From cf03f175c0ddfd45f8967b217791bb945dcac910 Mon Sep 17 00:00:00 2001
From: Alexander Popov
Date: Sat, 9 Mar 2024 21:16:30 +0300
Subject: [PATCH] Use 3 numbers in the VersionCheck constructor Refers to #88, #89, #97
---
 kernel_hardening_checker/checks.py | 12 ++++++------
 kernel_hardening_checker/engine.py | 2 +-
 kernel_hardening_checker/test_engine.py | 10 +++++-----
 3 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py
index b5ed925..0290b0b 100644
--- a/kernel_hardening_checker/checks.py
+++ b/kernel_hardening_checker/checks.py
@@ -52,7 +52,7 @@ def add_kconfig_checks(l, arch):
 KconfigCheck('self_protection', 'defconfig', 'DEBUG_SET_MODULE_RONX', 'y'),
 modules_not_set)] # DEBUG_SET_MODULE_RONX was before v4.11
 l += [OR(KconfigCheck('self_protection', 'defconfig', 'REFCOUNT_FULL', 'y'),
- VersionCheck((5, 5)))] # REFCOUNT_FULL is enabled by default since v5.5
+ VersionCheck((5, 5, 0)))] # REFCOUNT_FULL is enabled by default since v5.5
 l += [OR(KconfigCheck('self_protection', 'defconfig', 'INIT_STACK_ALL_ZERO', 'y'),
 KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_STRUCTLEAK_BYREF_ALL', 'y'))]
 if arch in ('X86_64', 'ARM64', 'X86_32'):
@@ -73,12 +73,12 @@ def add_kconfig_checks(l, arch):
 l += [microcode_is_set] # is needed for mitigating CPU bugs
 l += [OR(KconfigCheck('self_protection', 'defconfig', 'MICROCODE_INTEL', 'y'),
 AND(microcode_is_set,
- VersionCheck((6, 6))))] # MICROCODE_INTEL was included in MICROCODE since v6.6
+ VersionCheck((6, 6, 0))))] # MICROCODE_INTEL was included in MICROCODE since v6.6
 l += [OR(KconfigCheck('self_protection', 'defconfig', 'MICROCODE_AMD', 'y'),
 AND(microcode_is_set,
- VersionCheck((6, 6))))] # MICROCODE_AMD was included in MICROCODE since v6.6
+ VersionCheck((6, 6, 0))))] # MICROCODE_AMD was included in MICROCODE since v6.6
 l += [OR(KconfigCheck('self_protection', 'defconfig', 'X86_SMAP', 'y'),
- VersionCheck((5, 19)))] # X86_SMAP is enabled by default since v5.19
+ VersionCheck((5, 19, 0)))] # X86_SMAP is enabled by default since v5.19
 l += [OR(KconfigCheck('self_protection', 'defconfig', 'X86_UMIP', 'y'),
 KconfigCheck('self_protection', 'defconfig', 'X86_INTEL_UMIP', 'y'))]
 if arch in ('ARM64', 'ARM'):
@@ -108,9 +108,9 @@ def add_kconfig_checks(l, arch):
 l += [KconfigCheck('self_protection', 'defconfig', 'RANDOMIZE_MODULE_REGION_FULL', 'y')]
 l += [OR(KconfigCheck('self_protection', 'defconfig', 'HARDEN_EL2_VECTORS', 'y'),
 AND(KconfigCheck('self_protection', 'defconfig', 'RANDOMIZE_BASE', 'y'),
- VersionCheck((5, 9))))] # HARDEN_EL2_VECTORS was included in RANDOMIZE_BASE in v5.9
+ VersionCheck((5, 9, 0))))] # HARDEN_EL2_VECTORS was included in RANDOMIZE_BASE in v5.9
 l += [OR(KconfigCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_PREDICTOR', 'y'),
- VersionCheck((5, 10)))] # HARDEN_BRANCH_PREDICTOR is enabled by default since v5.10
+ VersionCheck((5, 10, 0)))] # HARDEN_BRANCH_PREDICTOR is enabled by default since v5.10
 if arch == 'ARM':
 l += [KconfigCheck('self_protection', 'defconfig', 'CPU_SW_DOMAIN_PAN', 'y')]
 l += [KconfigCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_PREDICTOR', 'y')]
diff --git a/kernel_hardening_checker/engine.py b/kernel_hardening_checker/engine.py
index 52ae761..f52c446 100644
--- a/kernel_hardening_checker/engine.py
+++ b/kernel_hardening_checker/engine.py
@@ -129,7 +129,7 @@ class SysctlCheck(OptCheck):
 class VersionCheck:
 def __init__(self, ver_expected):
- assert(ver_expected and isinstance(ver_expected, tuple) and len(ver_expected) == 2), \
+ assert(ver_expected and isinstance(ver_expected, tuple) and len(ver_expected) == 3), \
 f'invalid version "{ver_expected}" for VersionCheck'
 self.ver_expected = ver_expected
 self.ver = ()
diff --git a/kernel_hardening_checker/test_engine.py b/kernel_hardening_checker/test_engine.py
index 44dbd45..4c0a7da 100644
--- a/kernel_hardening_checker/test_engine.py
+++ b/kernel_hardening_checker/test_engine.py
@@ -370,13 +370,13 @@ class TestEngine(unittest.TestCase):
 # 1. prepare the checklist
 config_checklist = []
 config_checklist += [OR(KconfigCheck('reason_1', 'decision_1', 'NAME_1', 'expected_1'),
- VersionCheck((41, 101)))]
+ VersionCheck((41, 101, 0)))]
 config_checklist += [AND(KconfigCheck('reason_2', 'decision_2', 'NAME_2', 'expected_2'),
- VersionCheck((44, 1)))]
+ VersionCheck((44, 1, 0)))]
 config_checklist += [AND(KconfigCheck('reason_3', 'decision_3', 'NAME_3', 'expected_3'),
- VersionCheck((42, 44)))]
+ VersionCheck((42, 44, 0)))]
 config_checklist += [OR(KconfigCheck('reason_4', 'decision_4', 'NAME_4', 'expected_4'),
- VersionCheck((42, 43)))]
+ VersionCheck((42, 43, 0)))]
 # 2. prepare the parsed kconfig options
 parsed_kconfig_options = OrderedDict()
@@ -384,7 +384,7 @@ class TestEngine(unittest.TestCase):
 parsed_kconfig_options['CONFIG_NAME_3'] = 'expected_3'
 # 3. prepare the kernel version
- kernel_version = (42, 43)
+ kernel_version = (42, 43, 0)
 # 4. run the engine
 self.run_engine(config_checklist, parsed_kconfig_options, None, None, kernel_version)
-- 
2.31.1
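Review bot: The assertion in `VersionCheck.__init__` now requires a 3-tuple but still does not validate the elements, so a value such as `(5, '5', 0)` (constructed example) passes construction and only misbehaves when it is compared later. Consider adding `and all(isinstance(v, int) and v >= 0 for v in ver_expected)` to the condition. The code that fills `self.ver` and performs the comparison lies outside this hunk; if it still looks only at the first two components, the new third number is silently ignored. That matters here because a wrong `OK` from a version gate in a hardening checker hides a missing mitigation. Since `assert` is stripped under `python -O`, a short comment stating that this guard is a developer invariant rather than input validation would also help.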
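Review bot: Every version in the updated test uses `0` as the third number, both in the four `VersionCheck(...)` entries of the first hunk and in `kernel_version = (42, 43, 0)` in the second, so the test passes whether or not the third component is ever compared. Add a case where expected and actual differ only in the last number, for example `VersionCheck((42, 43, 1))` against `kernel_version = (42, 43, 0)`, with the result you intend for it. A case asserting that a two-element tuple such as `VersionCheck((42, 43))` now raises `AssertionError` would pin the constructor change itself. The test method starts before the first hunk and ends after the second, so its expected-results section is not visible here.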