kconfig-hardened-check.git
7 months ago: Don't require GCC_PLUGINS separately
Alexander Popov [Mon, 25 Mar 2024 07:18:25 +0000 (10:18 +0300)]
Don't require GCC_PLUGINS separately

It's auxiliary for building with gcc and it's not needed for building with
clang.

Refers to #102

7 months ago: Rename the 'my' check decision to 'a13xp0p0v'
Alexander Popov [Sun, 24 Mar 2024 12:52:40 +0000 (15:52 +0300)]
Rename the 'my' check decision to 'a13xp0p0v'

'my' checks look like the checks created by a user of the tool.
Let's fix that and take the responsibility :)

Refers to #50

8 months ago: Make the table column names and JSON field names fit each other
Alexander Popov [Sun, 17 Mar 2024 22:38:54 +0000 (01:38 +0300)]
Make the table column names and JSON field names fit each other

Refers to #108, #115

8 months ago: Merge remote-tracking branch 'krishjainx/improve-json-output'
Alexander Popov [Sun, 17 Mar 2024 22:16:51 +0000 (01:16 +0300)]
Merge remote-tracking branch 'krishjainx/improve-json-output'

Refers to #108, #115

8 months ago: update (115/head)
krishjainx [Sun, 17 Mar 2024 21:43:01 +0000 (17:43 -0400)]
update

8 months ago: fix issues
krishjainx [Sun, 17 Mar 2024 07:20:27 +0000 (03:20 -0400)]
fix issues

8 months ago: Fix tests to work with new JSON schema
krishjainx [Thu, 14 Mar 2024 10:21:54 +0000 (06:21 -0400)]
Fix tests to work with new JSON schema

8 months ago: Improve JSON output format for enhanced processing
krishjainx [Thu, 14 Mar 2024 09:53:19 +0000 (05:53 -0400)]
Improve JSON output format for enhanced processing

8 months ago: Improve the DEBUG_CREDENTIALS check
Alexander Popov [Mon, 11 Mar 2024 11:00:25 +0000 (14:00 +0300)]
Improve the DEBUG_CREDENTIALS check

Useful DEBUG_CREDENTIALS was dropped in v6.6.8

Refers to #97

8 months ago: Fix the false result of the REFCOUNT_FULL check for kernels > v5.4.208
Alexander Popov [Sun, 10 Mar 2024 00:00:24 +0000 (03:00 +0300)]
Fix the false result of the REFCOUNT_FULL check for kernels > v5.4.208

Refers to #88, #89

8 months ago: Have to revert codecov back to v3
Alexander Popov [Sat, 9 Mar 2024 23:12:35 +0000 (02:12 +0300)]
Have to revert codecov back to v3

Details about the error:
https://github.com/codecov/codecov-action/issues/1292

8 months ago: Update codecov-action
Alexander Popov [Sat, 9 Mar 2024 22:29:52 +0000 (01:29 +0300)]
Update codecov-action

This fixes the error:
```
Node.js 16 actions are deprecated.
Please update the following actions to use Node.js 20.
```

8 months ago: Adapt test_version() in the unittest
Alexander Popov [Sat, 9 Mar 2024 22:22:46 +0000 (01:22 +0300)]
Adapt test_version() in the unittest

Refers to #88, #89, #97

8 months ago: Check all 3 numbers of the kernel version in VersionCheck
Alexander Popov [Sat, 9 Mar 2024 20:46:51 +0000 (23:46 +0300)]
Check all 3 numbers of the kernel version in VersionCheck

Refers to #88, #89, #97

8 months ago: Fix the fresh set_state() bug found by unittest
Alexander Popov [Sat, 9 Mar 2024 21:41:49 +0000 (00:41 +0300)]
Fix the fresh set_state() bug found by unittest

This function should write 'self.state' anyway.

Refers to #88, #89, #97

8 months ago: Make `python -m unittest` show the whole output
Alexander Popov [Sat, 9 Mar 2024 21:38:25 +0000 (00:38 +0300)]
Make `python -m unittest` show the whole output

8 months ago: Update github actions
Alexander Popov [Sat, 9 Mar 2024 21:26:12 +0000 (00:26 +0300)]
Update github actions

This fixes the error:
```
Node.js 16 actions are deprecated.
Please update the following actions to use Node.js 20.
```

8 months ago: Implement the set_state() method of the check classes
Alexander Popov [Sat, 9 Mar 2024 18:53:47 +0000 (21:53 +0300)]
Implement the set_state() method of the check classes

Refers to #88, #89, #97

8 months ago: Use 3 numbers in the VersionCheck constructor
Alexander Popov [Sat, 9 Mar 2024 18:16:30 +0000 (21:16 +0300)]
Use 3 numbers in the VersionCheck constructor

Refers to #88, #89, #97

8 months ago: Parse all numbers of the kernel version
Alexander Popov [Sat, 9 Mar 2024 17:27:08 +0000 (20:27 +0300)]
Parse all numbers of the kernel version

Refers to #88, #89, #97

8 months ago: Skip the kernel version part after '-'
Alexander Popov [Sat, 9 Mar 2024 17:24:07 +0000 (20:24 +0300)]
Skip the kernel version part after '-'

Example:
# Linux/x86_64 6.7.4-200.fc39.x86_64 Kernel Configuration

Refers to #88, #89, #97
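The version handling described in the commits above ("Parse all numbers of the kernel version", "Skip the kernel version part after '-'" and "Check all 3 numbers of the kernel version in VersionCheck"), together with reading the version from /proc/version as the --kernel-version option does, as an added example. This is not code from kconfig-hardened-check: the function and class names, the regular expression and the sample input lines are constructed for illustration, and the `two_number_compare` helper only shows why comparing just major.minor gives a wrong answer for a kernel such as 5.4.250.

```python
"""Added example, not the project's own code: parse a three-number kernel
version from a .config header or from /proc/version, skipping everything
after '-', and compare it with a VersionCheck that uses all three numbers."""
import re
from typing import Optional, Tuple

# Constructed sample inputs (not captured from a real system): the first line
# of a kernel .config and a /proc/version line of a distro kernel.
CONFIG_HEADER = "# Linux/x86_64 6.7.4-200.fc39.x86_64 Kernel Configuration"
PROC_VERSION = ("Linux version 5.4.250-generic (build@host) "
                "(gcc version 9.4.0) #1 SMP Tue Jan 1 00:00:00 UTC 2024")

# major.minor with an optional .patch; the match must be followed by
# whitespace, '-' or end of line, so a '-200.fc39...' or '-rc1' suffix is
# simply not consumed (that is how the part after '-' gets skipped).
_VERSION_RE = re.compile(r'(?<![\w.])(\d+)\.(\d+)(?:\.(\d+))?(?=[\s-]|$)')


def parse_kernel_version(text: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch); a missing patch number counts as 0."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f'no kernel version found in: {text!r}')
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


class VersionCheck:
    """Passes when the kernel is at least `ver_expected`.

    All three numbers take part in the comparison (Python compares tuples
    element by element), so 5.4.250 satisfies 5.4.208 while 5.4.100 does not.
    """

    def __init__(self, ver_expected: Tuple[int, int, int]) -> None:
        if len(ver_expected) != 3:
            raise ValueError('expected a (major, minor, patch) triple')
        self.ver_expected = tuple(ver_expected)
        self.result: Optional[str] = None

    def check(self, ver: Tuple[int, int, int]) -> bool:
        want = '.'.join(map(str, self.ver_expected))
        have = '.'.join(map(str, ver))
        if ver >= self.ver_expected:
            self.result = f'OK: version >= {want}'
            return True
        self.result = f'FAIL: version < {want} (found {have})'
        return False


def two_number_compare(ver: Tuple[int, int, int],
                       expected: Tuple[int, int, int]) -> bool:
    """The weaker comparison on (major, minor) only: it cannot distinguish
    5.4.100 from 5.4.250, so a check against 5.4.208 answers 'yes' for both."""
    return ver[:2] >= expected[:2]


if __name__ == '__main__':
    for line in (CONFIG_HEADER, PROC_VERSION):
        ver = parse_kernel_version(line)
        check = VersionCheck((5, 4, 208))
        check.check(ver)
        print(f'{ver}: {check.result}')
```

Feeding the .config header gives (6, 7, 4) and the /proc/version line gives (5, 4, 250); a plain "6.6" with no patch number is read as (6, 6, 0), which is what a mainline release reports in /proc/version.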

8 months ago: Add the ia32_emulation check
Alexander Popov [Mon, 4 Mar 2024 20:00:49 +0000 (23:00 +0300)]
Add the ia32_emulation check

Refers to #87, #112

9 months ago: Add MODULE_SIG_SHA3_512 as a valid option
Alexander Popov [Mon, 19 Feb 2024 12:25:09 +0000 (15:25 +0300)]
Add MODULE_SIG_SHA3_512 as a valid option

Refers to #107

9 months ago: Make LOCKDOWN_LSM 'self_protection', not 'security_policy'
Alexander Popov [Sat, 17 Feb 2024 20:33:33 +0000 (23:33 +0300)]
Make LOCKDOWN_LSM 'self_protection', not 'security_policy'

10 months ago: Ready for the release 0.6.6 (v0.6.6)
Alexander Popov [Tue, 16 Jan 2024 22:55:02 +0000 (01:55 +0300)]
Ready for the release 0.6.6

10 months ago: Update issues.md
Alexander Popov [Tue, 16 Jan 2024 22:54:40 +0000 (01:54 +0300)]
Update issues.md

10 months ago: Update the README
Alexander Popov [Tue, 16 Jan 2024 22:30:43 +0000 (01:30 +0300)]
Update the README

10 months ago: Update the Ubuntu example configs
Alexander Popov [Tue, 16 Jan 2024 22:20:39 +0000 (01:20 +0300)]
Update the Ubuntu example configs

10 months ago: Don't print the warning about ARCH_MMAP_RND_BITS in the json mode
Alexander Popov [Tue, 16 Jan 2024 21:42:56 +0000 (00:42 +0300)]
Don't print the warning about ARCH_MMAP_RND_BITS in the json mode

10 months ago: Improve the check of DEBUG_NOTIFIERS feature (part 2)
Alexander Popov [Tue, 16 Jan 2024 20:53:14 +0000 (23:53 +0300)]
Improve the check of DEBUG_NOTIFIERS feature (part 2)

CFI_PERMISSIVE should be disabled. Reacting with a kernel warning
is not enough.

Thanks to @thestinger for the idea.

Refers to #99.

10 months ago: Improve the check of DEBUG_NOTIFIERS feature
Alexander Popov [Tue, 16 Jan 2024 20:31:11 +0000 (23:31 +0300)]
Improve the check of DEBUG_NOTIFIERS feature

This is what DEBUG_NOTIFIERS performs (see kernel/notifier.c):

```
#ifdef CONFIG_DEBUG_NOTIFIERS
		if (unlikely(!func_ptr_is_kernel_text(nb->notifier_call))) {
			WARN(1, "Invalid notifier called!");
			nb = next_nb;
			continue;
		}
#endif
```

CFI can do the same better.

Thanks to @thestinger for the idea.

Refers to #99.

10 months ago: Improve the check of SCHED_STACK_END_CHECK.
Alexander Popov [Tue, 16 Jan 2024 19:57:47 +0000 (22:57 +0300)]
Improve the check of SCHED_STACK_END_CHECK.

SCHED_STACK_END_CHECK checks the magic value at the end
of the kernel thread stack, and VMAP_STACK adds guard pages near it.
So they do slightly different things, but VMAP_STACK is more reliable.

Thanks to @thestinger for the idea.

Refers to #98.

10 months ago: Fix style (III)
Alexander Popov [Tue, 16 Jan 2024 17:33:58 +0000 (20:33 +0300)]
Fix style (III)

Use f-strings.

10 months ago: Fix style (II)
Alexander Popov [Tue, 16 Jan 2024 17:21:57 +0000 (20:21 +0300)]
Fix style (II)

10 months ago: Fix style (I)
Alexander Popov [Tue, 16 Jan 2024 17:20:41 +0000 (20:20 +0300)]
Fix style (I)

10 months ago: Disable pylint too-many-locals, it's not useful for add_kconfig_checks()
Alexander Popov [Tue, 16 Jan 2024 08:30:39 +0000 (11:30 +0300)]
Disable pylint too-many-locals, it's not useful for add_kconfig_checks()

10 months ago: Fix pylint W0613: Unused argument 'arch'
Alexander Popov [Tue, 16 Jan 2024 08:26:27 +0000 (11:26 +0300)]
Fix pylint W0613: Unused argument 'arch'

10 months ago: Fix pylint E1101: Instance of 'OptCheck' has no 'type' member
Alexander Popov [Tue, 16 Jan 2024 04:24:32 +0000 (07:24 +0300)]
Fix pylint E1101: Instance of 'OptCheck' has no 'type' member

10 months ago: Fix pylint W0613: Unused argument 'mode'
Alexander Popov [Tue, 16 Jan 2024 04:18:40 +0000 (07:18 +0300)]
Fix pylint W0613: Unused argument 'mode'

10 months ago: Update the NixOS configs
Alexander Popov [Mon, 15 Jan 2024 05:35:28 +0000 (08:35 +0300)]
Update the NixOS configs

10 months ago: Don't add options without explicitly recommended values to Kconfig fragments
Alexander Popov [Sun, 14 Jan 2024 14:31:50 +0000 (17:31 +0300)]
Don't add options without explicitly recommended values to Kconfig fragments

That's important for the '--generate' mode.

10 months ago: UBSAN_SANITIZE_ALL is now available for ARM
Alexander Popov [Sun, 14 Jan 2024 12:43:08 +0000 (15:43 +0300)]
UBSAN_SANITIZE_ALL is now available for ARM

10 months ago: Fix the order in the vdso32 check (part II)
Alexander Popov [Sat, 30 Dec 2023 20:44:34 +0000 (23:44 +0300)]
Fix the order in the vdso32 check (part II)

10 months ago: Fix the order in the vdso32 check
Alexander Popov [Sat, 30 Dec 2023 20:41:01 +0000 (23:41 +0300)]
Fix the order in the vdso32 check

10 months ago: Improve the hackish refinement of the CONFIG_ARCH_MMAP_RND_BITS check
Alexander Popov [Sat, 30 Dec 2023 18:30:14 +0000 (21:30 +0300)]
Improve the hackish refinement of the CONFIG_ARCH_MMAP_RND_BITS check

Don't check CONFIG_ARCH_MMAP_RND_BITS if CONFIG_ARCH_MMAP_RND_BITS_MAX
was not found.

10 months ago: Show the option type in print_unknown_options()
Alexander Popov [Sat, 30 Dec 2023 18:22:00 +0000 (21:22 +0300)]
Show the option type in print_unknown_options()

That improves debugging.

10 months ago: Use raw strings for regular expression
Alexander Popov [Sat, 30 Dec 2023 18:15:37 +0000 (21:15 +0300)]
Use raw strings for regular expression

10 months ago: Fix the 'decision' for the 'AIO' check
Alexander Popov [Sat, 30 Dec 2023 16:52:01 +0000 (19:52 +0300)]
Fix the 'decision' for the 'AIO' check

10 months ago: Fix the 'decision' for the 'vdso32' check
Alexander Popov [Fri, 29 Dec 2023 08:22:06 +0000 (11:22 +0300)]
Fix the 'decision' for the 'vdso32' check

10 months ago: Improve the comment for the 'slab_common.usercopy_fallback' check
Alexander Popov [Fri, 29 Dec 2023 08:21:17 +0000 (11:21 +0300)]
Improve the comment for the 'slab_common.usercopy_fallback' check

10 months ago: Fix the arch condition for the SCHED_CORE check (III)
Alexander Popov [Thu, 28 Dec 2023 13:20:47 +0000 (16:20 +0300)]
Fix the arch condition for the SCHED_CORE check (III)

SCHED_CORE is finally available for ARM64 and ARM.

SCHED_SMT was needed for that.

10 months ago: Update the KSPP recommendations
Alexander Popov [Thu, 28 Dec 2023 12:30:56 +0000 (15:30 +0300)]
Update the KSPP recommendations

10 months ago: Fix the arch for the CPU_SRSO check (it's available only for x86_64)
Alexander Popov [Thu, 28 Dec 2023 11:58:11 +0000 (14:58 +0300)]
Fix the arch for the CPU_SRSO check (it's available only for x86_64)

10 months ago: Split the HW_RANDOM_TPM check (it's enabled by default on ARM and ARM64)
Alexander Popov [Thu, 28 Dec 2023 11:41:09 +0000 (14:41 +0300)]
Split the HW_RANDOM_TPM check (it's enabled by default on ARM and ARM64)

10 months ago: Change the 'decision' of the INIT_STACK_ALL_ZERO check
Alexander Popov [Thu, 28 Dec 2023 11:33:10 +0000 (14:33 +0300)]
Change the 'decision' of the INIT_STACK_ALL_ZERO check

11 months ago: Add defconfigs for Linux v6.6
Alexander Popov [Sun, 17 Dec 2023 23:51:58 +0000 (02:51 +0300)]
Add defconfigs for Linux v6.6

11 months ago: Add the RANDOM_KMALLOC_CACHES check
Alexander Popov [Sat, 16 Dec 2023 23:41:40 +0000 (02:41 +0300)]
Add the RANDOM_KMALLOC_CACHES check

Refers to #83

11 months ago: Add the SECURITY_SELINUX_DEBUG check
Alexander Popov [Sat, 16 Dec 2023 23:11:53 +0000 (02:11 +0300)]
Add the SECURITY_SELINUX_DEBUG check

11 months ago: Fix the 'decision' for the LEGACY_TIOCSTI check
Alexander Popov [Sat, 16 Dec 2023 22:53:50 +0000 (01:53 +0300)]
Fix the 'decision' for the LEGACY_TIOCSTI check

11 months ago: Add the CONFIG_LIST_HARDENED check
Alexander Popov [Sat, 16 Dec 2023 21:21:10 +0000 (00:21 +0300)]
Add the CONFIG_LIST_HARDENED check

11 months ago: Add the gather_data_sampling check
Alexander Popov [Sat, 9 Dec 2023 19:25:38 +0000 (22:25 +0300)]
Add the gather_data_sampling check

11 months ago: Add the CPU_SRSO check
Alexander Popov [Sat, 9 Dec 2023 19:10:32 +0000 (22:10 +0300)]
Add the CPU_SRSO check

11 months ago: Add the SPECULATION_MITIGATIONS check
Alexander Popov [Sat, 9 Dec 2023 19:06:13 +0000 (22:06 +0300)]
Add the SPECULATION_MITIGATIONS check

11 months ago: Add the spec_rstack_overflow check
Alexander Popov [Sat, 9 Dec 2023 18:57:13 +0000 (21:57 +0300)]
Add the spec_rstack_overflow check

11 months ago: Add the MODULE_FORCE_LOAD check
Alexander Popov [Sat, 9 Dec 2023 05:47:55 +0000 (08:47 +0300)]
Add the MODULE_FORCE_LOAD check

Thanks to @vobst for the idea

11 months ago: Update the README
Alexander Popov [Sat, 2 Dec 2023 19:21:13 +0000 (22:21 +0300)]
Update the README

11 months ago: Add the check for dis_ucode_ldr
Alexander Popov [Sat, 2 Dec 2023 17:46:14 +0000 (20:46 +0300)]
Add the check for dis_ucode_ldr

Thanks to @izh1979 for the idea

11 months ago: Add the MICROCODE_INTEL and MICROCODE_AMD checks
Alexander Popov [Sat, 2 Dec 2023 17:33:56 +0000 (20:33 +0300)]
Add the MICROCODE_INTEL and MICROCODE_AMD checks

Thanks to @izh1979 for the idea

11 months ago: Add a check for the 'kfence.sample_interval' boot parameter
Alexander Popov [Sat, 2 Dec 2023 10:49:42 +0000 (13:49 +0300)]
Add a check for the 'kfence.sample_interval' boot parameter

Thanks to @izh1979 for the idea

11 months ago: Add the KFENCE_SAMPLE_INTERVAL check
Alexander Popov [Sat, 2 Dec 2023 10:04:30 +0000 (13:04 +0300)]
Add the KFENCE_SAMPLE_INTERVAL check

Thanks to @izh1979 for the idea

11 months ago: Keep the recommendation to disable kernel modules
Alexander Popov [Sat, 2 Dec 2023 06:28:13 +0000 (09:28 +0300)]
Keep the recommendation to disable kernel modules

Disabling kernel modules is a radical method to cut the kernel attack
surface. It may be useful for some systems.

Quoting CLIP OS recommendation:
```
Disable module loading once systemd has loaded the ones required for the
running machine according to a profile.
```

11 months ago: Add a comment about 'kernel.modules_disabled'
Alexander Popov [Sat, 11 Nov 2023 15:13:19 +0000 (18:13 +0300)]
Add a comment about 'kernel.modules_disabled'

11 months ago: add --kernel-version option (#94)
Alexander Popov [Sat, 2 Dec 2023 06:11:44 +0000 (09:11 +0300)]
add --kernel-version option (#94)

11 months ago: add --kernel-version option (94/head)
Fabrice Fontaine [Wed, 29 Nov 2023 16:37:58 +0000 (17:37 +0100)]
add --kernel-version option

The --kernel-version option will extract the version from /proc/version.
This is especially useful on embedded systems where config.gz doesn't
always contain the kernel version.

Signed-off-by: Fabrice Fontaine <fabrice.fontaine@orange.com>

13 months ago: Fix the reason for the 'kernel.yama.ptrace_scope' check
Alexander Popov [Wed, 18 Oct 2023 07:30:36 +0000 (10:30 +0300)]
Fix the reason for the 'kernel.yama.ptrace_scope' check

13 months ago: Add kspp-recommendations/kspp-sysctl.txt
Alexander Popov [Tue, 17 Oct 2023 20:34:14 +0000 (23:34 +0300)]
Add kspp-recommendations/kspp-sysctl.txt

13 months ago: Fix the reason for the nosmt check
Alexander Popov [Tue, 17 Oct 2023 20:23:31 +0000 (23:23 +0300)]
Fix the reason for the nosmt check

Use 'cut_attack_surface'.

13 months ago: Update kspp-cmdline-x86-64.txt
Alexander Popov [Tue, 17 Oct 2023 19:57:18 +0000 (22:57 +0300)]
Update kspp-cmdline-x86-64.txt

13 months ago: Add the 'dev.tty.legacy_tiocsti' check
Alexander Popov [Tue, 17 Oct 2023 17:19:05 +0000 (20:19 +0300)]
Add the 'dev.tty.legacy_tiocsti' check

13 months ago: Add the 'kernel.randomize_va_space' check
Alexander Popov [Tue, 17 Oct 2023 16:27:37 +0000 (19:27 +0300)]
Add the 'kernel.randomize_va_space' check

13 months ago: Add the 'fs.suid_dumpable' check
Alexander Popov [Tue, 17 Oct 2023 16:24:25 +0000 (19:24 +0300)]
Add the 'fs.suid_dumpable' check

13 months ago: Change the reason of the COREDUMP check
Alexander Popov [Tue, 17 Oct 2023 16:23:00 +0000 (19:23 +0300)]
Change the reason of the COREDUMP check

13 months ago: Add the 'fs.protected_regular' check
Alexander Popov [Tue, 17 Oct 2023 16:20:08 +0000 (19:20 +0300)]
Add the 'fs.protected_regular' check

13 months ago: Add the 'fs.protected_fifos' check
Alexander Popov [Tue, 17 Oct 2023 16:19:06 +0000 (19:19 +0300)]
Add the 'fs.protected_fifos' check

13 months ago: Add the 'fs.protected_hardlinks' check
Alexander Popov [Tue, 17 Oct 2023 16:07:41 +0000 (19:07 +0300)]
Add the 'fs.protected_hardlinks' check

13 months ago: Add the 'fs.protected_symlinks' check
Alexander Popov [Tue, 17 Oct 2023 16:07:00 +0000 (19:07 +0300)]
Add the 'fs.protected_symlinks' check

13 months ago: Add the 'vm.unprivileged_userfaultfd' check
Alexander Popov [Tue, 17 Oct 2023 16:02:39 +0000 (19:02 +0300)]
Add the 'vm.unprivileged_userfaultfd' check

13 months ago: Add the 'kernel.yama.ptrace_scope' check
Alexander Popov [Tue, 17 Oct 2023 15:53:32 +0000 (18:53 +0300)]
Add the 'kernel.yama.ptrace_scope' check

13 months ago: Add the 'kernel.kptr_restrict' check
Alexander Popov [Tue, 17 Oct 2023 15:52:57 +0000 (18:52 +0300)]
Add the 'kernel.kptr_restrict' check

13 months ago: Improve the slab_common.usercopy_fallback check
Alexander Popov [Tue, 17 Oct 2023 05:38:51 +0000 (08:38 +0300)]
Improve the slab_common.usercopy_fallback check

Don't require slab_common.usercopy_fallback=0,
since HARDENED_USERCOPY_FALLBACK was removed in Linux v5.16.

13 months ago: hardened_usercopy=1 is now officially recommended by KSPP
Alexander Popov [Tue, 17 Oct 2023 05:35:00 +0000 (08:35 +0300)]
hardened_usercopy=1 is now officially recommended by KSPP

13 months ago: Enabling page_alloc.shuffle is now recommended by KSPP
Alexander Popov [Mon, 16 Oct 2023 20:40:15 +0000 (23:40 +0300)]
Enabling page_alloc.shuffle is now recommended by KSPP

13 months ago: 'mitigations=auto,nosmt' is now recommended by KSPP
Alexander Popov [Mon, 16 Oct 2023 20:22:59 +0000 (23:22 +0300)]
'mitigations=auto,nosmt' is now recommended by KSPP

13 months ago: Disabling X86_VSYSCALL_EMULATION is now recommended by KSPP
Alexander Popov [Mon, 16 Oct 2023 05:13:29 +0000 (08:13 +0300)]
Disabling X86_VSYSCALL_EMULATION is now recommended by KSPP

13 months ago: Use /usr/bin/env in shebangs (#90)
Alexander Popov [Mon, 16 Oct 2023 04:31:36 +0000 (07:31 +0300)]
Use /usr/bin/env in shebangs (#90)

Thanks, @SuperSandro2000

13 months ago: Use /usr/bin/env in shebangs (90/head)
Sandro Jäckel [Thu, 5 Oct 2023 22:41:00 +0000 (00:41 +0200)]
Use /usr/bin/env in shebangs

This is guaranteed to work everywhere, including NixOS.

13 months ago: Drop ZERO_CALL_USED_REGS in favour of backward-edge CFI
Alexander Popov [Wed, 4 Oct 2023 18:21:21 +0000 (21:21 +0300)]
Drop ZERO_CALL_USED_REGS in favour of backward-edge CFI

This option isn't worth the performance impact.

Refers to #82.

14 months ago: Update the README
Alexander Popov [Mon, 18 Sep 2023 20:56:21 +0000 (23:56 +0300)]
Update the README

14 months ago: Refactor the assertion in colorize_result() to improve test coverage
Alexander Popov [Mon, 18 Sep 2023 05:58:44 +0000 (08:58 +0300)]
Refactor the assertion in colorize_result() to improve test coverage

14 months ago: Update the backup in issues.md
Alexander Popov [Sun, 17 Sep 2023 22:56:10 +0000 (01:56 +0300)]
Update the backup in issues.md