From f58e98ef1d6ab91602b688565daf98633855439d Mon Sep 17 00:00:00 2001
From: Alexander Popov
Date: Wed, 4 Jul 2018 12:29:39 +0300
Subject: [PATCH] More decisions on kernel options

---
 README.md | 7 ++++++-
 kconfig-hardened-check.py | 8 ++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 8fdd80c..21047ee 100644
--- a/README.md
+++ b/README.md
@@ -41,6 +41,7 @@ Usage: ./kconfig-hardened-check.py [-p | -c ]
 CONFIG_DEBUG_WX | y | ubuntu18 | self_protection || OK
 CONFIG_RANDOMIZE_BASE | y | ubuntu18 | self_protection || OK
 CONFIG_RANDOMIZE_MEMORY | y | ubuntu18 | self_protection || OK
+ CONFIG_CC_STACKPROTECTOR | y | ubuntu18 | self_protection || OK
 CONFIG_CC_STACKPROTECTOR_STRONG | y | ubuntu18 | self_protection || OK
 CONFIG_VMAP_STACK | y | ubuntu18 | self_protection || OK
 CONFIG_THREAD_INFO_IN_TASK | y | ubuntu18 | self_protection || OK
@@ -77,6 +78,8 @@ Usage: ./kconfig-hardened-check.py [-p | -c ]
 CONFIG_SLUB_DEBUG_ON | y | my | self_protection || FAIL: "is not set"
 CONFIG_SECURITY_DMESG_RESTRICT | y | my | self_protection || FAIL: "is not set"
 CONFIG_STATIC_USERMODEHELPER | y | my | self_protection || FAIL: "is not set"
+ CONFIG_PAGE_POISONING_NO_SANITY | is not set | my | self_protection || FAIL: not found
+ CONFIG_PAGE_POISONING_ZERO | is not set | my | self_protection || FAIL: not found
 CONFIG_SECURITY | y | ubuntu18 | security_policy || OK
 CONFIG_SECURITY_YAMA | y | ubuntu18 | security_policy || OK
 CONFIG_SECURITY_SELINUX_DISABLE | is not set | ubuntu18 | security_policy || OK
@@ -93,6 +96,7 @@ Usage: ./kconfig-hardened-check.py [-p | -c ]
 CONFIG_IA32_EMULATION | is not set | kspp | cut_attack_surface || FAIL: "y"
 CONFIG_X86_X32 | is not set | kspp | cut_attack_surface || FAIL: "y"
 CONFIG_MODIFY_LDT_SYSCALL | is not set | kspp | cut_attack_surface || FAIL: "y"
+ CONFIG_HIBERNATION | is not set | kspp | cut_attack_surface || FAIL: "y"
 CONFIG_KEXEC_FILE | is not set | my | cut_attack_surface || FAIL: "y"
 CONFIG_LIVEPATCH | is not set | my | cut_attack_surface || FAIL: "y"
 CONFIG_USER_NS | is not set | my | cut_attack_surface || FAIL: "y"
@@ -104,9 +108,10 @@ Usage: ./kconfig-hardened-check.py [-p | -c ]
 CONFIG_UPROBES | is not set | my | cut_attack_surface || FAIL: "y"
 CONFIG_BPF_JIT | is not set | my | cut_attack_surface || FAIL: "y"
 CONFIG_BPF_SYSCALL | is not set | my | cut_attack_surface || FAIL: "y"
+ CONFIG_ARCH_MMAP_RND_BITS | 32 | my |userspace_protection|| FAIL: "28"
 CONFIG_LKDTM | m | my | feature_test || FAIL: "is not set"
-[-] config check is NOT PASSED: 40 errors
+[-] config check is NOT PASSED: 44 errors
 ```
 __Go and fix them all!__
diff --git a/kconfig-hardened-check.py b/kconfig-hardened-check.py
index e784d07..111c1ca 100755
--- a/kconfig-hardened-check.py
+++ b/kconfig-hardened-check.py
@@ -36,6 +36,7 @@ def construct_opt_list():
 opt_list.append([Opt('DEBUG_WX', 'y', 'ubuntu18', 'self_protection'), ''])
 opt_list.append([Opt('RANDOMIZE_BASE', 'y', 'ubuntu18', 'self_protection'), ''])
 opt_list.append([Opt('RANDOMIZE_MEMORY', 'y', 'ubuntu18', 'self_protection'), ''])
+ opt_list.append([Opt('CC_STACKPROTECTOR', 'y', 'ubuntu18', 'self_protection'), ''])
 opt_list.append([Opt('CC_STACKPROTECTOR_STRONG','y', 'ubuntu18', 'self_protection'), ''])
 opt_list.append([Opt('VMAP_STACK', 'y', 'ubuntu18', 'self_protection'), ''])
 opt_list.append([Opt('THREAD_INFO_IN_TASK', 'y', 'ubuntu18', 'self_protection'), ''])
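Review bot: The new `CC_STACKPROTECTOR` entry, like the `CC_STACKPROTECTOR_STRONG` line beside it, is pinned to the pre-4.18 Kconfig symbol name; upstream renamed these symbols to `STACKPROTECTOR` and `STACKPROTECTOR_STRONG` in Linux 4.18, so configs from newer kernels will report both as missing rather than as a genuine regression. A comment on the new line, `# renamed to STACKPROTECTOR in 4.18`, or an option entry that accepts either symbol name would keep the check meaningful across kernel versions. The lookup that produces the not-found result lives outside this hunk, so that part is inferred from the README output in this same commit. construct_opt_list() begins and ends outside the hunk.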
@@ -69,10 +70,13 @@ def construct_opt_list():
 opt_list.append([Opt('DEBUG_NOTIFIERS', 'y', 'kspp', 'self_protection'), ''])
 opt_list.append([Opt('MODULE_SIG_FORCE', 'y', 'kspp', 'self_protection'), ''])
 opt_list.append([Opt('HARDENED_USERCOPY_FALLBACK', 'is not set', 'kspp', 'self_protection'), ''])
+ opt_list.append([Opt('GCC_PLUGIN_STACKLEAK', 'y', 'my', 'self_protection'), ''])
 opt_list.append([Opt('SLUB_DEBUG_ON', 'y', 'my', 'self_protection'), ''])
 opt_list.append([Opt('SECURITY_DMESG_RESTRICT', 'y', 'my', 'self_protection'), ''])
 opt_list.append([Opt('STATIC_USERMODEHELPER', 'y', 'my', 'self_protection'), '']) # breaks systemd?
+ opt_list.append([Opt('PAGE_POISONING_NO_SANITY', 'is not set', 'my', 'self_protection'), ''])
+ opt_list.append([Opt('PAGE_POISONING_ZERO', 'is not set', 'my', 'self_protection'), ''])
 opt_list.append([Opt('SECURITY', 'y', 'ubuntu18', 'security_policy'), ''])
 opt_list.append([Opt('SECURITY_YAMA', 'y', 'ubuntu18', 'security_policy'), ''])
@@ -92,6 +96,8 @@ def construct_opt_list():
 opt_list.append([Opt('IA32_EMULATION', 'is not set', 'kspp', 'cut_attack_surface'), ''])
 opt_list.append([Opt('X86_X32', 'is not set', 'kspp', 'cut_attack_surface'), ''])
 opt_list.append([Opt('MODIFY_LDT_SYSCALL', 'is not set', 'kspp', 'cut_attack_surface'), ''])
+ opt_list.append([Opt('HIBERNATION', 'is not set', 'kspp', 'cut_attack_surface'), ''])
+
 opt_list.append([Opt('KEXEC_FILE', 'is not set', 'my', 'cut_attack_surface'), ''])
 opt_list.append([Opt('LIVEPATCH', 'is not set', 'my', 'cut_attack_surface'), ''])
 opt_list.append([Opt('USER_NS', 'is not set', 'my', 'cut_attack_surface'), '']) # user.max_user_namespaces=0
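Review bot: The two new `PAGE_POISONING_*` expectations are `is not set`, yet the README regenerated in this same commit shows them reporting `FAIL: not found`, so a config with page poisoning switched off entirely — presumably the state these entries are meant to accept — is counted as an error. If the comparison elsewhere in the script treats a missing symbol as a failure regardless of the expected value, these entries only make sense alongside a `PAGE_POISONING` `y` check, which I do not see in this hunk; otherwise a trailing comment in the file's existing style, `# only meaningful when PAGE_POISONING is enabled`, would record the dependency. `GCC_PLUGIN_STACKLEAK` also appears nowhere in the README output touched by this commit, so the sample output there looks out of step with the option list. construct_opt_list() begins and ends outside the hunk.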
@@ -104,6 +110,8 @@ def construct_opt_list():
 opt_list.append([Opt('BPF_JIT', 'is not set', 'my', 'cut_attack_surface'), ''])
 opt_list.append([Opt('BPF_SYSCALL', 'is not set', 'my', 'cut_attack_surface'), ''])
+ opt_list.append([Opt('ARCH_MMAP_RND_BITS', '32', 'my', 'userspace_protection'), ''])
+
 opt_list.append([Opt('LKDTM', 'm', 'my', 'feature_test'), ''])
--
2.31.1
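Review bot: The expected value `'32'` for `ARCH_MMAP_RND_BITS` is the x86_64 maximum, and the valid range of this symbol differs by architecture, so on other targets the check will fail against a value that is already at its maximum; a trailing comment such as `# x86_64 maximum; arch-specific`, matching the notes already on the `STATIC_USERMODEHELPER` and `USER_NS` entries, would make the assumption visible. This line also introduces the `userspace_protection` decision category, and the README output in this commit prints it as `|userspace_protection||` with no padding, which suggests the category column width in the reporting code (outside this hunk) is too narrow for the new name. construct_opt_list() begins outside the hunk.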