Alexander Popov [Sat, 15 Jul 2023 19:58:17 +0000 (22:58 +0300)]
Make the Kconfig parsing more precise
Alexander Popov [Wed, 12 Jul 2023 16:41:09 +0000 (19:41 +0300)]
Get rid of useless regular expressions in detect_compiler()
Alexander Popov [Wed, 12 Jul 2023 16:29:19 +0000 (19:29 +0300)]
Make the regular expressions in detect_arch() and detect_kernel_version() more precise
And fix the wording in the error message by the way.
Alexander Popov [Wed, 12 Jul 2023 08:11:27 +0000 (11:11 +0300)]
Show error if some cmdline option exists multiple times
Alexander Popov [Sat, 8 Jul 2023 21:18:28 +0000 (00:18 +0300)]
Add the basic infrastructure for checking sysctl
Refers to #65
Alexander Popov [Sat, 8 Jul 2023 20:40:49 +0000 (23:40 +0300)]
Introduce the SysctlCheck class
Refers to #65
Alexander Popov [Tue, 4 Jul 2023 11:20:20 +0000 (14:20 +0300)]
Check disabling XFS_SUPPORT_V4 for cutting attack surface
The XFS V4 format is deprecated:
https://elixir.bootlin.com/linux/v6.3.11/source/fs/xfs/Kconfig#L25
Quote:
  The V4 filesystem format lacks certain features that are supported
  by the V5 format, such as metadata checksumming, strengthened
  metadata verification, and the ability to store timestamps past the
  year 2038. Because of this, the V4 format is deprecated. All users
  should upgrade by backing up their files, reformatting, and restoring
  from the backup... To close off an attack surface, say N.
Alexander Popov [Sun, 2 Jul 2023 19:55:36 +0000 (22:55 +0300)]
Print the microarchitecture in --generate mode
The Kconfig fragment should describe the microarchitecture to avoid mistakes.
Alexander Popov [Sun, 25 Jun 2023 08:51:26 +0000 (11:51 +0300)]
Update the README
Alexander Popov [Sun, 25 Jun 2023 08:51:02 +0000 (11:51 +0300)]
Add the info about /proc/cmdline to the usage help
I tested CONFIG_CMDLINE and CONFIG_BOOT_CONFIG mechanisms.
They allow passing additional boot parameters for the Linux kernel.
I see that all boot parameters are collected in /proc/cmdline.
So /proc/cmdline is the only information source that we should check to
analyze the Linux kernel boot parameters.
Alexander Popov [Sun, 18 Jun 2023 23:07:13 +0000 (02:07 +0300)]
setup: fix "The license_file parameter is deprecated"
Use 'license_files' instead.
Alexander Popov [Sun, 18 Jun 2023 22:11:20 +0000 (01:11 +0300)]
setup: Don't use the automatic "find_namespace:" discovery
This automatic discovery doesn't fit the flat layout of my package
(without the "src" directory).
Instead, let's specify the "packages" explicitly in setup.cfg.
Alexander Popov [Sun, 18 Jun 2023 21:42:53 +0000 (00:42 +0300)]
setup: Fix the warning "Package would be ignored"
The warning:
############################
# Package would be ignored #
############################
Python recognizes 'kconfig_hardened_check.config_files.distros' as an importable package,
but it is not listed in the `packages` configuration of setuptools.
'kconfig_hardened_check.config_files.distros' has been automatically added to the distribution only
because it may contain data files, but this behavior is likely to change
in future versions of setuptools (and therefore is considered deprecated).
Please make sure that 'kconfig_hardened_check.config_files.distros' is included as a package by using
the `packages` configuration field or the proper discovery methods
(for example by using `find_namespace_packages(...)`/`find_namespace:`
instead of `find_packages(...)`/`find:`).
So let's use "find_namespace:" for the package directory to include
the package data. More info in the documentation:
https://setuptools.pypa.io/en/latest/userguide/package_discovery.html#finding-namespace-packages
Alexander Popov [Sun, 18 Jun 2023 21:35:10 +0000 (00:35 +0300)]
setup: Drop obsolete zip_safe flag
More info in the documentation:
https://setuptools.pypa.io/en/latest/deprecated/zip_safe.html
And fix style by the way.
Alexander Popov [Sat, 17 Jun 2023 17:15:06 +0000 (20:15 +0300)]
Move the draft of the security hardening sysctls to a proper place
Refers to #65
Alexander Popov [Sat, 17 Jun 2023 15:58:05 +0000 (18:58 +0300)]
Improve normalize_cmdline_options()
Alexander Popov [Mon, 12 Jun 2023 15:28:42 +0000 (18:28 +0300)]
GitHub Actions: decrease the max-parallel to 1 to avoid the codecov rate limit
Alexander Popov [Mon, 12 Jun 2023 14:59:50 +0000 (17:59 +0300)]
Add functional tests for --generate
Refers to #67.
Alexander Popov [Mon, 12 Jun 2023 14:46:25 +0000 (17:46 +0300)]
Update the README
Refers to #67.
Alexander Popov [Mon, 12 Jun 2023 14:40:50 +0000 (17:40 +0300)]
Add a new feature --generate
With this argument the tool generates a Kconfig fragment with the security
hardening options for the selected microarchitecture.
Refers to #67.
This Kconfig fragment can be merged with the existing Linux kernel config:
  $ ./bin/kconfig-hardened-check -g X86_64 > /tmp/fragment
  $ cd ~/linux-src/
  $ ./scripts/kconfig/merge_config.sh .config /tmp/fragment
  Using .config as base
  Merging /tmp/fragment
  Value of CONFIG_BUG_ON_DATA_CORRUPTION is redefined by fragment /tmp/fragment:
  Previous value: # CONFIG_BUG_ON_DATA_CORRUPTION is not set
  New value: CONFIG_BUG_ON_DATA_CORRUPTION=y
  ...
Alexander Popov [Mon, 12 Jun 2023 13:50:54 +0000 (16:50 +0300)]
Refactoring of the argument parsing
Alexander Popov [Mon, 12 Jun 2023 13:26:12 +0000 (16:26 +0300)]
Improve the comments and README (part II)
Alexander Popov [Mon, 12 Jun 2023 12:55:41 +0000 (15:55 +0300)]
Skip normalize_cmdline_options() for the vdso32 and vdso cmdline parameters
See vdso32_setup() in arch/x86/entry/vdso/vdso32-setup.c
Alexander Popov [Mon, 12 Jun 2023 12:45:56 +0000 (15:45 +0300)]
Skip normalize_cmdline_options() for the vsyscall cmdline parameter
See vsyscall_setup() in arch/x86/entry/vsyscall/vsyscall_64.c
Alexander Popov [Mon, 12 Jun 2023 12:43:05 +0000 (15:43 +0300)]
Skip normalize_cmdline_options() for the iommu cmdline parameter
See iommu_setup() in arch/x86/kernel/pci-dma.c
Alexander Popov [Mon, 12 Jun 2023 12:00:32 +0000 (15:00 +0300)]
Skip normalize_cmdline_options() for the slub_debug cmdline parameter
See setup_slub_debug() in mm/slub.c
Alexander Popov [Mon, 12 Jun 2023 11:37:42 +0000 (14:37 +0300)]
Improve the comments and README
Alexander Popov [Mon, 5 Jun 2023 20:48:34 +0000 (23:48 +0300)]
Skip normalize_cmdline_options() for the rodata cmdline parameter
Also fix the rodata check (change '1' to 'on').
See set_debug_rodata() in init/main.c.
Alexander Popov [Mon, 5 Jun 2023 20:44:42 +0000 (23:44 +0300)]
Skip normalize_cmdline_options() for the ssbd cmdline parameter
See parse_spectre_v4_param() in arch/arm64/kernel/proton-pack.c
Alexander Popov [Sun, 28 May 2023 23:07:50 +0000 (02:07 +0300)]
Add a comment about the cfi boot parameter
Alexander Popov [Sun, 28 May 2023 22:56:14 +0000 (01:56 +0300)]
Add the X86_KERNEL_IBT check
Now it's enabled by default for X86_64.
Alexander Popov [Sun, 28 May 2023 22:16:12 +0000 (01:16 +0300)]
Add a comment about `kernel.oops_limit` and `kernel.warn_limit` sysctls
Alexander Popov [Sat, 27 May 2023 07:05:10 +0000 (10:05 +0300)]
Add a comment about `kernel.unprivileged_userns_clone` sysctl in Debian
Alexander Popov [Sat, 27 May 2023 05:50:35 +0000 (08:50 +0300)]
Add the comments about HARDENED_USERCOPY features
Alexander Popov [Tue, 9 May 2023 22:18:14 +0000 (01:18 +0300)]
Fix CI output style and move `pip install coverage` to the proper place
Alexander Popov [Mon, 8 May 2023 19:02:23 +0000 (22:02 +0300)]
Use .github/workflows/functional_test.sh in GitHub Actions (like in Woodpecker-CI)
Now functional_test.sh is a common script used both in GitHub Actions
and Woodpecker-CI.
And also test the forgotten .gz kernel config.
Alexander Popov [Mon, 8 May 2023 17:33:44 +0000 (20:33 +0300)]
Run the functional tests and collect the coverage in Woodpecker-CI
Alexander Popov [Mon, 8 May 2023 17:01:54 +0000 (20:01 +0300)]
Check all configs with the installed tool in the functional test in Woodpecker-CI
Alexander Popov [Mon, 8 May 2023 12:27:18 +0000 (15:27 +0300)]
Test the package installation in the functional test in Woodpecker-CI
Alexander Popov [Sun, 7 May 2023 21:21:58 +0000 (00:21 +0300)]
Run the engine unit-test in Woodpecker-CI
Alexander Popov [Sun, 7 May 2023 18:02:01 +0000 (21:02 +0300)]
Create multiple pipelines for Woodpecker-CI at Codeberg
Alexander Popov [Sun, 7 May 2023 17:28:45 +0000 (20:28 +0300)]
Create a configuration template for Codeberg CI (.woodpecker.yml)
Alexander Popov [Mon, 1 May 2023 18:24:09 +0000 (21:24 +0300)]
Add the checks for vdso32 and vdso on X86_64 and X86_32
We need to check them because these kernel cmdline parameters can
override the COMPAT_VDSO kconfig option.
Alexander Popov [Sun, 30 Apr 2023 22:16:03 +0000 (01:16 +0300)]
Improve the COMPAT_VDSO check
CONFIG_COMPAT_VDSO disables ASLR of vDSO only on X86_64 and X86_32.
On ARM64 this option has a different meaning (see the mainline commit
7c4791c9efca8c105a86022f7d5532aeaa819125).
Thanks to @izh1979 for the idea
Alexander Popov [Sun, 30 Apr 2023 20:36:55 +0000 (23:36 +0300)]
Improve the vsyscall checks
Disabling X86_VSYSCALL_EMULATION turns vsyscall off completely, and
LEGACY_VSYSCALL_NONE can be changed at boot time via the cmdline parameter.
Thanks to @izh1979 for the idea
Alexander Popov [Sun, 30 Apr 2023 19:51:08 +0000 (22:51 +0300)]
Add the comment about kernel.sysrq=0
Alexander Popov [Sat, 22 Apr 2023 23:00:31 +0000 (02:00 +0300)]
Make a hackish refinement of the CONFIG_ARCH_MMAP_RND_BITS check
Use new override_expected_value() for that.
This is needed to avoid wrong recommendations for ARM64 and ARM, where
CONFIG_ARCH_MMAP_RND_BITS_MAX depends on the paging configuration.
Alexander Popov [Sat, 22 Apr 2023 22:42:59 +0000 (01:42 +0300)]
test_engine: add test_value_overriding()
Alexander Popov [Sat, 22 Apr 2023 22:23:38 +0000 (01:23 +0300)]
engine: implement override_expected_value()
Alexander Popov [Sat, 22 Apr 2023 15:51:26 +0000 (18:51 +0300)]
Require one of the major LSMs implementing MAC
SELinux, Smack, Tomoyo, and AppArmor implement Mandatory Access Control (MAC).
Thanks to @izh1979 for the idea
Alexander Popov [Sat, 22 Apr 2023 15:03:15 +0000 (18:03 +0300)]
Add the norandmaps check
Thanks to @izh1979 for the idea
Alexander Popov [Sat, 22 Apr 2023 14:50:25 +0000 (17:50 +0300)]
Check that CoreSight Tracing Support is disabled (to cut attack surface)
The CONFIG_CORESIGHT framework provides a kernel interface for the
CoreSight debug and trace drivers for ARM/ARM64. It's better to have it
disabled to cut attack surface.
Alexander Popov [Sun, 9 Apr 2023 23:48:08 +0000 (02:48 +0300)]
Drop the INTEGRITY check
CONFIG_INTEGRITY is useless without enabling IMA/EVM.
We can't require enabling IMA/EVM because there are other
file system integrity mechanisms like DM_VERITY, FS_VERITY, etc.
So there is no reason to check CONFIG_INTEGRITY.
Refers to #75
Alexander Popov [Sun, 9 Apr 2023 22:54:41 +0000 (01:54 +0300)]
Add the DEBUG_ALIGN_RODATA check for ARM
Alexander Popov [Sun, 9 Apr 2023 22:20:13 +0000 (01:20 +0300)]
Add new Android kernel configs from my friends
Also rename old Android configs
Alexander Popov [Sun, 9 Apr 2023 21:43:09 +0000 (00:43 +0300)]
Add the LEGACY_TIOCSTI check
Alexander Popov [Sun, 2 Apr 2023 11:27:58 +0000 (14:27 +0300)]
engine: remove the unused 'type' property from the OptCheck object
Alexander Popov [Sun, 2 Apr 2023 11:22:10 +0000 (14:22 +0300)]
test_engine: rename unit-tests
Alexander Popov [Sun, 2 Apr 2023 11:16:03 +0000 (14:16 +0300)]
test_engine: increase the unit-test coverage
Alexander Popov [Sun, 2 Apr 2023 09:39:49 +0000 (12:39 +0300)]
test_engine: test the non-verbose output mode
Alexander Popov [Sun, 2 Apr 2023 09:27:57 +0000 (12:27 +0300)]
test_engine: support the non-verbose output mode in get_engine_result()
Alexander Popov [Sun, 2 Apr 2023 09:28:47 +0000 (12:28 +0300)]
Fix a pylint warning about f-string
Alexander Popov [Sun, 2 Apr 2023 08:29:38 +0000 (11:29 +0300)]
test_engine: add test_verbose()
Alexander Popov [Sun, 2 Apr 2023 08:29:10 +0000 (11:29 +0300)]
test_engine: implement get_engine_result() for stdout
Alexander Popov [Sun, 2 Apr 2023 08:26:40 +0000 (11:26 +0300)]
test_engine: introduce get_engine_result()
It's refactoring, no functional changes
Alexander Popov [Sun, 26 Mar 2023 17:59:00 +0000 (20:59 +0300)]
test_engine: add test_version()
Alexander Popov [Sun, 26 Mar 2023 17:04:38 +0000 (20:04 +0300)]
test_engine: add missing cases for test_OR() and test_AND()
I mean testing 'is present' and 'is not off' in OR/AND
Alexander Popov [Sun, 26 Mar 2023 16:44:58 +0000 (19:44 +0300)]
test_engine: test 'is not off'
Alexander Popov [Sun, 26 Mar 2023 16:30:52 +0000 (19:30 +0300)]
test_engine: test 'is present'
Alexander Popov [Sun, 26 Mar 2023 16:09:39 +0000 (19:09 +0300)]
test_engine: add a missing case for test_OR()
Alexander Popov [Sun, 26 Mar 2023 15:30:31 +0000 (18:30 +0300)]
Enable functional testing for a gzipped config
Refers to #80
Alexander Popov [Sun, 26 Mar 2023 15:19:55 +0000 (18:19 +0300)]
Inform about supporting *.gz kconfig files
Refers to #80
Alexander Popov [Sun, 26 Mar 2023 15:10:40 +0000 (18:10 +0300)]
Add an example of a gzipped config
Refers to #80
Alexander Popov [Sun, 26 Mar 2023 15:06:37 +0000 (18:06 +0300)]
Merge pull request #80 from nE0sIghT/feature/gzipped-config
Added support for gzipped config (e.g. /proc/config.gz)
Yuri Konotopov [Sat, 25 Mar 2023 09:36:30 +0000 (13:36 +0400)]
Added support for gzipped config (e.g. /proc/config.gz)
Alexander Popov [Fri, 24 Mar 2023 20:19:02 +0000 (23:19 +0300)]
test_engine: add test_OR() and test_AND()
Alexander Popov [Fri, 24 Mar 2023 20:18:32 +0000 (23:18 +0300)]
test_engine: reorganize single unit-tests
Alexander Popov [Fri, 24 Mar 2023 20:18:06 +0000 (23:18 +0300)]
test_engine: add test_kconfig_not_found()
Alexander Popov [Fri, 24 Mar 2023 20:17:39 +0000 (23:17 +0300)]
Prevent populating the checklist with empty data
Alexander Popov [Fri, 24 Mar 2023 20:17:20 +0000 (23:17 +0300)]
test_engine: add test_cmdline_ok() and test_cmdline_fail()
Alexander Popov [Fri, 24 Mar 2023 20:16:41 +0000 (23:16 +0300)]
test_engine: add test_kconfig_fail()
Alexander Popov [Fri, 24 Mar 2023 20:16:15 +0000 (23:16 +0300)]
Mute some pylint warnings for test_engine.py
Alexander Popov [Fri, 24 Mar 2023 20:15:57 +0000 (23:15 +0300)]
test_engine: add test_kconfig_ok()
Alexander Popov [Fri, 24 Mar 2023 20:15:38 +0000 (23:15 +0300)]
run_engine(): add the 'result' argument and put the JSON output into it
Alexander Popov [Fri, 24 Mar 2023 20:11:49 +0000 (23:11 +0300)]
Fix pylint warnings: add class docstring
Alexander Popov [Fri, 24 Mar 2023 20:11:22 +0000 (23:11 +0300)]
Fix pylint warnings: mark run_engine() with @staticmethod
Alexander Popov [Fri, 24 Mar 2023 20:10:57 +0000 (23:10 +0300)]
Create the run_engine() helper
Alexander Popov [Fri, 24 Mar 2023 20:10:35 +0000 (23:10 +0300)]
Add the first unit-test draft
Alexander Popov [Fri, 24 Mar 2023 20:10:13 +0000 (23:10 +0300)]
Fix style
Alexander Popov [Sat, 11 Mar 2023 08:31:27 +0000 (11:31 +0300)]
Group the badges
Alexander Popov [Fri, 10 Mar 2023 22:07:41 +0000 (01:07 +0300)]
Set the names for the codecov uploads
Alexander Popov [Fri, 10 Mar 2023 21:31:33 +0000 (00:31 +0300)]
Create two separate badges: functional test coverage and unit-test coverage
Alexander Popov [Fri, 10 Mar 2023 21:17:02 +0000 (00:17 +0300)]
Install 'coverage' in the unit-test CI workflow
Alexander Popov [Fri, 10 Mar 2023 21:09:38 +0000 (00:09 +0300)]
Don't fail the unit-test template
That will allow the CI workflow to continue
Alexander Popov [Fri, 10 Mar 2023 21:03:49 +0000 (00:03 +0300)]
Upload the unit-test coverage to codecov (use a separate flag)
Alexander Popov [Fri, 10 Mar 2023 20:39:02 +0000 (23:39 +0300)]
Add the links to the project badges
Alexander Popov [Fri, 10 Mar 2023 20:36:34 +0000 (23:36 +0300)]
Add the unit-test badge
Alexander Popov [Fri, 10 Mar 2023 20:33:24 +0000 (23:33 +0300)]
Rename the workflow file with the functional test
Alexander Popov [Fri, 10 Mar 2023 20:22:47 +0000 (23:22 +0300)]
Create a separate CI workflow for unit-tests
Alexander Popov [Fri, 10 Mar 2023 20:12:58 +0000 (23:12 +0300)]
Add a template for unit-tests