From 0ace19012b626203d14332090cdcd40ed2237100 Mon Sep 17 00:00:00 2001
From: Alexander Popov <alex.popov@linux.com>
Date: Thu, 5 Mar 2020 13:32:43 +0300
Subject: [PATCH] Add kernel version detection

---
 kconfig-hardened-check.py | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)

diff --git a/kconfig-hardened-check.py b/kconfig-hardened-check.py
index 0975ba0..4762219 100755
--- a/kconfig-hardened-check.py
+++ b/kconfig-hardened-check.py
@@ -156,7 +156,6 @@ def detect_arch(fname):
     with open(fname, 'r') as f:
         arch_pattern = re.compile("CONFIG_[a-zA-Z0-9_]*=y")
         arch = None
-        msg = None
         if not json_mode:
             print('[+] Trying to detect architecture in "{}"...'.format(fname))
         for line in f.readlines():
@@ -173,6 +172,27 @@ def detect_arch(fname):
             return arch, 'OK'
 
 
+def detect_version(fname):
+    with open(fname, 'r') as f:
+        ver_pattern = re.compile("# Linux/.* Kernel Configuration")
+        if not json_mode:
+            print('[+] Trying to detect kernel version in "{}"...'.format(fname))
+        for line in f.readlines():
+            if ver_pattern.match(line):
+                line = line.strip()
+                if not json_mode:
+                    print('[+] Found version line: "{}"'.format(line))
+                parts = line.split()
+                ver_str = parts[2]
+                ver_numbers = ver_str.split('.')
+                if len(ver_numbers) < 3 or not ver_numbers[0].isdigit() or not ver_numbers[1].isdigit():
+                    msg = 'failed to parse the version "' + ver_str + '"'
+                    return None, msg
+                else:
+                    return (int(ver_numbers[0]), int(ver_numbers[1])), None
+        return None, 'no kernel version detected'
+
+
 def construct_checklist(checklist, arch):
     modules_not_set = OptCheck('MODULES',     'is not set', 'kspp', 'cut_attack_surface')
     devmem_not_set = OptCheck('DEVMEM',       'is not set', 'kspp', 'cut_attack_surface') # refers to LOCK_DOWN_KERNEL
@@ -494,6 +514,12 @@ if __name__ == '__main__':
         elif not json_mode:
             print('[+] Detected architecture: {}'.format(arch))
 
+        kernel_version, msg = detect_version(args.config)
+        if not kernel_version:
+            sys.exit('[!] ERROR: {}'.format(msg))
+        elif not json_mode:
+            print('[+] Detected kernel version: {}.{}'.format(kernel_version[0], kernel_version[1]))
+
         construct_checklist(config_checklist, arch)
         check_config_file(config_checklist, args.config)
         error_count = len(list(filter(lambda opt: opt.result.startswith('FAIL'), config_checklist)))
-- 
2.31.1