From 5c67369249f22690efe4c96c54ef6b0bd0496c13 Mon Sep 17 00:00:00 2001 From: Alexander Popov Date: Fri, 10 Jan 2020 17:41:14 +0300 Subject: [PATCH] Take some ideas from NixOS/nixpkgs hardened kernel config Add CONFIG_SECURITY_SAFESETID (y) and CONFIG_SECURITY_WRITABLE_HOOKS (n). Refers to the pull request #27. --- README.md | 4 +++- kconfig-hardened-check.py | 2 ++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index b0074b6..c5fdfb1 100644 --- a/README.md +++ b/README.md @@ -115,11 +115,13 @@ CONFIG_PAGE_POISONING_NO_SANITY | is not set | my | self_pr CONFIG_PAGE_POISONING_ZERO | is not set | my | self_protection | FAIL: CONFIG_PAGE_POISONING is needed CONFIG_AMD_IOMMU_V2 | y | my | self_protection | FAIL: "m" CONFIG_SECURITY | y |defconfig | security_policy | OK +CONFIG_SECURITY_WRITABLE_HOOKS | is not set |defconfig | security_policy | OK CONFIG_SECURITY_YAMA | y | kspp | security_policy | OK CONFIG_SECURITY_LOADPIN | y | my | security_policy | FAIL: "is not set" CONFIG_SECURITY_LOCKDOWN_LSM | y | my | security_policy | FAIL: not found CONFIG_SECURITY_LOCKDOWN_LSM_EARLY | y | my | security_policy | FAIL: not found CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY| y | my | security_policy | FAIL: not found +CONFIG_SECURITY_SAFESETID | y | my | security_policy | FAIL: not found CONFIG_SECCOMP | y |defconfig | cut_attack_surface | OK CONFIG_SECCOMP_FILTER | y |defconfig | cut_attack_surface | OK CONFIG_STRICT_DEVMEM | y |defconfig | cut_attack_surface | OK @@ -178,7 +180,7 @@ CONFIG_FTRACE | is not set | my | cut_atta CONFIG_BPF_JIT | is not set | my | cut_attack_surface | FAIL: "y" CONFIG_ARCH_MMAP_RND_BITS | 32 | clipos |userspace_hardening | FAIL: "28" -[+] config check is finished: 'OK' - 48 / 'FAIL' - 75 +[+] config check is finished: 'OK' - 49 / 'FAIL' - 76 ``` ## kconfig-hardened-check versioning diff --git a/kconfig-hardened-check.py b/kconfig-hardened-check.py index f9f412e..2448717 100755 --- a/kconfig-hardened-check.py 
+++ b/kconfig-hardened-check.py @@ -301,11 +301,13 @@ def construct_checklist(checklist, arch): checklist.append(OptCheck('SECURITY', 'y', 'defconfig', 'security_policy')) # and choose your favourite LSM if debug_mode or arch == 'ARM': checklist.append(OptCheck('SECURITY', 'y', 'kspp', 'security_policy')) # and choose your favourite LSM + checklist.append(OptCheck('SECURITY_WRITABLE_HOOKS', 'is not set', 'defconfig', 'security_policy')) checklist.append(OptCheck('SECURITY_YAMA', 'y', 'kspp', 'security_policy')) checklist.append(OptCheck('SECURITY_LOADPIN', 'y', 'my', 'security_policy')) # needs userspace support checklist.append(OptCheck('SECURITY_LOCKDOWN_LSM', 'y', 'my', 'security_policy')) checklist.append(OptCheck('SECURITY_LOCKDOWN_LSM_EARLY', 'y', 'my', 'security_policy')) checklist.append(OptCheck('LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY', 'y', 'my', 'security_policy')) + checklist.append(OptCheck('SECURITY_SAFESETID', 'y', 'my', 'security_policy')) checklist.append(OptCheck('SECCOMP', 'y', 'defconfig', 'cut_attack_surface')) checklist.append(OptCheck('SECCOMP_FILTER', 'y', 'defconfig', 'cut_attack_surface')) -- 2.31.1
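Review bot: The new `SECURITY_SAFESETID` check only confirms that the LSM is compiled in; SafeSetID does nothing unless it is also enabled in `CONFIG_LSM` (or via `lsm=` on the command line) and a UID/GID transition policy is written to its securityfs interface from userspace, so a `y` here does not by itself mean setuid transitions are constrained. The `SECURITY_LOADPIN` entry a few lines above already flags exactly this situation with `# needs userspace support`; the SAFESETID line deserves the same marker, e.g. `checklist.append(OptCheck('SECURITY_SAFESETID', 'y', 'my', 'security_policy')) # needs userspace support (policy via securityfs)`. `SECURITY_WRITABLE_HOOKS` is, I believe, not a user-selectable symbol but one selected by `CONFIG_SECURITY_SELINUX_DISABLE`, so a FAIL on that check can only be fixed by turning off SELinux runtime disabling — a trailing comment such as `# selected by SECURITY_SELINUX_DISABLE` would point users at the real knob. `construct_checklist` starts before and continues after this hunk.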