2023 14:40:50 +0000 (17:40 +0300)]
Add a new feature --generate
With this argument the tool generates a Kconfig fragment with the security
hardening options for the selected microarchitecture.
Refers to #67.
This Kconfig fragment can be merged with the existing Linux kernel config:
$ ./bin/kconfig-hardened-check -g X86_64 > /tmp/fragment
$ cd ~/linux-src/
$ ./scripts/kconfig/merge_config.sh .config /tmp/fragment
Using .config as base
Merging /tmp/fragment
Value of CONFIG_BUG_ON_DATA_CORRUPTION is redefined by fragment /tmp/fragment:
Previous value: # CONFIG_BUG_ON_DATA_CORRUPTION is not set
New value: CONFIG_BUG_ON_DATA_CORRUPTION=y
...
Alexander Popov [Mon, 12 Jun 2023 13:50:54 +0000 (16:50 +0300)]
Refactoring of the argument parsing
Alexander Popov [Mon, 12 Jun 2023 13:26:12 +0000 (16:26 +0300)]
Improve the comments and README (part II)
Alexander Popov [Mon, 12 Jun 2023 12:55:41 +0000 (15:55 +0300)]
Skip normalize_cmdline_options() for the vdso32 and vdso cmdline parameters
See vdso32_setup() in arch/x86/entry/vdso/vdso32-setup.c
Alexander Popov [Mon, 12 Jun 2023 12:45:56 +0000 (15:45 +0300)]
Skip normalize_cmdline_options() for the vsyscall cmdline parameter
See vsyscall_setup() in arch/x86/entry/vsyscall/vsyscall_64.c
Alexander Popov [Mon, 12 Jun 2023 12:43:05 +0000 (15:43 +0300)]
Skip normalize_cmdline_options() for the iommu cmdline parameter
See iommu_setup() in arch/x86/kernel/pci-dma.c
Alexander Popov [Mon, 12 Jun 2023 12:00:32 +0000 (15:00 +0300)]
Skip normalize_cmdline_options() for the slub_debug cmdline parameter
See setup_slub_debug() in mm/slub.c
Alexander Popov [Mon, 12 Jun 2023 11:37:42 +0000 (14:37 +0300)]
Improve the comments and README
Alexander Popov [Mon, 5 Jun 2023 20:48:34 +0000 (23:48 +0300)]
Skip normalize_cmdline_options() for the rodata cmdline parameter
Also fix the rodata check (change '1' to 'on').
See set_debug_rodata() in init/main.c.
Alexander Popov [Mon, 5 Jun 2023 20:44:42 +0000 (23:44 +0300)]
Skip normalize_cmdline_options() for the ssbd cmdline parameter
See parse_spectre_v4_param() in arch/arm64/kernel/proton-pack.c