From 3ae203a86ebd069df6968752b2426773697b9c17 Mon Sep 17 00:00:00 2001
From: Alexander Popov
Date: Wed, 4 Jul 2018 21:08:21 +0300
Subject: [PATCH] Move some features to 'cut_attack_surface' category

STRICT_DEVMEM and IO_STRICT_DEVMEM, SECCOMP and SECCOMP_FILTER are not self protection features. They cut attack surface. I'm also not sure about SYN_COOKIES. Mark it with a comment.
---
 README.md | 10 +++++-----
 kconfig-hardened-check.py | 10 +++++-----
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/README.md b/README.md
index 21047ee..1ad19fe 100644
--- a/README.md
+++ b/README.md
@@ -51,13 +51,10 @@ Usage: ./kconfig-hardened-check.py [-p | -c ]
 CONFIG_SLAB_FREELIST_RANDOM | y | ubuntu18 | self_protection || OK
 CONFIG_HARDENED_USERCOPY | y | ubuntu18 | self_protection || OK
 CONFIG_FORTIFY_SOURCE | y | ubuntu18 | self_protection || OK
- CONFIG_STRICT_DEVMEM | y | ubuntu18 | self_protection || OK
- CONFIG_SYN_COOKIES | y | ubuntu18 | self_protection || OK
- CONFIG_SECCOMP | y | ubuntu18 | self_protection || OK
- CONFIG_SECCOMP_FILTER | y | ubuntu18 | self_protection || OK
 CONFIG_MODULE_SIG | y | ubuntu18 | self_protection || OK
 CONFIG_MODULE_SIG_ALL | y | ubuntu18 | self_protection || OK
 CONFIG_MODULE_SIG_SHA512 | y | ubuntu18 | self_protection || OK
+ CONFIG_SYN_COOKIES | y | ubuntu18 | self_protection || OK
 CONFIG_DEFAULT_MMAP_MIN_ADDR | 65536 | ubuntu18 | self_protection || OK
 CONFIG_BUG_ON_DATA_CORRUPTION | y | kspp | self_protection || FAIL: "is not set"
 CONFIG_PAGE_POISONING | y | kspp | self_protection || FAIL: "is not set"
@@ -66,7 +63,6 @@ Usage: ./kconfig-hardened-check.py [-p | -c ]
 CONFIG_GCC_PLUGIN_STRUCTLEAK | y | kspp | self_protection || FAIL: not found
 CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL | y | kspp | self_protection || FAIL: not found
 CONFIG_GCC_PLUGIN_LATENT_ENTROPY | y | kspp | self_protection || FAIL: not found
- CONFIG_IO_STRICT_DEVMEM | y | kspp | self_protection || FAIL: "is not set"
 CONFIG_REFCOUNT_FULL | y | kspp | self_protection || FAIL: "is not set"
 CONFIG_DEBUG_LIST | y | kspp | self_protection || FAIL: "is not set"
 CONFIG_DEBUG_SG | y | kspp | self_protection || FAIL: "is not set"
@@ -83,10 +79,14 @@ Usage: ./kconfig-hardened-check.py [-p | -c ]
 CONFIG_SECURITY | y | ubuntu18 | security_policy || OK
 CONFIG_SECURITY_YAMA | y | ubuntu18 | security_policy || OK
 CONFIG_SECURITY_SELINUX_DISABLE | is not set | ubuntu18 | security_policy || OK
+ CONFIG_SECCOMP | y | ubuntu18 | cut_attack_surface || OK
+ CONFIG_SECCOMP_FILTER | y | ubuntu18 | cut_attack_surface || OK
+ CONFIG_STRICT_DEVMEM | y | ubuntu18 | cut_attack_surface || OK
 CONFIG_ACPI_CUSTOM_METHOD | is not set | ubuntu18 | cut_attack_surface || OK
 CONFIG_COMPAT_BRK | is not set | ubuntu18 | cut_attack_surface || OK
 CONFIG_DEVKMEM | is not set | ubuntu18 | cut_attack_surface || OK
 CONFIG_COMPAT_VDSO | is not set | ubuntu18 | cut_attack_surface || OK
+ CONFIG_IO_STRICT_DEVMEM | y | kspp | cut_attack_surface || FAIL: "is not set"
 CONFIG_LEGACY_VSYSCALL_NONE | y | kspp | cut_attack_surface || FAIL: "is not set"
 CONFIG_BINFMT_MISC | is not set | kspp | cut_attack_surface || FAIL: "m"
 CONFIG_INET_DIAG | is not set | kspp | cut_attack_surface || FAIL: "m"
diff --git a/kconfig-hardened-check.py b/kconfig-hardened-check.py
index 111c1ca..183cbe3 100755
--- a/kconfig-hardened-check.py
+++ b/kconfig-hardened-check.py
@@ -46,13 +46,10 @@ def construct_opt_list():
 opt_list.append([Opt('SLAB_FREELIST_RANDOM', 'y', 'ubuntu18', 'self_protection'), ''])
 opt_list.append([Opt('HARDENED_USERCOPY', 'y', 'ubuntu18', 'self_protection'), ''])
 opt_list.append([Opt('FORTIFY_SOURCE', 'y', 'ubuntu18', 'self_protection'), ''])
- opt_list.append([Opt('STRICT_DEVMEM', 'y', 'ubuntu18', 'self_protection'), ''])
- opt_list.append([Opt('SYN_COOKIES', 'y', 'ubuntu18', 'self_protection'), ''])
- opt_list.append([Opt('SECCOMP', 'y', 'ubuntu18', 'self_protection'), ''])
- opt_list.append([Opt('SECCOMP_FILTER', 'y', 'ubuntu18', 'self_protection'), ''])
 opt_list.append([Opt('MODULE_SIG', 'y', 'ubuntu18', 'self_protection'), ''])
 opt_list.append([Opt('MODULE_SIG_ALL', 'y', 'ubuntu18', 'self_protection'), ''])
 opt_list.append([Opt('MODULE_SIG_SHA512', 'y', 'ubuntu18', 'self_protection'), ''])
+ opt_list.append([Opt('SYN_COOKIES', 'y', 'ubuntu18', 'self_protection'), '']) # another reason?
 opt_list.append([Opt('DEFAULT_MMAP_MIN_ADDR', '65536', 'ubuntu18', 'self_protection'), ''])
 opt_list.append([Opt('BUG_ON_DATA_CORRUPTION', 'y', 'kspp', 'self_protection'), ''])
@@ -62,7 +59,6 @@ def construct_opt_list():
 opt_list.append([Opt('GCC_PLUGIN_STRUCTLEAK', 'y', 'kspp', 'self_protection'), ''])
 opt_list.append([Opt('GCC_PLUGIN_STRUCTLEAK_BYREF_ALL', 'y', 'kspp', 'self_protection'), ''])
 opt_list.append([Opt('GCC_PLUGIN_LATENT_ENTROPY', 'y', 'kspp', 'self_protection'), ''])
- opt_list.append([Opt('IO_STRICT_DEVMEM', 'y', 'kspp', 'self_protection'), ''])
 opt_list.append([Opt('REFCOUNT_FULL', 'y', 'kspp', 'self_protection'), ''])
 opt_list.append([Opt('DEBUG_LIST', 'y', 'kspp', 'self_protection'), ''])
 opt_list.append([Opt('DEBUG_SG', 'y', 'kspp', 'self_protection'), ''])
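Review bot: The `# another reason?` comment on the re-added SYN_COOKIES line records that the author has a doubt but not what it is, so the next reader cannot resolve it; the commit message ("not sure about SYN_COOKIES") explains more than the code does. SYN cookies are a SYN-flood denial-of-service mitigation rather than a memory-safety hardening like the neighbouring HARDENED_USERCOPY and FORTIFY_SOURCE entries, so the comment should state that, e.g. `# SYN-flood (DoS) mitigation; fits neither self_protection nor cut_attack_surface well — TODO settle category`. Note the entry also moved from before MODULE_SIG to after MODULE_SIG_SHA512, which reorders the report output; that looks deliberate but the message does not say so. construct_opt_list starts and ends outside this hunk.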
@@ -82,11 +78,15 @@ def construct_opt_list():
 opt_list.append([Opt('SECURITY_YAMA', 'y', 'ubuntu18', 'security_policy'), ''])
 opt_list.append([Opt('SECURITY_SELINUX_DISABLE', 'is not set', 'ubuntu18', 'security_policy'), ''])
+ opt_list.append([Opt('SECCOMP', 'y', 'ubuntu18', 'cut_attack_surface'), ''])
+ opt_list.append([Opt('SECCOMP_FILTER', 'y', 'ubuntu18', 'cut_attack_surface'), ''])
+ opt_list.append([Opt('STRICT_DEVMEM', 'y', 'ubuntu18', 'cut_attack_surface'), ''])
 opt_list.append([Opt('ACPI_CUSTOM_METHOD', 'is not set', 'ubuntu18', 'cut_attack_surface'), ''])
 opt_list.append([Opt('COMPAT_BRK', 'is not set', 'ubuntu18', 'cut_attack_surface'), ''])
 opt_list.append([Opt('DEVKMEM', 'is not set', 'ubuntu18', 'cut_attack_surface'), ''])
 opt_list.append([Opt('COMPAT_VDSO', 'is not set', 'ubuntu18', 'cut_attack_surface'), ''])
+ opt_list.append([Opt('IO_STRICT_DEVMEM', 'y', 'kspp', 'cut_attack_surface'), ''])
 opt_list.append([Opt('LEGACY_VSYSCALL_NONE', 'y', 'kspp', 'cut_attack_surface'), '']) # 'vsyscall=none'
 opt_list.append([Opt('BINFMT_MISC', 'is not set', 'kspp', 'cut_attack_surface'), ''])
 opt_list.append([Opt('INET_DIAG', 'is not set', 'kspp', 'cut_attack_surface'), ''])
-- 
2.31.1
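Review bot: SECCOMP and SECCOMP_FILTER enable an opt-in facility that userspace must use to restrict its own syscalls, whereas the other cut_attack_surface entries here (DEVKMEM, COMPAT_VDSO, ACPI_CUSTOM_METHOD, IO_STRICT_DEVMEM) remove or restrict a kernel interface outright, so grouping them together is debatable; the existing security_policy bucket that already holds SECURITY_YAMA looks like the closer fit, or the choice deserves a comment. If they stay here, something like `# surface is cut only once userspace installs filters` on the SECCOMP_FILTER line would make the intent explicit. IO_STRICT_DEVMEM builds on STRICT_DEVMEM, so placing it next to STRICT_DEVMEM rather than four entries later would also read better, though the 'kspp' vs 'ubuntu18' attribution may be why they are split. construct_opt_list starts and ends outside this hunk, and the hunk's line counts (-82,11 +78,15) suggest a couple of context lines are not shown here.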