From 4707be6ded9016f349bab9d5dec266c4b15776a1 Mon Sep 17 00:00:00 2001 From: Alexander Popov Date: Mon, 3 Jun 2019 23:00:59 +0300 Subject: [PATCH] Attribute some of my recommendations to CLIP OS - part II They have a bigger authority :) Refers to the issue #19 by @HacKurx --- README.md | 10 +++++----- kconfig-hardened-check.py | 18 +++++++++--------- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index e6a01ad..60efeb7 100644 --- a/README.md +++ b/README.md @@ -95,6 +95,9 @@ CONFIG_DEBUG_VIRTUAL | y | clipos | self_protect CONFIG_STATIC_USERMODEHELPER | y | clipos | self_protection || FAIL: "is not set" CONFIG_SLAB_MERGE_DEFAULT | is not set | clipos | self_protection || FAIL: "y" CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE| is not set | clipos | self_protection ||FAIL: CONFIG_GCC_PLUGIN_RANDSTRUCT is needed +CONFIG_GCC_PLUGIN_STACKLEAK | y | clipos | self_protection || FAIL: not found +CONFIG_STACKLEAK_METRICS | is not set | clipos | self_protection ||FAIL: CONFIG_GCC_PLUGIN_STACKLEAK is needed +CONFIG_STACKLEAK_RUNTIME_DISABLE | is not set | clipos | self_protection ||FAIL: CONFIG_GCC_PLUGIN_STACKLEAK is needed CONFIG_RANDOM_TRUST_CPU | is not set | clipos | self_protection || OK: not found CONFIG_MICROCODE | y | clipos | self_protection || OK CONFIG_X86_MSR | y | clipos | self_protection || FAIL: "m" @@ -104,9 +107,6 @@ CONFIG_INTEL_IOMMU_SVM | y | clipos | self_protect CONFIG_INTEL_IOMMU_DEFAULT_ON | y | clipos | self_protection || FAIL: "is not set" CONFIG_AMD_IOMMU | y | my | self_protection || OK CONFIG_AMD_IOMMU_V2 | y | my | self_protection || FAIL: "m" -CONFIG_GCC_PLUGIN_STACKLEAK | y | my | self_protection || FAIL: not found -CONFIG_STACKLEAK_METRICS | is not set | my | self_protection ||FAIL: CONFIG_GCC_PLUGIN_STACKLEAK is needed -CONFIG_STACKLEAK_RUNTIME_DISABLE | is not set | my | self_protection ||FAIL: CONFIG_GCC_PLUGIN_STACKLEAK is needed CONFIG_SLUB_DEBUG_ON | y | my | self_protection || FAIL: "is not set" CONFIG_SECURITY_LOADPIN | y | my | self_protection || FAIL: "is not set" CONFIG_RESET_ATTACK_MITIGATION | y | my | self_protection || OK @@ -163,14 +163,14 @@ CONFIG_KALLSYMS | is not set | clipos | cut_attack_su CONFIG_X86_VSYSCALL_EMULATION | is not set | clipos | cut_attack_surface || FAIL: "y" CONFIG_MAGIC_SYSRQ | is not set | clipos | cut_attack_surface || FAIL: "y" CONFIG_KEXEC_FILE | is not set | clipos | cut_attack_surface || FAIL: "y" +CONFIG_USER_NS | is not set | clipos | cut_attack_surface || FAIL: "y" CONFIG_MMIOTRACE | is not set | my | cut_attack_surface || FAIL: "y" CONFIG_LIVEPATCH | is not set | my | cut_attack_surface || FAIL: "y" -CONFIG_USER_NS | is not set | my | cut_attack_surface || FAIL: "y" CONFIG_IP_DCCP | is not set | my | cut_attack_surface || FAIL: "m" CONFIG_IP_SCTP | is not set | my | cut_attack_surface || FAIL: "m" CONFIG_FTRACE | is not set | my | cut_attack_surface || FAIL: "y" CONFIG_BPF_JIT | is not set | my | cut_attack_surface || FAIL: "y" -CONFIG_ARCH_MMAP_RND_BITS | 32 | my |userspace_protection|| FAIL: "28" +CONFIG_ARCH_MMAP_RND_BITS | 32 | clipos |userspace_protection|| FAIL: "28" [+] config check is finished: 'OK' - 49 / 'FAIL' - 71 ``` diff --git a/kconfig-hardened-check.py b/kconfig-hardened-check.py index e10c345..75f8cfd 100755 --- a/kconfig-hardened-check.py +++ b/kconfig-hardened-check.py @@ -247,6 +247,13 @@ def construct_checklist(arch): checklist.append(OptCheck('SLAB_MERGE_DEFAULT', 'is not set', 'clipos', 'self_protection')) # slab_nomerge checklist.append(AND(OptCheck('GCC_PLUGIN_RANDSTRUCT_PERFORMANCE', 'is not set', 'clipos', 'self_protection'), \ randstruct_is_set)) + if debug_mode or arch == 'X86_64' or arch == 'ARM64' or arch == 'X86_32': + stackleak_is_set = OptCheck('GCC_PLUGIN_STACKLEAK', 'y', 'clipos', 'self_protection') + checklist.append(stackleak_is_set) + checklist.append(AND(OptCheck('STACKLEAK_METRICS', 'is not set', 'clipos', 'self_protection'), \ + stackleak_is_set)) + checklist.append(AND(OptCheck('STACKLEAK_RUNTIME_DISABLE','is not set', 'clipos', 'self_protection'), \ + stackleak_is_set)) if debug_mode or arch == 'X86_64' or arch == 'X86_32': checklist.append(OptCheck('RANDOM_TRUST_CPU', 'is not set', 'clipos', 'self_protection')) checklist.append(OptCheck('MICROCODE', 'y', 'clipos', 'self_protection')) # is needed for mitigating CPU bugs @@ -265,13 +272,6 @@ def construct_checklist(arch): iommu_support_is_set)) checklist.append(AND(OptCheck('AMD_IOMMU_V2', 'y', 'my', 'self_protection'), \ iommu_support_is_set)) - if debug_mode or arch == 'X86_64' or arch == 'ARM64' or arch == 'X86_32': - stackleak_is_set = OptCheck('GCC_PLUGIN_STACKLEAK', 'y', 'my', 'self_protection') - checklist.append(stackleak_is_set) - checklist.append(AND(OptCheck('STACKLEAK_METRICS', 'is not set', 'my', 'self_protection'), \ - stackleak_is_set)) - checklist.append(AND(OptCheck('STACKLEAK_RUNTIME_DISABLE','is not set', 'my', 'self_protection'), \ - stackleak_is_set)) checklist.append(OptCheck('SLUB_DEBUG_ON', 'y', 'my', 'self_protection')) checklist.append(OptCheck('SECURITY_LOADPIN', 'y', 'my', 'self_protection')) # needs userspace support checklist.append(OptCheck('RESET_ATTACK_MITIGATION', 'y', 'my', 'self_protection')) # needs userspace support (systemd) @@ -352,10 +352,10 @@ def construct_checklist(arch): checklist.append(OptCheck('X86_VSYSCALL_EMULATION', 'is not set', 'clipos', 'cut_attack_surface')) checklist.append(OptCheck('MAGIC_SYSRQ', 'is not set', 'clipos', 'cut_attack_surface')) checklist.append(OptCheck('KEXEC_FILE', 'is not set', 'clipos', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL (permissive) + checklist.append(OptCheck('USER_NS', 'is not set', 'clipos', 'cut_attack_surface')) # user.max_user_namespaces=0 checklist.append(OptCheck('MMIOTRACE', 'is not set', 'my', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL (permissive) checklist.append(OptCheck('LIVEPATCH', 'is not set', 'my', 'cut_attack_surface')) - checklist.append(OptCheck('USER_NS', 'is not set', 'my', 'cut_attack_surface')) # user.max_user_namespaces=0 checklist.append(OptCheck('IP_DCCP', 'is not set', 'my', 'cut_attack_surface')) checklist.append(OptCheck('IP_SCTP', 'is not set', 'my', 'cut_attack_surface')) checklist.append(OptCheck('FTRACE', 'is not set', 'my', 'cut_attack_surface')) @@ -366,7 +366,7 @@ def construct_checklist(arch): if debug_mode or arch == 'ARM64': checklist.append(OptCheck('ARM64_PTR_AUTH', 'y', 'defconfig', 'userspace_protection')) if debug_mode or arch == 'X86_64' or arch == 'ARM64': - checklist.append(OptCheck('ARCH_MMAP_RND_BITS', '32', 'my', 'userspace_protection')) + checklist.append(OptCheck('ARCH_MMAP_RND_BITS', '32', 'clipos', 'userspace_protection')) if debug_mode or arch == 'X86_32' or arch == 'ARM': checklist.append(OptCheck('ARCH_MMAP_RND_BITS', '16', 'my', 'userspace_protection')) -- 2.31.1