kconfig-hardened-check.git
3 weeks ago  Add script to update kconfigs
Willenst [Fri, 25 Oct 2024 17:16:46 +0000 (19:16 +0200)]
Add script to update kconfigs

4 weeks ago  Don't crash if `sysctl.conf` has no options for parsing
Alexander Popov [Wed, 16 Oct 2024 13:45:25 +0000 (16:45 +0300)]
Don't crash if `sysctl.conf` has no options for parsing

This fixes the broken Codeberg CI.

5 weeks ago  Update python versions in CI
Alexander Popov [Sat, 12 Oct 2024 21:24:43 +0000 (00:24 +0300)]
Update python versions in CI

5 weeks ago  Add the SECCOMP_CACHE_DEBUG check
Alexander Popov [Sat, 12 Oct 2024 21:12:11 +0000 (00:12 +0300)]
Add the SECCOMP_CACHE_DEBUG check

Thanks to @izh1979 for the idea.

6 weeks ago  Merge branch 'from-flipthewho'
Alexander Popov [Tue, 8 Oct 2024 17:20:44 +0000 (20:20 +0300)]
Merge branch 'from-flipthewho'

Refers to #153, #157

6 weeks ago  implementation of vm.mmap_min_addr check  [157/head]
flipthewho [Sun, 6 Oct 2024 21:39:05 +0000 (07:39 +1000)]
implementation of vm.mmap_min_addr check

6 weeks ago  Improve the output
Alexander Popov [Sun, 6 Oct 2024 23:03:22 +0000 (02:03 +0300)]
Improve the output

6 weeks ago  Drop some unneeded assertions
Alexander Popov [Sun, 6 Oct 2024 23:01:52 +0000 (02:01 +0300)]
Drop some unneeded assertions

6 weeks ago  Use perform_checking() for separate sysctl checking
Alexander Popov [Sun, 6 Oct 2024 21:59:05 +0000 (00:59 +0300)]
Use perform_checking() for separate sysctl checking

There should be no functional changes.

6 weeks ago  Add perform_checking()
Alexander Popov [Sun, 6 Oct 2024 20:23:38 +0000 (23:23 +0300)]
Add perform_checking()

There should be no functional changes.

6 weeks ago  Reorder populating the checklist with data
Alexander Popov [Sun, 6 Oct 2024 22:25:11 +0000 (01:25 +0300)]
Reorder populating the checklist with data

First, we should add the version data.

Then we should populate the checklist with the parsed Kconfig data
and do the kconfig refinement.

6 weeks ago  Detect the kernel version before the arch
Alexander Popov [Sun, 6 Oct 2024 21:02:23 +0000 (00:02 +0300)]
Detect the kernel version before the arch

6 weeks ago  Add thanks!
Alexander Popov [Sun, 6 Oct 2024 19:20:18 +0000 (22:20 +0300)]
Add thanks!

6 weeks ago  Improve the functional test coverage
Alexander Popov [Sun, 6 Oct 2024 19:15:21 +0000 (22:15 +0300)]
Improve the functional test coverage

6 weeks ago  Fix the sysctl.conf test at github
Alexander Popov [Sun, 6 Oct 2024 18:36:55 +0000 (21:36 +0300)]
Fix the sysctl.conf test at github

6 weeks ago  Improve and reorder the functional tests
Alexander Popov [Sun, 6 Oct 2024 17:46:16 +0000 (20:46 +0300)]
Improve and reorder the functional tests

6 weeks ago  Drop some duplicated code (thanks to the coverage report)
Alexander Popov [Sun, 6 Oct 2024 17:42:32 +0000 (20:42 +0300)]
Drop some duplicated code (thanks to the coverage report)

6 weeks ago  Handle empty files properly
Alexander Popov [Sun, 6 Oct 2024 17:29:22 +0000 (20:29 +0300)]
Handle empty files properly

6 weeks ago  engine: Improve the object oriented model
Alexander Popov [Sun, 6 Oct 2024 17:09:42 +0000 (20:09 +0300)]
engine: Improve the object oriented model

7 weeks ago  Merge branch 'from-flipthewho'
Alexander Popov [Thu, 3 Oct 2024 08:53:14 +0000 (11:53 +0300)]
Merge branch 'from-flipthewho'

Refers to #158, #161

7 weeks ago  style fix
Alexander Popov [Thu, 3 Oct 2024 08:52:43 +0000 (11:52 +0300)]
style fix

8 weeks ago  implementation of detect_arch_sysctl()  [161/head]
flipthewho [Thu, 26 Sep 2024 07:59:15 +0000 (17:59 +1000)]
implementation of detect_arch_sysctl()

2 months ago  Merge branch 'from-flipthewho-1'
Alexander Popov [Tue, 10 Sep 2024 19:23:19 +0000 (22:23 +0300)]
Merge branch 'from-flipthewho-1'

Refers to #149, #156

2 months ago  Style fixes  [156/head]
Alexander Popov [Tue, 10 Sep 2024 16:32:55 +0000 (19:32 +0300)]
Style fixes

2 months ago  implementation of `CONFIG_CFI_AUTO_DEFAULT`
flipthewho [Mon, 9 Sep 2024 05:58:15 +0000 (15:58 +1000)]
implementation of `CONFIG_CFI_AUTO_DEFAULT`

2 months ago  Merge branch 'sysctl-fixes'
Alexander Popov [Wed, 4 Sep 2024 14:26:23 +0000 (17:26 +0300)]
Merge branch 'sysctl-fixes'

Refers to #159, #160.

2 months ago  sysctl parsing: change parsing errors to warnings and improve the messages  [sysctl-fixes, 160/head]
Alexander Popov [Wed, 4 Sep 2024 13:38:06 +0000 (16:38 +0300)]
sysctl parsing: change parsing errors to warnings and improve the messages

2 months ago  sysctl parsing: Allow comments (they usually exist in sysctl.conf)
Alexander Popov [Wed, 4 Sep 2024 13:21:31 +0000 (16:21 +0300)]
sysctl parsing: Allow comments (they usually exist in sysctl.conf)

2 months ago  sysctl parsing: Allow missing space before '='
Alexander Popov [Wed, 4 Sep 2024 13:20:15 +0000 (16:20 +0300)]
sysctl parsing: Allow missing space before '='
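The three `sysctl parsing` commits above, together with the later "Don't crash if `sysctl.conf` has no options for parsing" fix, describe the edge cases a sysctl.conf reader has to tolerate: comment lines, a missing space before '=', malformed lines reported as warnings instead of aborting, and an input with no options at all. The following is an added example written for this page, not the project's own parser: a tolerant reader for sysctl.conf-style text plus a minimal comparison against an expected value in the spirit of the `vm.mmap_min_addr` and `io_uring_disabled` checks. The sample input, the function names and the result wording are this example's own assumptions.

```python
import re

# Constructed sample input for this example; not a file from the repository.
SAMPLE_SYSCTL_CONF = """\
# Constructed sysctl.conf sample
; sysctl(8) also treats ';' lines as comments
kernel.sysrq = 0
vm.mmap_min_addr=65536
kernel.io_uring_disabled = 2
kernel.yama.ptrace_scope    =  3
this line has no equals sign
= value_without_a_key
kernel.sysrq = 4
"""

# key, optional whitespace, '=', optional whitespace, value (may be empty).
# The optional whitespace is what makes "key=value" and "key = value" both legal.
_ENTRY_RE = re.compile(r'^\s*([^=\s]+)\s*=\s*(.*?)\s*$')


def parse_sysctl_conf(text):
    """Return (options, warnings) for sysctl.conf-style text.

    Comment and blank lines are skipped. A malformed line produces a warning
    string instead of raising, so one odd line does not abort the whole run.
    Empty input returns an empty dict rather than failing.
    """
    options = {}
    warnings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        m = _ENTRY_RE.match(line)
        if m is None:
            warnings.append(f'line {lineno}: not a "key = value" pair: {raw!r}')
            continue
        key, value = m.group(1), m.group(2)
        if key in options:
            warnings.append(f'line {lineno}: {key} set again, '
                            f'previous value {options[key]!r} is overridden')
        options[key] = value
    return options, warnings


def check_sysctl(options, name, expected):
    """Compare one parsed sysctl against its expected value.

    Returns 'OK', 'FAIL: "<actual>"' or 'FAIL: is not found'. The wording
    is this example's own, chosen to mirror the three outcomes a checker
    has to report.
    """
    actual = options.get(name)
    if actual is None:
        return 'FAIL: is not found'
    if actual == expected:
        return 'OK'
    return f'FAIL: "{actual}"'


if __name__ == '__main__':
    opts, warns = parse_sysctl_conf(SAMPLE_SYSCTL_CONF)
    for w in warns:
        print('warning:', w)
    # Expected values here are assumptions for the example, not the tool's table.
    for name, expected in (('vm.mmap_min_addr', '65536'),
                           ('kernel.io_uring_disabled', '2'),
                           ('kernel.sysrq', '0'),
                           ('kernel.unprivileged_bpf_disabled', '1')):
        print(f'{name:40} {check_sysctl(opts, name, expected)}')
```

Running the block on the constructed sample reports the line without '=', the line without a key and the duplicated `kernel.sysrq` as warnings, while `kernel.sysrq = 4` wins over the earlier `kernel.sysrq = 0`, which is how sysctl(8) itself applies a file (last assignment wins).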

2 months ago  Drop the UNWIND_PATCH_PAC_INTO_SCS recommendation for now
Alexander Popov [Wed, 4 Sep 2024 12:28:05 +0000 (15:28 +0300)]
Drop the UNWIND_PATCH_PAC_INTO_SCS recommendation for now

Currently, there is no consensus about this feature:
https://github.com/KSPP/kspp.github.io/issues/2

Refers to #105

2 months ago  Ready for the release 0.6.10  [v0.6.10]
Alexander Popov [Sun, 1 Sep 2024 19:38:21 +0000 (22:38 +0300)]
Ready for the release 0.6.10

2 months ago  Update issues.md
Alexander Popov [Sun, 1 Sep 2024 19:33:30 +0000 (22:33 +0300)]
Update issues.md

2 months ago  Update the README
Alexander Popov [Sun, 1 Sep 2024 19:14:27 +0000 (22:14 +0300)]
Update the README

2 months ago  Fix style (quotation marks)
Alexander Popov [Sun, 1 Sep 2024 18:56:46 +0000 (21:56 +0300)]
Fix style (quotation marks)

2 months ago  Update the NixOS kernel configs
Alexander Popov [Sun, 1 Sep 2024 18:37:20 +0000 (21:37 +0300)]
Update the NixOS kernel configs

2 months ago  Don't normalize the `cfi` cmdline parameter
Alexander Popov [Sun, 1 Sep 2024 21:36:18 +0000 (00:36 +0300)]
Don't normalize the `cfi` cmdline parameter

2 months ago  Split the cut_attack_surface checks that contain the renamed options
Alexander Popov [Sun, 1 Sep 2024 17:24:02 +0000 (20:24 +0300)]
Split the cut_attack_surface checks that contain the renamed options

2 months ago  Update the BCACHE_CLOSURES_DEBUG check
Alexander Popov [Sun, 1 Sep 2024 16:19:42 +0000 (19:19 +0300)]
Update the BCACHE_CLOSURES_DEBUG check

It has been renamed to DEBUG_CLOSURES.

2 months ago  Fix `if arch` for the 'mitigations' cmdline check
Alexander Popov [Sun, 1 Sep 2024 15:17:22 +0000 (18:17 +0300)]
Fix `if arch` for the 'mitigations' cmdline check

2 months ago  Remove `if arch` for the CPU_MITIGATIONS check
Alexander Popov [Sun, 1 Sep 2024 14:55:05 +0000 (17:55 +0300)]
Remove `if arch` for the CPU_MITIGATIONS check

It exists on all the platforms now.

2 months ago  Remove `if arch` for the X86_VSYSCALL_EMULATION check
Alexander Popov [Sun, 1 Sep 2024 14:52:00 +0000 (17:52 +0300)]
Remove `if arch` for the X86_VSYSCALL_EMULATION check

It requires 'is not set' anyway.

2 months ago  Add the ARM_SMMU* kconfig checks for ARM
Alexander Popov [Sun, 1 Sep 2024 12:52:15 +0000 (15:52 +0300)]
Add the ARM_SMMU* kconfig checks for ARM

2 months ago  Update the DEBUG_WX check for ARM64 and ARM
Alexander Popov [Sun, 1 Sep 2024 21:33:21 +0000 (00:33 +0300)]
Update the DEBUG_WX check for ARM64 and ARM

It was renamed for ARM in the commit a90f0a02f139a13d3c26dd20644b50fc731f17da.

2 months ago  Add `if arch` for PAGE_TABLE_CHECK*
Alexander Popov [Sun, 1 Sep 2024 11:37:09 +0000 (14:37 +0300)]
Add `if arch` for PAGE_TABLE_CHECK*

2 months ago  Update the AMD_IOMMU_V2 kconfig check
Alexander Popov [Sun, 1 Sep 2024 11:02:26 +0000 (14:02 +0300)]
Update the AMD_IOMMU_V2 kconfig check

AMD_IOMMU_V2 was dropped in v6.7 in the commit
5a0b11a180a9b82b4437a4be1cf73530053f139b

2 months ago  Update the UBSAN_SANITIZE_ALL kconfig check
Alexander Popov [Sun, 1 Sep 2024 10:40:16 +0000 (13:40 +0300)]
Update the UBSAN_SANITIZE_ALL kconfig check

It was enabled by default in UBSAN and removed in the commit
918327e9b7ffb45321cbb4b9b86b58ec555fe6b3 in Linux v6.9.

2 months ago  Merge branch 'from-willenst-1'
Alexander Popov [Thu, 29 Aug 2024 06:25:26 +0000 (09:25 +0300)]
Merge branch 'from-willenst-1'

Refers to #152

2 months ago  unittest: test VersionCheck.table_print() to hit the coverage
Alexander Popov [Wed, 28 Aug 2024 18:20:01 +0000 (21:20 +0300)]
unittest: test VersionCheck.table_print() to hit the coverage

Refers to #145, #155

2 months ago  Merge branch 'from-willenst-2'
Alexander Popov [Wed, 28 Aug 2024 18:01:12 +0000 (21:01 +0300)]
Merge branch 'from-willenst-2'

Refers to #145, #155

2 months ago  remove engine debug output  [155/head]
Willenst [Tue, 27 Aug 2024 11:32:03 +0000 (13:32 +0200)]
remove engine debug output

remove unused libs

Remove engine debug output

2 months ago  Add test for `colorize_result`
Willenst [Thu, 22 Aug 2024 18:56:41 +0000 (20:56 +0200)]
Add test for `colorize_result`

2 months ago  Add test for `print_unknown_options`
Willenst [Thu, 22 Aug 2024 18:28:07 +0000 (20:28 +0200)]
Add test for `print_unknown_options`

2 months ago  Add io_uring_disabled sysctl check  [152/head]
Willenst [Mon, 26 Aug 2024 08:40:01 +0000 (10:40 +0200)]
Add io_uring_disabled sysctl check

3 months ago  Merge branch 'from-jvoisin'
Alexander Popov [Mon, 19 Aug 2024 15:13:27 +0000 (18:13 +0300)]
Merge branch 'from-jvoisin'

Refers to #138

3 months ago  Add the `TEST_DEBUG_VIRTUAL` kconfig check  [138/head]
Alexander Popov [Mon, 19 Aug 2024 14:34:02 +0000 (17:34 +0300)]
Add the `TEST_DEBUG_VIRTUAL` kconfig check

3 months ago  Change the `reason` for the `IP_SCTP` and `KGDB` kconfig checks
Alexander Popov [Mon, 19 Aug 2024 14:32:41 +0000 (17:32 +0300)]
Change the `reason` for the `IP_SCTP` and `KGDB` kconfig checks

3 months ago  Remove the `PAGE_OWNER` kconfig check
Alexander Popov [Mon, 19 Aug 2024 14:30:31 +0000 (17:30 +0300)]
Remove the `PAGE_OWNER` kconfig check

It is not relevant any more.

3 months ago  Disabling VCAP_KUNIT_TEST and BUILD_SALT doesn't look security relevant
Alexander Popov [Mon, 19 Aug 2024 14:27:06 +0000 (17:27 +0300)]
Disabling VCAP_KUNIT_TEST and BUILD_SALT doesn't look security relevant

3 months ago  Fix the check order, no functional changes
Alexander Popov [Mon, 19 Aug 2024 14:24:07 +0000 (17:24 +0300)]
Fix the check order, no functional changes

3 months ago  Introduce the ARM_PTDUMP_DEBUGFS check
Alexander Popov [Mon, 19 Aug 2024 14:22:00 +0000 (17:22 +0300)]
Introduce the ARM_PTDUMP_DEBUGFS check

`X86_PTDUMP` is the old name of `PTDUMP_DEBUGFS`,
see the upstream kernel commit 2ae27137b2db89365f623a7694786cf6d1acb6c7.

`ARM_PTDUMP` is the old name of `ARM_PTDUMP_DEBUGFS`,
see the upstream kernel commit 4fb69cc4566f175839615cc4ef8828ae4d5341d9.

3 months ago  Merge branch 'master' into from-jvoisin
Alexander Popov [Mon, 19 Aug 2024 10:27:46 +0000 (13:27 +0300)]
Merge branch 'master' into from-jvoisin

3 months ago  Merge remote-tracking branch 'citypw/patch-1'
Alexander Popov [Sun, 18 Aug 2024 14:34:55 +0000 (17:34 +0300)]
Merge remote-tracking branch 'citypw/patch-1'

Thanks, @citypw

3 months ago  Add ARM SMMU check options  [150/head]
Shawn C [Tue, 6 Aug 2024 16:05:45 +0000 (16:05 +0000)]
Add ARM SMMU check options

Threat model:
https://github.com/hardenedlinux/grsecurity-101-tutorials/blob/master/embedded_platform_security.md

3 months ago  Add missing UBSAN_SIGNED_WRAP mentioned in kernel/configs/hardening.config
Alexander Popov [Sun, 11 Aug 2024 15:05:25 +0000 (18:05 +0300)]
Add missing UBSAN_SIGNED_WRAP mentioned in kernel/configs/hardening.config

3 months ago  Improve the CONFIG_GCC_PLUGIN_STRUCTLEAK check
Alexander Popov [Sun, 11 Aug 2024 14:36:49 +0000 (17:36 +0300)]
Improve the CONFIG_GCC_PLUGIN_STRUCTLEAK check

3 months ago  Update the KSPP recommendations (II)
Alexander Popov [Sun, 11 Aug 2024 13:56:58 +0000 (16:56 +0300)]
Update the KSPP recommendations (II)

3 months ago  Update the KSPP recommendations
Alexander Popov [Sun, 11 Aug 2024 13:49:57 +0000 (16:49 +0300)]
Update the KSPP recommendations

3 months ago  Add the comments about `vm.mmap_rnd_bits` and `vm.mmap_rnd_compat_bits` sysctls
Alexander Popov [Sun, 11 Aug 2024 11:14:15 +0000 (14:14 +0300)]
Add the comments about `vm.mmap_rnd_bits` and `vm.mmap_rnd_compat_bits` sysctls

Refers to #146

3 months ago  Mark the sysrq checks as GrapheneOS recommendations
Alexander Popov [Sun, 11 Aug 2024 09:39:51 +0000 (12:39 +0300)]
Mark the sysrq checks as GrapheneOS recommendations

And update the README by the way.

See #104

3 months ago  Reorder some checks
Alexander Popov [Sun, 11 Aug 2024 09:27:12 +0000 (12:27 +0300)]
Reorder some checks

3 months ago  Improve the reflections on CONFIG_PANIC_ON_OOPS
Alexander Popov [Sat, 10 Aug 2024 14:23:23 +0000 (17:23 +0300)]
Improve the reflections on CONFIG_PANIC_ON_OOPS

3 months ago  Add the LKDTM check
Alexander Popov [Sat, 10 Aug 2024 11:05:34 +0000 (14:05 +0300)]
Add the LKDTM check

Thanks to @izh1979 for the idea.

3 months ago  Add defconfigs for Linux v6.10
Alexander Popov [Sun, 28 Jul 2024 21:40:48 +0000 (00:40 +0300)]
Add defconfigs for Linux v6.10

And remove the unneeded one for Linux v6.6 by the way.

3 months ago  Merge branch 'simp_detect_arch'
Alexander Popov [Sun, 28 Jul 2024 17:46:50 +0000 (20:46 +0300)]
Merge branch 'simp_detect_arch'

Looks good to me. Thanks, @jvoisin.

4 months ago  Simplify a bit the detect_arch function  [148/head]
jvoisin [Tue, 16 Jul 2024 23:38:32 +0000 (01:38 +0200)]
Simplify a bit the detect_arch function

- Use a regex to extract the arch instead of doing the extraction "by hand".
- Reduce nested indentation.
- Reduce the amount of code in the loop.
- Remove a forceful `re.compile`: python will cache regex in a compiled form if
  necessary.

4 months ago  Add the FAULT_INJECTION check
Alexander Popov [Sun, 7 Jul 2024 15:39:22 +0000 (18:39 +0300)]
Add the FAULT_INJECTION check

Thanks to @izh1979 for the idea.

4 months ago  Add the CONFIG_N_GSM check
Alexander Popov [Sun, 7 Jul 2024 13:49:47 +0000 (16:49 +0300)]
Add the CONFIG_N_GSM check

See https://www.openwall.com/lists/oss-security/2024/04/17/1.

Refers to #122.

4 months ago  Add the CRASH_DUMP check
Alexander Popov [Sun, 7 Jul 2024 12:49:10 +0000 (15:49 +0300)]
Add the CRASH_DUMP check

Refers to #84.

4 months ago  Update the `kfence.sample_interval` check
Alexander Popov [Sun, 7 Jul 2024 12:19:03 +0000 (15:19 +0300)]
Update the `kfence.sample_interval` check

4 months ago  Allow the empty values for Kconfig options
Alexander Popov [Sat, 6 Jul 2024 20:55:09 +0000 (23:55 +0300)]
Allow the empty values for Kconfig options

This prevents breaking on handling the strange Broadcom configs.

Refers to #143.
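The "Allow the empty values for Kconfig options" commit above, the "Simplify a bit the detect_arch function" commit (a regex instead of hand extraction) and the later "Detect the kernel version before the arch" change all concern the same first stage of the tool: reading a kernel `.config` and establishing version and architecture before any check runs. The following is an added example written for this page, not the project's own code: a small Kconfig reader that accepts `CONFIG_FOO=` with an empty value, a regex-based architecture detector that refuses ambiguous input, and a version detector that reads the `# Linux/<arch> X.Y.Z` header comment. The sample config, the function names and the failure messages are this example's own assumptions.

```python
import re

# Constructed .config fragment for this example; not a real kernel config
# shipped with the repository. The header comment uses the format the kernel
# build writes at the top of .config.
SAMPLE_KCONFIG = """\
#
# Automatically generated file; DO NOT EDIT.
# Linux/x86 6.10.0 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (GCC) 13.2.0"
CONFIG_X86_64=y
CONFIG_64BIT=y
# CONFIG_X86_32 is not set
CONFIG_CMDLINE=""
CONFIG_VENDOR_ODD_OPTION=
CONFIG_LOCALVERSION="-hardened"
CONFIG_DEBUG_WX=y
# CONFIG_KGDB is not set
"""

# CONFIG_NAME=value; the value group is '.*' so an empty value still matches.
_OPTION_RE = re.compile(r'^(CONFIG_[A-Za-z0-9_]+)=(.*)$')
# "# CONFIG_NAME is not set" lines carry information too (the option is off).
_NOT_SET_RE = re.compile(r'^# (CONFIG_[A-Za-z0-9_]+) is not set$')
# Supported architectures, extracted with one regex instead of per-arch code.
_ARCH_RE = re.compile(r'^CONFIG_(X86_64|X86_32|ARM64|ARM)=y$')
# Version header written by the kernel build: "# Linux/x86 6.10.0 Kernel Configuration".
_VERSION_RE = re.compile(r'^# Linux/\S+ (\d+)\.(\d+)\.(\d+)')


def parse_kconfig(text):
    """Map CONFIG_* names to their values.

    Quoted string values keep their quotes, 'is not set' lines map to the
    string 'is not set', and an option with an empty value (CONFIG_FOO=)
    maps to '' instead of being rejected, so odd vendor configs still load.
    """
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _OPTION_RE.match(line)
        if m:
            options[m.group(1)] = m.group(2)
            continue
        m = _NOT_SET_RE.match(line)
        if m:
            options[m.group(1)] = 'is not set'
    return options


def detect_version(text):
    """Return (major, minor, patch) from the header comment, or None."""
    for raw in text.splitlines():
        m = _VERSION_RE.match(raw.strip())
        if m:
            return tuple(int(x) for x in m.groups())
    return None


def detect_arch(text):
    """Return (arch, message); arch is None when detection fails.

    Exactly one supported CONFIG_<ARCH>=y line is required: none means the
    config is for an unsupported target, more than one means the input is
    inconsistent and no arch-specific check should be trusted.
    """
    found = []
    for raw in text.splitlines():
        m = _ARCH_RE.match(raw.strip())
        if m:
            found.append(m.group(1))
    if not found:
        return None, 'failed to detect a supported architecture'
    if len(found) > 1:
        return None, f'more than one supported architecture detected: {found}'
    return found[0], 'OK'


if __name__ == '__main__':
    print('version:', detect_version(SAMPLE_KCONFIG))
    print('arch:', detect_arch(SAMPLE_KCONFIG))
    for name, value in sorted(parse_kconfig(SAMPLE_KCONFIG).items()):
        print(f'{name} = {value!r}')
```

The ordering in `__main__` (version first, then architecture, then the option table) follows the commit "Detect the kernel version before the arch": version-dependent decisions about which options exist have to be made before the per-arch checks are selected.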

4 months ago  Add the missing SPDX info
Alexander Popov [Sat, 6 Jul 2024 13:02:08 +0000 (16:02 +0300)]
Add the missing SPDX info

4 months ago  Improve the README
Alexander Popov [Sat, 6 Jul 2024 08:51:36 +0000 (11:51 +0300)]
Improve the README

4 months ago  Specify the `GPL-3.0-only` license explicitly
Alexander Popov [Sat, 6 Jul 2024 08:40:19 +0000 (11:40 +0300)]
Specify the `GPL-3.0-only` license explicitly

4 months ago  Update the `decision` for the SLAB_MERGE_DEFAULT check
Alexander Popov [Wed, 3 Jul 2024 13:41:22 +0000 (16:41 +0300)]
Update the `decision` for the SLAB_MERGE_DEFAULT check

4 months ago  Update the KFENCE_SAMPLE_INTERVAL check
Alexander Popov [Wed, 3 Jul 2024 13:38:13 +0000 (16:38 +0300)]
Update the KFENCE_SAMPLE_INTERVAL check

4 months ago  Merge branch 'master' into grsecurity
Julien Voisin [Fri, 28 Jun 2024 13:30:04 +0000 (13:30 +0000)]
Merge branch 'master' into grsecurity

5 months ago  Comment out the RANDSTRUCT_PERFORMANCE check
Alexander Popov [Wed, 19 Jun 2024 18:44:08 +0000 (21:44 +0300)]
Comment out the RANDSTRUCT_PERFORMANCE check

5 months ago  Update the KSPP recommendations (https://github.com/KSPP/linux/issues/362)
Alexander Popov [Wed, 19 Jun 2024 18:12:05 +0000 (21:12 +0300)]
Update the KSPP recommendations (https://github.com/KSPP/linux/issues/362)

Thanks to @kees!

5 months ago  Update the 'kernel.modules_disabled' check
Alexander Popov [Sun, 16 Jun 2024 05:48:52 +0000 (08:48 +0300)]
Update the 'kernel.modules_disabled' check

5 months ago  Add the 'kernel.oops_limit' and 'kernel.warn_limit' checks
Alexander Popov [Sun, 16 Jun 2024 05:48:14 +0000 (08:48 +0300)]
Add the 'kernel.oops_limit' and 'kernel.warn_limit' checks

5 months ago  Add the "cfi" check
Alexander Popov [Sun, 16 Jun 2024 05:23:40 +0000 (08:23 +0300)]
Add the "cfi" check

5 months ago  Add the "MAGIC_SYSRQ_SERIAL" check
Alexander Popov [Sun, 16 Jun 2024 04:24:56 +0000 (07:24 +0300)]
Add the "MAGIC_SYSRQ_SERIAL" check

Thanks to @thestinger.

Refers to #104.

5 months ago  Add the "kernel.sysrq" check
Alexander Popov [Sun, 16 Jun 2024 04:03:29 +0000 (07:03 +0300)]
Add the "kernel.sysrq" check

Thanks to @thestinger.

Refers to #104.

5 months ago  Add the MAGIC_SYSRQ_DEFAULT_ENABLE check
Alexander Popov [Sat, 15 Jun 2024 21:56:25 +0000 (00:56 +0300)]
Add the MAGIC_SYSRQ_DEFAULT_ENABLE check

Thanks to @thestinger.

Refers to #104.

5 months ago  Sync with KSPP: update the `decision` for some checks
Alexander Popov [Sat, 15 Jun 2024 20:16:35 +0000 (23:16 +0300)]
Sync with KSPP: update the `decision` for some checks

Thanks to @kees for the collaboration.

5 months ago  Add CONFIG_CC_IS_CLANG and CONFIG_CC_IS_GCC to the KSPP recommendations
Alexander Popov [Sat, 15 Jun 2024 19:20:51 +0000 (22:20 +0300)]
Add CONFIG_CC_IS_CLANG and CONFIG_CC_IS_GCC to the KSPP recommendations

It makes the tool show less FAILs.

5 months ago  ruff: Fix EXE001 "Shebang is present but file is not executable"
Alexander Popov [Sat, 15 Jun 2024 10:21:23 +0000 (13:21 +0300)]
ruff: Fix EXE001 "Shebang is present but file is not executable"

5 months ago  Add the comment about 'if arch' for the 'cut_attack_surface' checks
Alexander Popov [Mon, 10 Jun 2024 14:10:47 +0000 (17:10 +0300)]
Add the comment about 'if arch' for the 'cut_attack_surface' checks

Refers to #135.

5 months ago  Update the KSPP recommendations
Alexander Popov [Mon, 10 Jun 2024 13:44:21 +0000 (16:44 +0300)]
Update the KSPP recommendations

Thanks to Kees for working together!

5 months ago  Code refactoring to improve test coverage (II)
Alexander Popov [Mon, 10 Jun 2024 13:13:28 +0000 (16:13 +0300)]
Code refactoring to improve test coverage (II)

Test the `-v` argument.