From 406370ec8a446fcbfed32633da8437fa911b0a37 Mon Sep 17 00:00:00 2001 From: Alexander Popov Date: Tue, 9 Nov 2021 21:05:09 +0300 Subject: [PATCH 01/16] Simplify the check about PTDUMP_DEBUGFS (I was correct) --- kconfig_hardened_check/__init__.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py index b8b8e69..18ba353 100644 --- a/kconfig_hardened_check/__init__.py +++ b/kconfig_hardened_check/__init__.py @@ -532,8 +532,7 @@ def construct_checklist(l, arch): l += [OptCheck('cut_attack_surface', 'grsecurity', 'KCOV', 'is not set')] l += [OptCheck('cut_attack_surface', 'grsecurity', 'PROVIDE_OHCI1394_DMA_INIT', 'is not set')] l += [OptCheck('cut_attack_surface', 'grsecurity', 'SUNRPC_DEBUG', 'is not set')] - l += [AND(OptCheck('cut_attack_surface', 'grsecurity', 'X86_PTDUMP', 'is not set'), - OptCheck('cut_attack_surface', 'my', 'PTDUMP_DEBUGFS', 'is not set'))] + l += [OptCheck('cut_attack_surface', 'grsecurity', 'PTDUMP_DEBUGFS', 'is not set')] # 'cut_attack_surface', 'maintainer' l += [OptCheck('cut_attack_surface', 'maintainer', 'DRM_LEGACY', 'is not set')] # recommended by Daniel Vetter in /issues/38 -- 2.31.1 From 96770e5bca7df5bfcf09b8159149fafc659a87e4 Mon Sep 17 00:00:00 2001 From: Alexander Popov Date: Tue, 9 Nov 2021 21:29:10 +0300 Subject: [PATCH 02/16] Keep the old X86_PTDUMP check as a backup --- kconfig_hardened_check/__init__.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py index 18ba353..e1f9082 100644 --- a/kconfig_hardened_check/__init__.py +++ b/kconfig_hardened_check/__init__.py 
@@ -532,7 +532,8 @@ def construct_checklist(l, arch): l += [OptCheck('cut_attack_surface', 'grsecurity', 'KCOV', 'is not set')] l += [OptCheck('cut_attack_surface', 'grsecurity', 'PROVIDE_OHCI1394_DMA_INIT', 'is not set')] l += [OptCheck('cut_attack_surface', 'grsecurity', 'SUNRPC_DEBUG', 'is not set')] - l += [OptCheck('cut_attack_surface', 'grsecurity', 'PTDUMP_DEBUGFS', 'is not set')] + l += [AND(OptCheck('cut_attack_surface', 'grsecurity', 'PTDUMP_DEBUGFS', 'is not set'), + OptCheck('cut_attack_surface', 'grsecurity', 'X86_PTDUMP', 'is not set'))] # 'cut_attack_surface', 'maintainer' l += [OptCheck('cut_attack_surface', 'maintainer', 'DRM_LEGACY', 'is not set')] # recommended by Daniel Vetter in /issues/38 -- 2.31.1 From 7cfd2088266176e7dcd7bcf4b4eae9734fff7a92 Mon Sep 17 00:00:00 2001 From: Alexander Popov Date: Tue, 9 Nov 2021 21:59:43 +0300 Subject: [PATCH 03/16] Update the README (a lot of new checks appeared) --- README.md | 30 +++++++++++++++++++++++++----- 1 file changed, 25 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 09f0151..f45b1f8 100644 --- a/README.md +++ b/README.md 
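Review bot: The restored AND on the PTDUMP_DEBUGFS line gives no hint of why two differently named options are checked together, and the default report prints only the first operand of a complex check (the README hunk later in this series lists just `CONFIG_PTDUMP_DEBUGFS ... OK: not found` for the Focal config, where the option that actually exists is X86_PTDUMP). A trailing comment in the style this file already uses (`# DEBUG_SET_MODULE_RONX was before v4.11`) would keep that context with the code, e.g. `OptCheck('cut_attack_surface', 'grsecurity', 'X86_PTDUMP', 'is not set'))] # X86_PTDUMP is the old name of PTDUMP_DEBUGFS`. construct_checklist begins outside the hunk.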
@@ -166,9 +166,13 @@ CONFIG_ZSMALLOC_STAT | is not set |grsecurity| cut_atta
 CONFIG_PAGE_OWNER | is not set |grsecurity| cut_attack_surface | OK
 CONFIG_DEBUG_KMEMLEAK | is not set |grsecurity| cut_attack_surface | OK
 CONFIG_BINFMT_AOUT | is not set |grsecurity| cut_attack_surface | OK: not found
-CONFIG_KPROBES | is not set |grsecurity| cut_attack_surface | FAIL: "y"
-CONFIG_UPROBES | is not set |grsecurity| cut_attack_surface | FAIL: "y"
+CONFIG_KPROBE_EVENTS | is not set |grsecurity| cut_attack_surface | FAIL: "y"
+CONFIG_UPROBE_EVENTS | is not set |grsecurity| cut_attack_surface | FAIL: "y"
 CONFIG_GENERIC_TRACER | is not set |grsecurity| cut_attack_surface | FAIL: "y"
+CONFIG_FUNCTION_TRACER | is not set |grsecurity| cut_attack_surface | FAIL: "y"
+CONFIG_STACK_TRACER | is not set |grsecurity| cut_attack_surface | FAIL: "y"
+CONFIG_HIST_TRIGGERS | is not set |grsecurity| cut_attack_surface | FAIL: "y"
+CONFIG_BLK_DEV_IO_TRACE | is not set |grsecurity| cut_attack_surface | FAIL: "y"
 CONFIG_PROC_VMCORE | is not set |grsecurity| cut_attack_surface | FAIL: "y"
 CONFIG_PROC_PAGE_MONITOR | is not set |grsecurity| cut_attack_surface | FAIL: "y"
 CONFIG_USELIB | is not set |grsecurity| cut_attack_surface | FAIL: "y"
@@ -179,7 +183,23 @@ CONFIG_MEM_SOFT_DIRTY | is not set |grsecurity| cut_atta
 CONFIG_DEVPORT | is not set |grsecurity| cut_attack_surface | FAIL: "y"
 CONFIG_DEBUG_FS | is not set |grsecurity| cut_attack_surface | FAIL: "y"
 CONFIG_NOTIFIER_ERROR_INJECTION | is not set |grsecurity| cut_attack_surface | FAIL: "m"
-CONFIG_X86_PTDUMP | is not set |grsecurity| cut_attack_surface | OK
+CONFIG_FAIL_FUTEX | is not set |grsecurity| cut_attack_surface | OK: not found
+CONFIG_PUNIT_ATOM_DEBUG | is not set |grsecurity| cut_attack_surface | FAIL: "m"
+CONFIG_ACPI_CONFIGFS | is not set |grsecurity| cut_attack_surface | FAIL: "m"
+CONFIG_EDAC_DEBUG | is not set |grsecurity| cut_attack_surface | OK
+CONFIG_DRM_I915_DEBUG | is not set |grsecurity| cut_attack_surface | OK
+CONFIG_BCACHE_CLOSURES_DEBUG | is not set |grsecurity| cut_attack_surface | OK
+CONFIG_DVB_C8SECTPFE | is not set |grsecurity| cut_attack_surface | OK: not found
+CONFIG_MTD_SLRAM | is not set |grsecurity| cut_attack_surface | FAIL: "m"
+CONFIG_MTD_PHRAM | is not set |grsecurity| cut_attack_surface | FAIL: "m"
+CONFIG_IO_URING | is not set |grsecurity| cut_attack_surface | FAIL: "y"
+CONFIG_KCMP | is not set |grsecurity| cut_attack_surface | OK: not found
+CONFIG_RSEQ | is not set |grsecurity| cut_attack_surface | FAIL: "y"
+CONFIG_LATENCYTOP | is not set |grsecurity| cut_attack_surface | OK
+CONFIG_KCOV | is not set |grsecurity| cut_attack_surface | OK
+CONFIG_PROVIDE_OHCI1394_DMA_INIT | is not set |grsecurity| cut_attack_surface | OK
+CONFIG_SUNRPC_DEBUG | is not set |grsecurity| cut_attack_surface | FAIL: "y"
+CONFIG_PTDUMP_DEBUGFS | is not set |grsecurity| cut_attack_surface | OK: not found
 CONFIG_DRM_LEGACY | is not set |maintainer| cut_attack_surface | OK
 CONFIG_FB | is not set |maintainer| cut_attack_surface | FAIL: "y"
 CONFIG_VT | is not set |maintainer| cut_attack_surface | FAIL: "y"
@@ -194,7 +214,6 @@ CONFIG_KEXEC_FILE | is not set | clipos | cut_atta CONFIG_USER_NS | is not set | clipos | cut_attack_surface | FAIL: "y" CONFIG_X86_MSR | is not set | clipos | cut_attack_surface | FAIL: "m" CONFIG_X86_CPUID | is not set | clipos | cut_attack_surface | FAIL: "m" -CONFIG_IO_URING | is not set | clipos | cut_attack_surface | FAIL: "y" CONFIG_X86_IOPL_IOPERM | is not set | clipos | cut_attack_surface | OK: not found CONFIG_ACPI_TABLE_UPGRADE | is not set | clipos | cut_attack_surface | FAIL: "y" CONFIG_EFI_CUSTOM_SSDT_OVERLAYS | is not set | clipos | cut_attack_surface | OK: not found @@ -203,6 +222,7 @@ CONFIG_X86_INTEL_TSX_MODE_OFF | y | clipos | cut_atta CONFIG_EFI_TEST | is not set | lockdown | cut_attack_surface | FAIL: "m" CONFIG_BPF_SYSCALL | is not set | lockdown | cut_attack_surface | FAIL: "y" CONFIG_MMIOTRACE_TEST | is not set | lockdown | cut_attack_surface | OK +CONFIG_KPROBES | is not set | lockdown | cut_attack_surface | FAIL: "y" CONFIG_TRIM_UNUSED_KSYMS | y | my | cut_attack_surface | FAIL: not found CONFIG_MMIOTRACE | is not set | my | cut_attack_surface | FAIL: "y" CONFIG_LIVEPATCH | is not set | my | cut_attack_surface | FAIL: "y" @@ -214,7 +234,7 @@ CONFIG_INPUT_EVBUG | is not set | my | cut_atta CONFIG_INTEGRITY | y |defconfig |userspace_hardening | OK CONFIG_ARCH_MMAP_RND_BITS | 32 | clipos |userspace_hardening | FAIL: "28" -[+] Config check is finished: 'OK' - 59 / 'FAIL' - 85 +[+] Config check is finished: 'OK' - 68 / 'FAIL' - 96 ``` ## kconfig-hardened-check versioning -- 2.31.1 From d8d144c1a2b15c617732d9d84e58bd3a9ef880e1 Mon Sep 17 00:00:00 2001 From: Alexander Popov Date: Sun, 21 Nov 2021 15:08:39 +0300 Subject: [PATCH 04/16] TODO: RISC-V See #56 --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index f45b1f8..8f2d585 100644 --- a/README.md +++ b/README.md 
@@ -31,6 +31,8 @@ or exploitation techniques. - ARM64 - ARM +TODO: RISC-V + ## Installation You can install the package: -- 2.31.1 From 69b66ef3871cb400e2bdeb76783355613c0bf4fc Mon Sep 17 00:00:00 2001 From: Alexander Popov Date: Sun, 21 Nov 2021 16:09:53 +0300 Subject: [PATCH 05/16] Document the output modes specified by the `-m` parameter --- README.md | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 8f2d585..688d3a6 100644 --- a/README.md +++ b/README.md @@ -43,6 +43,8 @@ pip install git+https://github.com/a13xp0p0v/kconfig-hardened-check or simply run `./bin/kconfig-hardened-check` from the cloned repository. +Some Linux distributions also provide `kconfig-hardened-check` as a package. + ## Usage ``` usage: kconfig-hardened-check [-h] [--version] [-p {X86_64,X86_32,ARM64,ARM}] 
@@ -62,7 +64,24 @@ optional arguments: choose the report mode ``` -## Output for `Ubuntu 20.04 LTS (Focal Fossa)` kernel config +## Output modes + + - no `-m` argument for the default output mode (see the example below) + - `-m verbose` for printing additional info: + - config options without a corresponding check + - internals of complex checks with AND/OR, like this: +``` +------------------------------------------------------------------------------------------- + <<< OR >>> +CONFIG_STRICT_DEVMEM | y |defconfig | cut_attack_surface +CONFIG_DEVMEM | is not set | kspp | cut_attack_surface +------------------------------------------------------------------------------------------- +``` + - `-m show_fail` for showing only the failed checks + - `-m show_ok` for showing only the successful checks + - `-m json` for printing the results in JSON format (for combining `kconfig-hardened-check` with other tools) + +## Example output for `Ubuntu 20.04 LTS (Focal Fossa)` kernel config ``` $ ./bin/kconfig-hardened-check -c kconfig_hardened_check/config_files/distros/ubuntu-focal.config [+] Config file to check: kconfig_hardened_check/config_files/distros/ubuntu-focal.config -- 2.31.1 From 3e435f082b3eb9c1959ad87fd120bb9634079d6b Mon Sep 17 00:00:00 2001 From: Alexander Popov Date: Sun, 5 Dec 2021 14:57:08 +0300 Subject: [PATCH 06/16] Add ARM64_PTR_AUTH_KERNEL extracted from ARM64_PTR_AUTH --- kconfig_hardened_check/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py index e1f9082..3a55b44 100644 --- a/kconfig_hardened_check/__init__.py +++ b/kconfig_hardened_check/__init__.py 
@@ -335,7 +335,7 @@ def construct_checklist(l, arch): AND(OptCheck('self_protection', 'defconfig', 'RANDOMIZE_BASE', 'y'), VerCheck((5, 9))))] # HARDEN_EL2_VECTORS was included in RANDOMIZE_BASE in v5.9 l += [OptCheck('self_protection', 'defconfig', 'RODATA_FULL_DEFAULT_ENABLED', 'y')] - l += [OptCheck('self_protection', 'defconfig', 'ARM64_PTR_AUTH', 'y')] + l += [OptCheck('self_protection', 'defconfig', 'ARM64_PTR_AUTH_KERNEL', 'y')] l += [OptCheck('self_protection', 'defconfig', 'ARM64_BTI_KERNEL', 'y')] l += [OR(OptCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_PREDICTOR', 'y'), VerCheck((5, 10)))] # HARDEN_BRANCH_PREDICTOR is enabled by default since v5.10 -- 2.31.1 From 1076c7b81ecf2356b516ed51155347f427e57520 Mon Sep 17 00:00:00 2001 From: Alexander Popov Date: Fri, 24 Dec 2021 20:51:11 +0300 Subject: [PATCH 07/16] Add l1d_flush (for future reference) --- kconfig_hardened_check/__init__.py | 1 + 1 file changed, 1 insertion(+) diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py index 3a55b44..ce93310 100644 --- a/kconfig_hardened_check/__init__.py +++ b/kconfig_hardened_check/__init__.py @@ -31,6 +31,7 @@ # l1tf=full,force # mds=full,nosmt # tsx=off +# l1d_flush=on # ARM64: # kpti=on # ssbd=force-on -- 2.31.1 From 7ed482ba8c3e8c9dd42691f779756772675a3dd8 Mon Sep 17 00:00:00 2001 From: Alexander Popov Date: Fri, 21 Jan 2022 18:45:54 +0300 Subject: [PATCH 08/16] Fix TRIM_UNUSED_KSYMS check TRIM_UNUSED_KSYMS can't be enabled if MODULES are disabled. Thanks to @Churam for reporting. Refers to #58. --- kconfig_hardened_check/__init__.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py index ce93310..1132d26 100644 --- a/kconfig_hardened_check/__init__.py +++ b/kconfig_hardened_check/__init__.py 
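Review bot: Swapping ARM64_PTR_AUTH for ARM64_PTR_AUTH_KERNEL makes the check report `FAIL: not found` on every kernel that predates the split named in the subject, even where ARM64_PTR_AUTH=y already covers kernel pointer authentication. This file handles renames with an OR against the old name (STRICT_KERNEL_RWX/DEBUG_RODATA, and the HARDEN_EL2_VECTORS check two lines up), so `l += [OR(OptCheck('self_protection', 'defconfig', 'ARM64_PTR_AUTH_KERNEL', 'y'), OptCheck('self_protection', 'defconfig', 'ARM64_PTR_AUTH', 'y'))]` would keep older configs covered. That plain OR is presumably lenient on newer kernels, where ARM64_PTR_AUTH=y without the _KERNEL option may be possible; the VerCheck used nearby expresses only "at least version N", so a precise bound would need a before-version check that is not visible here. construct_checklist begins outside the hunk.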
@@ -571,7 +571,8 @@ def construct_checklist(l, arch): l += [OptCheck('cut_attack_surface', 'lockdown', 'KPROBES', 'is not set')] # refers to LOCKDOWN # 'cut_attack_surface', 'my' - l += [OptCheck('cut_attack_surface', 'my', 'TRIM_UNUSED_KSYMS', 'y')] + l += [OR(OptCheck('cut_attack_surface', 'my', 'TRIM_UNUSED_KSYMS', 'y'), + modules_not_set)] l += [OptCheck('cut_attack_surface', 'my', 'MMIOTRACE', 'is not set')] # refers to LOCKDOWN (permissive) l += [OptCheck('cut_attack_surface', 'my', 'LIVEPATCH', 'is not set')] l += [OptCheck('cut_attack_surface', 'my', 'IP_DCCP', 'is not set')] -- 2.31.1 From 5e9f4868791ced7b39c1ab14b539318eaa93b8d0 Mon Sep 17 00:00:00 2001 From: Alexander Popov Date: Sat, 22 Jan 2022 00:15:16 +0300 Subject: [PATCH 09/16] Introduce KconfigCheck class --- kconfig_hardened_check/__init__.py | 418 +++++++++++++++-------------- 1 file changed, 210 insertions(+), 208 deletions(-) diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py index 1132d26..f9144f7 100644 --- a/kconfig_hardened_check/__init__.py +++ b/kconfig_hardened_check/__init__.py @@ -106,6 +106,8 @@ class OptCheck: return True return False + +class KconfigCheck(OptCheck): def table_print(self, _mode, with_results): print('CONFIG_{:<38}|{:^13}|{:^10}|{:^20}'.format(self.name, self.expected, self.decision, self.reason), end='') if with_results: @@ -162,7 +164,7 @@ class ComplexOptCheck: self.opts = opts if not self.opts: sys.exit('[!] ERROR: empty {} check'.format(self.__class__.__name__)) - if not isinstance(opts[0], OptCheck): + if not isinstance(opts[0], KconfigCheck): sys.exit('[!] ERROR: invalid {} check: {}'.format(self.__class__.__name__, opts)) self.result = None 
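Review bot: The reason for OR-ing the TRIM_UNUSED_KSYMS check with `modules_not_set` is stated only in the commit message, while neighbouring checks keep such rationale as trailing comments (`# refers to LOCKDOWN (permissive)` on the MMIOTRACE line below). Suggest ending the new line as `modules_not_set)] # TRIM_UNUSED_KSYMS depends on MODULES`. `modules_not_set` is defined near the top of construct_checklist, outside this hunk.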
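Review bot: `class KconfigCheck(OptCheck):` is introduced without a docstring, so the split between the base class and the new subclass has to be reconstructed from the hunks. The only method visibly moved into the subclass is table_print, which formats the name with a `CONFIG_` prefix, while the methods above it stay in OptCheck; a docstring such as `"""OptCheck for a kernel CONFIG_ option; table_print renders the CONFIG_-prefixed name."""` would state that. The second hunk of this patch now makes ComplexOptCheck reject a bare OptCheck as first operand with the 'invalid check' exit, which is worth mentioning in that docstring too. OptCheck's definition begins outside the hunk.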
@@ -286,316 +288,316 @@ def detect_version(fname): def construct_checklist(l, arch): - # Calling the OptCheck class constructor: - # OptCheck(reason, decision, name, expected) + # Calling the KconfigCheck class constructor: + # KconfigCheck(reason, decision, name, expected) - modules_not_set = OptCheck('cut_attack_surface', 'kspp', 'MODULES', 'is not set') - devmem_not_set = OptCheck('cut_attack_surface', 'kspp', 'DEVMEM', 'is not set') # refers to LOCKDOWN + modules_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'MODULES', 'is not set') + devmem_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'DEVMEM', 'is not set') # refers to LOCKDOWN # 'self_protection', 'defconfig' - l += [OptCheck('self_protection', 'defconfig', 'BUG', 'y')] - l += [OptCheck('self_protection', 'defconfig', 'SLUB_DEBUG', 'y')] - l += [OptCheck('self_protection', 'defconfig', 'GCC_PLUGINS', 'y')] - l += [OR(OptCheck('self_protection', 'defconfig', 'STACKPROTECTOR_STRONG', 'y'), - OptCheck('self_protection', 'defconfig', 'CC_STACKPROTECTOR_STRONG', 'y'))] - l += [OR(OptCheck('self_protection', 'defconfig', 'STRICT_KERNEL_RWX', 'y'), - OptCheck('self_protection', 'defconfig', 'DEBUG_RODATA', 'y'))] # before v4.11 - l += [OR(OptCheck('self_protection', 'defconfig', 'STRICT_MODULE_RWX', 'y'), - OptCheck('self_protection', 'defconfig', 'DEBUG_SET_MODULE_RONX', 'y'), + l += [KconfigCheck('self_protection', 'defconfig', 'BUG', 'y')] + l += [KconfigCheck('self_protection', 'defconfig', 'SLUB_DEBUG', 'y')] + l += [KconfigCheck('self_protection', 'defconfig', 'GCC_PLUGINS', 'y')] + l += [OR(KconfigCheck('self_protection', 'defconfig', 'STACKPROTECTOR_STRONG', 'y'), + KconfigCheck('self_protection', 'defconfig', 'CC_STACKPROTECTOR_STRONG', 'y'))] + l += [OR(KconfigCheck('self_protection', 'defconfig', 'STRICT_KERNEL_RWX', 'y'), + KconfigCheck('self_protection', 'defconfig', 'DEBUG_RODATA', 'y'))] # before v4.11 + l += [OR(KconfigCheck('self_protection', 'defconfig', 'STRICT_MODULE_RWX', 'y'), + 
KconfigCheck('self_protection', 'defconfig', 'DEBUG_SET_MODULE_RONX', 'y'), modules_not_set)] # DEBUG_SET_MODULE_RONX was before v4.11 - l += [OR(OptCheck('self_protection', 'defconfig', 'REFCOUNT_FULL', 'y'), + l += [OR(KconfigCheck('self_protection', 'defconfig', 'REFCOUNT_FULL', 'y'), VerCheck((5, 5)))] # REFCOUNT_FULL is enabled by default since v5.5 - iommu_support_is_set = OptCheck('self_protection', 'defconfig', 'IOMMU_SUPPORT', 'y') + iommu_support_is_set = KconfigCheck('self_protection', 'defconfig', 'IOMMU_SUPPORT', 'y') l += [iommu_support_is_set] # is needed for mitigating DMA attacks if arch in ('X86_64', 'ARM64', 'X86_32'): - l += [OptCheck('self_protection', 'defconfig', 'RANDOMIZE_BASE', 'y')] - l += [OptCheck('self_protection', 'defconfig', 'THREAD_INFO_IN_TASK', 'y')] + l += [KconfigCheck('self_protection', 'defconfig', 'RANDOMIZE_BASE', 'y')] + l += [KconfigCheck('self_protection', 'defconfig', 'THREAD_INFO_IN_TASK', 'y')] if arch in ('X86_64', 'ARM64'): - l += [OptCheck('self_protection', 'defconfig', 'VMAP_STACK', 'y')] + l += [KconfigCheck('self_protection', 'defconfig', 'VMAP_STACK', 'y')] if arch in ('X86_64', 'X86_32'): - l += [OptCheck('self_protection', 'defconfig', 'MICROCODE', 'y')] # is needed for mitigating CPU bugs - l += [OptCheck('self_protection', 'defconfig', 'RETPOLINE', 'y')] - l += [OptCheck('self_protection', 'defconfig', 'X86_SMAP', 'y')] - l += [OptCheck('self_protection', 'defconfig', 'SYN_COOKIES', 'y')] # another reason? - l += [OR(OptCheck('self_protection', 'defconfig', 'X86_UMIP', 'y'), - OptCheck('self_protection', 'defconfig', 'X86_INTEL_UMIP', 'y'))] + l += [KconfigCheck('self_protection', 'defconfig', 'MICROCODE', 'y')] # is needed for mitigating CPU bugs + l += [KconfigCheck('self_protection', 'defconfig', 'RETPOLINE', 'y')] + l += [KconfigCheck('self_protection', 'defconfig', 'X86_SMAP', 'y')] + l += [KconfigCheck('self_protection', 'defconfig', 'SYN_COOKIES', 'y')] # another reason? 
+ l += [OR(KconfigCheck('self_protection', 'defconfig', 'X86_UMIP', 'y'), + KconfigCheck('self_protection', 'defconfig', 'X86_INTEL_UMIP', 'y'))] if arch in ('ARM64', 'ARM'): - l += [OptCheck('self_protection', 'defconfig', 'STACKPROTECTOR_PER_TASK', 'y')] + l += [KconfigCheck('self_protection', 'defconfig', 'STACKPROTECTOR_PER_TASK', 'y')] if arch == 'X86_64': - l += [OptCheck('self_protection', 'defconfig', 'PAGE_TABLE_ISOLATION', 'y')] - l += [OptCheck('self_protection', 'defconfig', 'RANDOMIZE_MEMORY', 'y')] - l += [AND(OptCheck('self_protection', 'defconfig', 'INTEL_IOMMU', 'y'), + l += [KconfigCheck('self_protection', 'defconfig', 'PAGE_TABLE_ISOLATION', 'y')] + l += [KconfigCheck('self_protection', 'defconfig', 'RANDOMIZE_MEMORY', 'y')] + l += [AND(KconfigCheck('self_protection', 'defconfig', 'INTEL_IOMMU', 'y'), iommu_support_is_set)] - l += [AND(OptCheck('self_protection', 'defconfig', 'AMD_IOMMU', 'y'), + l += [AND(KconfigCheck('self_protection', 'defconfig', 'AMD_IOMMU', 'y'), iommu_support_is_set)] if arch == 'ARM64': - l += [OptCheck('self_protection', 'defconfig', 'ARM64_PAN', 'y')] - l += [OptCheck('self_protection', 'defconfig', 'ARM64_EPAN', 'y')] - l += [OptCheck('self_protection', 'defconfig', 'UNMAP_KERNEL_AT_EL0', 'y')] - l += [OR(OptCheck('self_protection', 'defconfig', 'HARDEN_EL2_VECTORS', 'y'), - AND(OptCheck('self_protection', 'defconfig', 'RANDOMIZE_BASE', 'y'), + l += [KconfigCheck('self_protection', 'defconfig', 'ARM64_PAN', 'y')] + l += [KconfigCheck('self_protection', 'defconfig', 'ARM64_EPAN', 'y')] + l += [KconfigCheck('self_protection', 'defconfig', 'UNMAP_KERNEL_AT_EL0', 'y')] + l += [OR(KconfigCheck('self_protection', 'defconfig', 'HARDEN_EL2_VECTORS', 'y'), + AND(KconfigCheck('self_protection', 'defconfig', 'RANDOMIZE_BASE', 'y'), VerCheck((5, 9))))] # HARDEN_EL2_VECTORS was included in RANDOMIZE_BASE in v5.9 - l += [OptCheck('self_protection', 'defconfig', 'RODATA_FULL_DEFAULT_ENABLED', 'y')] - l += [OptCheck('self_protection', 
'defconfig', 'ARM64_PTR_AUTH_KERNEL', 'y')] - l += [OptCheck('self_protection', 'defconfig', 'ARM64_BTI_KERNEL', 'y')] - l += [OR(OptCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_PREDICTOR', 'y'), + l += [KconfigCheck('self_protection', 'defconfig', 'RODATA_FULL_DEFAULT_ENABLED', 'y')] + l += [KconfigCheck('self_protection', 'defconfig', 'ARM64_PTR_AUTH_KERNEL', 'y')] + l += [KconfigCheck('self_protection', 'defconfig', 'ARM64_BTI_KERNEL', 'y')] + l += [OR(KconfigCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_PREDICTOR', 'y'), VerCheck((5, 10)))] # HARDEN_BRANCH_PREDICTOR is enabled by default since v5.10 - l += [OptCheck('self_protection', 'defconfig', 'ARM64_MTE', 'y')] + l += [KconfigCheck('self_protection', 'defconfig', 'ARM64_MTE', 'y')] if arch == 'ARM': - l += [OptCheck('self_protection', 'defconfig', 'CPU_SW_DOMAIN_PAN', 'y')] - l += [OptCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_PREDICTOR', 'y')] + l += [KconfigCheck('self_protection', 'defconfig', 'CPU_SW_DOMAIN_PAN', 'y')] + l += [KconfigCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_PREDICTOR', 'y')] # 'self_protection', 'kspp' - l += [OptCheck('self_protection', 'kspp', 'SECURITY_DMESG_RESTRICT', 'y')] - l += [OptCheck('self_protection', 'kspp', 'BUG_ON_DATA_CORRUPTION', 'y')] - l += [OptCheck('self_protection', 'kspp', 'DEBUG_WX', 'y')] - l += [OptCheck('self_protection', 'kspp', 'SCHED_STACK_END_CHECK', 'y')] - l += [OptCheck('self_protection', 'kspp', 'SLAB_FREELIST_HARDENED', 'y')] - l += [OptCheck('self_protection', 'kspp', 'SLAB_FREELIST_RANDOM', 'y')] - l += [OptCheck('self_protection', 'kspp', 'SHUFFLE_PAGE_ALLOCATOR', 'y')] - l += [OptCheck('self_protection', 'kspp', 'FORTIFY_SOURCE', 'y')] - l += [OptCheck('self_protection', 'kspp', 'DEBUG_LIST', 'y')] - l += [OptCheck('self_protection', 'kspp', 'DEBUG_SG', 'y')] - l += [OptCheck('self_protection', 'kspp', 'DEBUG_CREDENTIALS', 'y')] - l += [OptCheck('self_protection', 'kspp', 'DEBUG_NOTIFIERS', 'y')] - l += 
[OptCheck('self_protection', 'kspp', 'INIT_ON_ALLOC_DEFAULT_ON', 'y')] - l += [OptCheck('self_protection', 'kspp', 'GCC_PLUGIN_LATENT_ENTROPY', 'y')] - randstruct_is_set = OptCheck('self_protection', 'kspp', 'GCC_PLUGIN_RANDSTRUCT', 'y') + l += [KconfigCheck('self_protection', 'kspp', 'SECURITY_DMESG_RESTRICT', 'y')] + l += [KconfigCheck('self_protection', 'kspp', 'BUG_ON_DATA_CORRUPTION', 'y')] + l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_WX', 'y')] + l += [KconfigCheck('self_protection', 'kspp', 'SCHED_STACK_END_CHECK', 'y')] + l += [KconfigCheck('self_protection', 'kspp', 'SLAB_FREELIST_HARDENED', 'y')] + l += [KconfigCheck('self_protection', 'kspp', 'SLAB_FREELIST_RANDOM', 'y')] + l += [KconfigCheck('self_protection', 'kspp', 'SHUFFLE_PAGE_ALLOCATOR', 'y')] + l += [KconfigCheck('self_protection', 'kspp', 'FORTIFY_SOURCE', 'y')] + l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_LIST', 'y')] + l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_SG', 'y')] + l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_CREDENTIALS', 'y')] + l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_NOTIFIERS', 'y')] + l += [KconfigCheck('self_protection', 'kspp', 'INIT_ON_ALLOC_DEFAULT_ON', 'y')] + l += [KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_LATENT_ENTROPY', 'y')] + randstruct_is_set = KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_RANDSTRUCT', 'y') l += [randstruct_is_set] - hardened_usercopy_is_set = OptCheck('self_protection', 'kspp', 'HARDENED_USERCOPY', 'y') + hardened_usercopy_is_set = KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY', 'y') l += [hardened_usercopy_is_set] - l += [AND(OptCheck('self_protection', 'kspp', 'HARDENED_USERCOPY_FALLBACK', 'is not set'), + l += [AND(KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY_FALLBACK', 'is not set'), hardened_usercopy_is_set)] - l += [AND(OptCheck('self_protection', 'kspp', 'HARDENED_USERCOPY_PAGESPAN', 'is not set'), + l += [AND(KconfigCheck('self_protection', 'kspp', 
'HARDENED_USERCOPY_PAGESPAN', 'is not set'), hardened_usercopy_is_set)] - l += [OR(OptCheck('self_protection', 'kspp', 'MODULE_SIG', 'y'), + l += [OR(KconfigCheck('self_protection', 'kspp', 'MODULE_SIG', 'y'), modules_not_set)] - l += [OR(OptCheck('self_protection', 'kspp', 'MODULE_SIG_ALL', 'y'), + l += [OR(KconfigCheck('self_protection', 'kspp', 'MODULE_SIG_ALL', 'y'), modules_not_set)] - l += [OR(OptCheck('self_protection', 'kspp', 'MODULE_SIG_SHA512', 'y'), + l += [OR(KconfigCheck('self_protection', 'kspp', 'MODULE_SIG_SHA512', 'y'), modules_not_set)] - l += [OR(OptCheck('self_protection', 'kspp', 'MODULE_SIG_FORCE', 'y'), + l += [OR(KconfigCheck('self_protection', 'kspp', 'MODULE_SIG_FORCE', 'y'), modules_not_set)] # refers to LOCKDOWN - l += [OR(OptCheck('self_protection', 'kspp', 'INIT_STACK_ALL_ZERO', 'y'), - OptCheck('self_protection', 'kspp', 'GCC_PLUGIN_STRUCTLEAK_BYREF_ALL', 'y'))] - l += [OR(OptCheck('self_protection', 'kspp', 'INIT_ON_FREE_DEFAULT_ON', 'y'), - OptCheck('self_protection', 'kspp', 'PAGE_POISONING_ZERO', 'y'))] + l += [OR(KconfigCheck('self_protection', 'kspp', 'INIT_STACK_ALL_ZERO', 'y'), + KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_STRUCTLEAK_BYREF_ALL', 'y'))] + l += [OR(KconfigCheck('self_protection', 'kspp', 'INIT_ON_FREE_DEFAULT_ON', 'y'), + KconfigCheck('self_protection', 'kspp', 'PAGE_POISONING_ZERO', 'y'))] # CONFIG_INIT_ON_FREE_DEFAULT_ON was added in v5.3. # CONFIG_PAGE_POISONING_ZERO was removed in v5.11. # Starting from v5.11 CONFIG_PAGE_POISONING unconditionally checks # the 0xAA poison pattern on allocation. # That brings higher performance penalty. 
if arch in ('X86_64', 'ARM64', 'X86_32'): - stackleak_is_set = OptCheck('self_protection', 'kspp', 'GCC_PLUGIN_STACKLEAK', 'y') + stackleak_is_set = KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_STACKLEAK', 'y') l += [stackleak_is_set] - l += [OptCheck('self_protection', 'kspp', 'RANDOMIZE_KSTACK_OFFSET_DEFAULT', 'y')] + l += [KconfigCheck('self_protection', 'kspp', 'RANDOMIZE_KSTACK_OFFSET_DEFAULT', 'y')] if arch in ('X86_64', 'X86_32'): - l += [OptCheck('self_protection', 'kspp', 'DEFAULT_MMAP_MIN_ADDR', '65536')] + l += [KconfigCheck('self_protection', 'kspp', 'DEFAULT_MMAP_MIN_ADDR', '65536')] if arch in ('ARM64', 'ARM'): - l += [OptCheck('self_protection', 'kspp', 'DEFAULT_MMAP_MIN_ADDR', '32768')] - l += [OptCheck('self_protection', 'kspp', 'SYN_COOKIES', 'y')] # another reason? + l += [KconfigCheck('self_protection', 'kspp', 'DEFAULT_MMAP_MIN_ADDR', '32768')] + l += [KconfigCheck('self_protection', 'kspp', 'SYN_COOKIES', 'y')] # another reason? if arch == 'ARM64': - l += [OptCheck('self_protection', 'kspp', 'ARM64_SW_TTBR0_PAN', 'y')] + l += [KconfigCheck('self_protection', 'kspp', 'ARM64_SW_TTBR0_PAN', 'y')] if arch == 'X86_32': - l += [OptCheck('self_protection', 'kspp', 'PAGE_TABLE_ISOLATION', 'y')] - l += [OptCheck('self_protection', 'kspp', 'HIGHMEM64G', 'y')] - l += [OptCheck('self_protection', 'kspp', 'X86_PAE', 'y')] + l += [KconfigCheck('self_protection', 'kspp', 'PAGE_TABLE_ISOLATION', 'y')] + l += [KconfigCheck('self_protection', 'kspp', 'HIGHMEM64G', 'y')] + l += [KconfigCheck('self_protection', 'kspp', 'X86_PAE', 'y')] # 'self_protection', 'maintainer' - ubsan_bounds_is_set = OptCheck('self_protection', 'maintainer', 'UBSAN_BOUNDS', 'y') # only array index bounds checking + ubsan_bounds_is_set = KconfigCheck('self_protection', 'maintainer', 'UBSAN_BOUNDS', 'y') # only array index bounds checking l += [ubsan_bounds_is_set] # recommended by Kees Cook in /issues/53 - l += [AND(OptCheck('self_protection', 'maintainer', 'UBSAN_SANITIZE_ALL', 
'y'), + l += [AND(KconfigCheck('self_protection', 'maintainer', 'UBSAN_SANITIZE_ALL', 'y'), ubsan_bounds_is_set)] # recommended by Kees Cook in /issues/53 - l += [AND(OptCheck('self_protection', 'maintainer', 'UBSAN_TRAP', 'y'), + l += [AND(KconfigCheck('self_protection', 'maintainer', 'UBSAN_TRAP', 'y'), ubsan_bounds_is_set)] # recommended by Kees Cook in /issues/53 # 'self_protection', 'clipos' - l += [OptCheck('self_protection', 'clipos', 'DEBUG_VIRTUAL', 'y')] - l += [OptCheck('self_protection', 'clipos', 'STATIC_USERMODEHELPER', 'y')] # needs userspace support - l += [OptCheck('self_protection', 'clipos', 'EFI_DISABLE_PCI_DMA', 'y')] - l += [OptCheck('self_protection', 'clipos', 'SLAB_MERGE_DEFAULT', 'is not set')] # slab_nomerge - l += [OptCheck('self_protection', 'clipos', 'RANDOM_TRUST_BOOTLOADER', 'is not set')] - l += [OptCheck('self_protection', 'clipos', 'RANDOM_TRUST_CPU', 'is not set')] - l += [AND(OptCheck('self_protection', 'clipos', 'GCC_PLUGIN_RANDSTRUCT_PERFORMANCE', 'is not set'), + l += [KconfigCheck('self_protection', 'clipos', 'DEBUG_VIRTUAL', 'y')] + l += [KconfigCheck('self_protection', 'clipos', 'STATIC_USERMODEHELPER', 'y')] # needs userspace support + l += [KconfigCheck('self_protection', 'clipos', 'EFI_DISABLE_PCI_DMA', 'y')] + l += [KconfigCheck('self_protection', 'clipos', 'SLAB_MERGE_DEFAULT', 'is not set')] # slab_nomerge + l += [KconfigCheck('self_protection', 'clipos', 'RANDOM_TRUST_BOOTLOADER', 'is not set')] + l += [KconfigCheck('self_protection', 'clipos', 'RANDOM_TRUST_CPU', 'is not set')] + l += [AND(KconfigCheck('self_protection', 'clipos', 'GCC_PLUGIN_RANDSTRUCT_PERFORMANCE', 'is not set'), randstruct_is_set)] if arch in ('X86_64', 'ARM64', 'X86_32'): - l += [AND(OptCheck('self_protection', 'clipos', 'STACKLEAK_METRICS', 'is not set'), + l += [AND(KconfigCheck('self_protection', 'clipos', 'STACKLEAK_METRICS', 'is not set'), stackleak_is_set)] - l += [AND(OptCheck('self_protection', 'clipos', 'STACKLEAK_RUNTIME_DISABLE', 'is 
not set'), + l += [AND(KconfigCheck('self_protection', 'clipos', 'STACKLEAK_RUNTIME_DISABLE', 'is not set'), stackleak_is_set)] if arch in ('X86_64', 'X86_32'): - l += [AND(OptCheck('self_protection', 'clipos', 'INTEL_IOMMU_DEFAULT_ON', 'y'), + l += [AND(KconfigCheck('self_protection', 'clipos', 'INTEL_IOMMU_DEFAULT_ON', 'y'), iommu_support_is_set)] if arch == 'X86_64': - l += [AND(OptCheck('self_protection', 'clipos', 'INTEL_IOMMU_SVM', 'y'), + l += [AND(KconfigCheck('self_protection', 'clipos', 'INTEL_IOMMU_SVM', 'y'), iommu_support_is_set)] if arch == 'X86_32': - l += [AND(OptCheck('self_protection', 'clipos', 'INTEL_IOMMU', 'y'), + l += [AND(KconfigCheck('self_protection', 'clipos', 'INTEL_IOMMU', 'y'), iommu_support_is_set)] # 'self_protection', 'my' - l += [OptCheck('self_protection', 'my', 'RESET_ATTACK_MITIGATION', 'y')] # needs userspace support (systemd) + l += [KconfigCheck('self_protection', 'my', 'RESET_ATTACK_MITIGATION', 'y')] # needs userspace support (systemd) if arch == 'X86_64': - l += [AND(OptCheck('self_protection', 'my', 'AMD_IOMMU_V2', 'y'), + l += [AND(KconfigCheck('self_protection', 'my', 'AMD_IOMMU_V2', 'y'), iommu_support_is_set)] if arch == 'ARM64': - l += [OptCheck('self_protection', 'my', 'SHADOW_CALL_STACK', 'y')] # depends on clang, maybe it's alternative to STACKPROTECTOR_STRONG - l += [OptCheck('self_protection', 'my', 'KASAN_HW_TAGS', 'y')] - cfi_clang_is_set = OptCheck('self_protection', 'my', 'CFI_CLANG', 'y') + l += [KconfigCheck('self_protection', 'my', 'SHADOW_CALL_STACK', 'y')] # depends on clang, maybe it's alternative to STACKPROTECTOR_STRONG + l += [KconfigCheck('self_protection', 'my', 'KASAN_HW_TAGS', 'y')] + cfi_clang_is_set = KconfigCheck('self_protection', 'my', 'CFI_CLANG', 'y') l += [cfi_clang_is_set] - l += [AND(OptCheck('self_protection', 'my', 'CFI_PERMISSIVE', 'is not set'), + l += [AND(KconfigCheck('self_protection', 'my', 'CFI_PERMISSIVE', 'is not set'), cfi_clang_is_set)] # 'security_policy' if arch in 
('X86_64', 'ARM64', 'X86_32'): - l += [OptCheck('security_policy', 'defconfig', 'SECURITY', 'y')] # and choose your favourite LSM + l += [KconfigCheck('security_policy', 'defconfig', 'SECURITY', 'y')] # and choose your favourite LSM if arch == 'ARM': - l += [OptCheck('security_policy', 'kspp', 'SECURITY', 'y')] # and choose your favourite LSM - l += [OptCheck('security_policy', 'kspp', 'SECURITY_YAMA', 'y')] - l += [OR(OptCheck('security_policy', 'my', 'SECURITY_WRITABLE_HOOKS', 'is not set'), - OptCheck('security_policy', 'kspp', 'SECURITY_SELINUX_DISABLE', 'is not set'))] - l += [OptCheck('security_policy', 'clipos', 'SECURITY_LOCKDOWN_LSM', 'y')] - l += [OptCheck('security_policy', 'clipos', 'SECURITY_LOCKDOWN_LSM_EARLY', 'y')] - l += [OptCheck('security_policy', 'clipos', 'LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY', 'y')] - l += [OptCheck('security_policy', 'my', 'SECURITY_SAFESETID', 'y')] - loadpin_is_set = OptCheck('security_policy', 'my', 'SECURITY_LOADPIN', 'y') + l += [KconfigCheck('security_policy', 'kspp', 'SECURITY', 'y')] # and choose your favourite LSM + l += [KconfigCheck('security_policy', 'kspp', 'SECURITY_YAMA', 'y')] + l += [OR(KconfigCheck('security_policy', 'my', 'SECURITY_WRITABLE_HOOKS', 'is not set'), + KconfigCheck('security_policy', 'kspp', 'SECURITY_SELINUX_DISABLE', 'is not set'))] + l += [KconfigCheck('security_policy', 'clipos', 'SECURITY_LOCKDOWN_LSM', 'y')] + l += [KconfigCheck('security_policy', 'clipos', 'SECURITY_LOCKDOWN_LSM_EARLY', 'y')] + l += [KconfigCheck('security_policy', 'clipos', 'LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY', 'y')] + l += [KconfigCheck('security_policy', 'my', 'SECURITY_SAFESETID', 'y')] + loadpin_is_set = KconfigCheck('security_policy', 'my', 'SECURITY_LOADPIN', 'y') l += [loadpin_is_set] # needs userspace support - l += [AND(OptCheck('security_policy', 'my', 'SECURITY_LOADPIN_ENFORCE', 'y'), + l += [AND(KconfigCheck('security_policy', 'my', 'SECURITY_LOADPIN_ENFORCE', 'y'), loadpin_is_set)] # 
'cut_attack_surface', 'defconfig' - l += [OptCheck('cut_attack_surface', 'defconfig', 'SECCOMP', 'y')] - l += [OptCheck('cut_attack_surface', 'defconfig', 'SECCOMP_FILTER', 'y')] + l += [KconfigCheck('cut_attack_surface', 'defconfig', 'SECCOMP', 'y')] + l += [KconfigCheck('cut_attack_surface', 'defconfig', 'SECCOMP_FILTER', 'y')] if arch in ('X86_64', 'ARM64', 'X86_32'): - l += [OR(OptCheck('cut_attack_surface', 'defconfig', 'STRICT_DEVMEM', 'y'), + l += [OR(KconfigCheck('cut_attack_surface', 'defconfig', 'STRICT_DEVMEM', 'y'), devmem_not_set)] # refers to LOCKDOWN # 'cut_attack_surface', 'kspp' - l += [OptCheck('cut_attack_surface', 'kspp', 'ACPI_CUSTOM_METHOD', 'is not set')] # refers to LOCKDOWN - l += [OptCheck('cut_attack_surface', 'kspp', 'COMPAT_BRK', 'is not set')] - l += [OptCheck('cut_attack_surface', 'kspp', 'DEVKMEM', 'is not set')] # refers to LOCKDOWN - l += [OptCheck('cut_attack_surface', 'kspp', 'COMPAT_VDSO', 'is not set')] - l += [OptCheck('cut_attack_surface', 'kspp', 'BINFMT_MISC', 'is not set')] - l += [OptCheck('cut_attack_surface', 'kspp', 'INET_DIAG', 'is not set')] - l += [OptCheck('cut_attack_surface', 'kspp', 'KEXEC', 'is not set')] # refers to LOCKDOWN - l += [OptCheck('cut_attack_surface', 'kspp', 'PROC_KCORE', 'is not set')] # refers to LOCKDOWN - l += [OptCheck('cut_attack_surface', 'kspp', 'LEGACY_PTYS', 'is not set')] - l += [OptCheck('cut_attack_surface', 'kspp', 'HIBERNATION', 'is not set')] # refers to LOCKDOWN - l += [OptCheck('cut_attack_surface', 'kspp', 'IA32_EMULATION', 'is not set')] - l += [OptCheck('cut_attack_surface', 'kspp', 'X86_X32', 'is not set')] - l += [OptCheck('cut_attack_surface', 'kspp', 'MODIFY_LDT_SYSCALL', 'is not set')] - l += [OptCheck('cut_attack_surface', 'kspp', 'OABI_COMPAT', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'kspp', 'ACPI_CUSTOM_METHOD', 'is not set')] # refers to LOCKDOWN + l += [KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT_BRK', 'is not set')] + l += 
[KconfigCheck('cut_attack_surface', 'kspp', 'DEVKMEM', 'is not set')] # refers to LOCKDOWN + l += [KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT_VDSO', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'kspp', 'BINFMT_MISC', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'kspp', 'INET_DIAG', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'kspp', 'KEXEC', 'is not set')] # refers to LOCKDOWN + l += [KconfigCheck('cut_attack_surface', 'kspp', 'PROC_KCORE', 'is not set')] # refers to LOCKDOWN + l += [KconfigCheck('cut_attack_surface', 'kspp', 'LEGACY_PTYS', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'kspp', 'HIBERNATION', 'is not set')] # refers to LOCKDOWN + l += [KconfigCheck('cut_attack_surface', 'kspp', 'IA32_EMULATION', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'kspp', 'X86_X32', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'kspp', 'MODIFY_LDT_SYSCALL', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'kspp', 'OABI_COMPAT', 'is not set')] l += [modules_not_set] l += [devmem_not_set] - l += [OR(OptCheck('cut_attack_surface', 'kspp', 'IO_STRICT_DEVMEM', 'y'), + l += [OR(KconfigCheck('cut_attack_surface', 'kspp', 'IO_STRICT_DEVMEM', 'y'), devmem_not_set)] # refers to LOCKDOWN if arch == 'ARM': - l += [OR(OptCheck('cut_attack_surface', 'kspp', 'STRICT_DEVMEM', 'y'), + l += [OR(KconfigCheck('cut_attack_surface', 'kspp', 'STRICT_DEVMEM', 'y'), devmem_not_set)] # refers to LOCKDOWN if arch == 'X86_64': - l += [OptCheck('cut_attack_surface', 'kspp', 'LEGACY_VSYSCALL_NONE', 'y')] # 'vsyscall=none' + l += [KconfigCheck('cut_attack_surface', 'kspp', 'LEGACY_VSYSCALL_NONE', 'y')] # 'vsyscall=none' # 'cut_attack_surface', 'grsecurity' - l += [OptCheck('cut_attack_surface', 'grsecurity', 'ZSMALLOC_STAT', 'is not set')] - l += [OptCheck('cut_attack_surface', 'grsecurity', 'PAGE_OWNER', 'is not set')] - l += [OptCheck('cut_attack_surface', 'grsecurity', 'DEBUG_KMEMLEAK', 'is not set')] - l += 
[OptCheck('cut_attack_surface', 'grsecurity', 'BINFMT_AOUT', 'is not set')] - l += [OptCheck('cut_attack_surface', 'grsecurity', 'KPROBE_EVENTS', 'is not set')] - l += [OptCheck('cut_attack_surface', 'grsecurity', 'UPROBE_EVENTS', 'is not set')] - l += [OptCheck('cut_attack_surface', 'grsecurity', 'GENERIC_TRACER', 'is not set')] # refers to LOCKDOWN - l += [OptCheck('cut_attack_surface', 'grsecurity', 'FUNCTION_TRACER', 'is not set')] - l += [OptCheck('cut_attack_surface', 'grsecurity', 'STACK_TRACER', 'is not set')] - l += [OptCheck('cut_attack_surface', 'grsecurity', 'HIST_TRIGGERS', 'is not set')] - l += [OptCheck('cut_attack_surface', 'grsecurity', 'BLK_DEV_IO_TRACE', 'is not set')] - l += [OptCheck('cut_attack_surface', 'grsecurity', 'PROC_VMCORE', 'is not set')] - l += [OptCheck('cut_attack_surface', 'grsecurity', 'PROC_PAGE_MONITOR', 'is not set')] - l += [OptCheck('cut_attack_surface', 'grsecurity', 'USELIB', 'is not set')] - l += [OptCheck('cut_attack_surface', 'grsecurity', 'CHECKPOINT_RESTORE', 'is not set')] - l += [OptCheck('cut_attack_surface', 'grsecurity', 'USERFAULTFD', 'is not set')] - l += [OptCheck('cut_attack_surface', 'grsecurity', 'HWPOISON_INJECT', 'is not set')] - l += [OptCheck('cut_attack_surface', 'grsecurity', 'MEM_SOFT_DIRTY', 'is not set')] - l += [OptCheck('cut_attack_surface', 'grsecurity', 'DEVPORT', 'is not set')] # refers to LOCKDOWN - l += [OptCheck('cut_attack_surface', 'grsecurity', 'DEBUG_FS', 'is not set')] # refers to LOCKDOWN - l += [OptCheck('cut_attack_surface', 'grsecurity', 'NOTIFIER_ERROR_INJECTION', 'is not set')] - l += [OptCheck('cut_attack_surface', 'grsecurity', 'FAIL_FUTEX', 'is not set')] - l += [OptCheck('cut_attack_surface', 'grsecurity', 'PUNIT_ATOM_DEBUG', 'is not set')] - l += [OptCheck('cut_attack_surface', 'grsecurity', 'ACPI_CONFIGFS', 'is not set')] - l += [OptCheck('cut_attack_surface', 'grsecurity', 'EDAC_DEBUG', 'is not set')] - l += [OptCheck('cut_attack_surface', 'grsecurity', 'DRM_I915_DEBUG', 
'is not set')] - l += [OptCheck('cut_attack_surface', 'grsecurity', 'BCACHE_CLOSURES_DEBUG', 'is not set')] - l += [OptCheck('cut_attack_surface', 'grsecurity', 'DVB_C8SECTPFE', 'is not set')] - l += [OptCheck('cut_attack_surface', 'grsecurity', 'MTD_SLRAM', 'is not set')] - l += [OptCheck('cut_attack_surface', 'grsecurity', 'MTD_PHRAM', 'is not set')] - l += [OptCheck('cut_attack_surface', 'grsecurity', 'IO_URING', 'is not set')] - l += [OptCheck('cut_attack_surface', 'grsecurity', 'KCMP', 'is not set')] - l += [OptCheck('cut_attack_surface', 'grsecurity', 'RSEQ', 'is not set')] - l += [OptCheck('cut_attack_surface', 'grsecurity', 'LATENCYTOP', 'is not set')] - l += [OptCheck('cut_attack_surface', 'grsecurity', 'KCOV', 'is not set')] - l += [OptCheck('cut_attack_surface', 'grsecurity', 'PROVIDE_OHCI1394_DMA_INIT', 'is not set')] - l += [OptCheck('cut_attack_surface', 'grsecurity', 'SUNRPC_DEBUG', 'is not set')] - l += [AND(OptCheck('cut_attack_surface', 'grsecurity', 'PTDUMP_DEBUGFS', 'is not set'), - OptCheck('cut_attack_surface', 'grsecurity', 'X86_PTDUMP', 'is not set'))] + l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'ZSMALLOC_STAT', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'PAGE_OWNER', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'DEBUG_KMEMLEAK', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'BINFMT_AOUT', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'KPROBE_EVENTS', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'UPROBE_EVENTS', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'GENERIC_TRACER', 'is not set')] # refers to LOCKDOWN + l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'FUNCTION_TRACER', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'STACK_TRACER', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'HIST_TRIGGERS', 'is not 
set')] + l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'BLK_DEV_IO_TRACE', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'PROC_VMCORE', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'PROC_PAGE_MONITOR', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'USELIB', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'CHECKPOINT_RESTORE', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'USERFAULTFD', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'HWPOISON_INJECT', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'MEM_SOFT_DIRTY', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'DEVPORT', 'is not set')] # refers to LOCKDOWN + l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'DEBUG_FS', 'is not set')] # refers to LOCKDOWN + l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'NOTIFIER_ERROR_INJECTION', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'FAIL_FUTEX', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'PUNIT_ATOM_DEBUG', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'ACPI_CONFIGFS', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'EDAC_DEBUG', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'DRM_I915_DEBUG', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'BCACHE_CLOSURES_DEBUG', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'DVB_C8SECTPFE', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'MTD_SLRAM', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'MTD_PHRAM', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'IO_URING', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'KCMP', 'is not set')] + l 
+= [KconfigCheck('cut_attack_surface', 'grsecurity', 'RSEQ', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'LATENCYTOP', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'KCOV', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'PROVIDE_OHCI1394_DMA_INIT', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'SUNRPC_DEBUG', 'is not set')] + l += [AND(KconfigCheck('cut_attack_surface', 'grsecurity', 'PTDUMP_DEBUGFS', 'is not set'), + KconfigCheck('cut_attack_surface', 'grsecurity', 'X86_PTDUMP', 'is not set'))] # 'cut_attack_surface', 'maintainer' - l += [OptCheck('cut_attack_surface', 'maintainer', 'DRM_LEGACY', 'is not set')] # recommended by Daniel Vetter in /issues/38 - l += [OptCheck('cut_attack_surface', 'maintainer', 'FB', 'is not set')] # recommended by Daniel Vetter in /issues/38 - l += [OptCheck('cut_attack_surface', 'maintainer', 'VT', 'is not set')] # recommended by Daniel Vetter in /issues/38 - l += [OptCheck('cut_attack_surface', 'maintainer', 'BLK_DEV_FD', 'is not set')] # recommended by Denis Efremov in /pull/54 + l += [KconfigCheck('cut_attack_surface', 'maintainer', 'DRM_LEGACY', 'is not set')] # recommended by Daniel Vetter in /issues/38 + l += [KconfigCheck('cut_attack_surface', 'maintainer', 'FB', 'is not set')] # recommended by Daniel Vetter in /issues/38 + l += [KconfigCheck('cut_attack_surface', 'maintainer', 'VT', 'is not set')] # recommended by Daniel Vetter in /issues/38 + l += [KconfigCheck('cut_attack_surface', 'maintainer', 'BLK_DEV_FD', 'is not set')] # recommended by Denis Efremov in /pull/54 # 'cut_attack_surface', 'grapheneos' - l += [OptCheck('cut_attack_surface', 'grapheneos', 'AIO', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'grapheneos', 'AIO', 'is not set')] # 'cut_attack_surface', 'clipos' - l += [OptCheck('cut_attack_surface', 'clipos', 'STAGING', 'is not set')] - l += [OptCheck('cut_attack_surface', 'clipos', 'KSM', 'is 
not set')] # to prevent FLUSH+RELOAD attack -# l += [OptCheck('cut_attack_surface', 'clipos', 'IKCONFIG', 'is not set')] # no, IKCONFIG is needed for this check :) - l += [OptCheck('cut_attack_surface', 'clipos', 'KALLSYMS', 'is not set')] - l += [OptCheck('cut_attack_surface', 'clipos', 'X86_VSYSCALL_EMULATION', 'is not set')] - l += [OptCheck('cut_attack_surface', 'clipos', 'MAGIC_SYSRQ', 'is not set')] - l += [OptCheck('cut_attack_surface', 'clipos', 'KEXEC_FILE', 'is not set')] # refers to LOCKDOWN (permissive) - l += [OptCheck('cut_attack_surface', 'clipos', 'USER_NS', 'is not set')] # user.max_user_namespaces=0 - l += [OptCheck('cut_attack_surface', 'clipos', 'X86_MSR', 'is not set')] # refers to LOCKDOWN - l += [OptCheck('cut_attack_surface', 'clipos', 'X86_CPUID', 'is not set')] - l += [OptCheck('cut_attack_surface', 'clipos', 'X86_IOPL_IOPERM', 'is not set')] # refers to LOCKDOWN - l += [OptCheck('cut_attack_surface', 'clipos', 'ACPI_TABLE_UPGRADE', 'is not set')] # refers to LOCKDOWN - l += [OptCheck('cut_attack_surface', 'clipos', 'EFI_CUSTOM_SSDT_OVERLAYS', 'is not set')] - l += [AND(OptCheck('cut_attack_surface', 'clipos', 'LDISC_AUTOLOAD', 'is not set'), + l += [KconfigCheck('cut_attack_surface', 'clipos', 'STAGING', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'clipos', 'KSM', 'is not set')] # to prevent FLUSH+RELOAD attack +# l += [KconfigCheck('cut_attack_surface', 'clipos', 'IKCONFIG', 'is not set')] # no, IKCONFIG is needed for this check :) + l += [KconfigCheck('cut_attack_surface', 'clipos', 'KALLSYMS', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'clipos', 'X86_VSYSCALL_EMULATION', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'clipos', 'MAGIC_SYSRQ', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'clipos', 'KEXEC_FILE', 'is not set')] # refers to LOCKDOWN (permissive) + l += [KconfigCheck('cut_attack_surface', 'clipos', 'USER_NS', 'is not set')] # user.max_user_namespaces=0 + l += 
[KconfigCheck('cut_attack_surface', 'clipos', 'X86_MSR', 'is not set')] # refers to LOCKDOWN + l += [KconfigCheck('cut_attack_surface', 'clipos', 'X86_CPUID', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'clipos', 'X86_IOPL_IOPERM', 'is not set')] # refers to LOCKDOWN + l += [KconfigCheck('cut_attack_surface', 'clipos', 'ACPI_TABLE_UPGRADE', 'is not set')] # refers to LOCKDOWN + l += [KconfigCheck('cut_attack_surface', 'clipos', 'EFI_CUSTOM_SSDT_OVERLAYS', 'is not set')] + l += [AND(KconfigCheck('cut_attack_surface', 'clipos', 'LDISC_AUTOLOAD', 'is not set'), PresenceCheck('LDISC_AUTOLOAD'))] if arch in ('X86_64', 'X86_32'): - l += [OptCheck('cut_attack_surface', 'clipos', 'X86_INTEL_TSX_MODE_OFF', 'y')] # tsx=off + l += [KconfigCheck('cut_attack_surface', 'clipos', 'X86_INTEL_TSX_MODE_OFF', 'y')] # tsx=off # 'cut_attack_surface', 'lockdown' - l += [OptCheck('cut_attack_surface', 'lockdown', 'EFI_TEST', 'is not set')] # refers to LOCKDOWN - l += [OptCheck('cut_attack_surface', 'lockdown', 'BPF_SYSCALL', 'is not set')] # refers to LOCKDOWN - l += [OptCheck('cut_attack_surface', 'lockdown', 'MMIOTRACE_TEST', 'is not set')] # refers to LOCKDOWN - l += [OptCheck('cut_attack_surface', 'lockdown', 'KPROBES', 'is not set')] # refers to LOCKDOWN + l += [KconfigCheck('cut_attack_surface', 'lockdown', 'EFI_TEST', 'is not set')] # refers to LOCKDOWN + l += [KconfigCheck('cut_attack_surface', 'lockdown', 'BPF_SYSCALL', 'is not set')] # refers to LOCKDOWN + l += [KconfigCheck('cut_attack_surface', 'lockdown', 'MMIOTRACE_TEST', 'is not set')] # refers to LOCKDOWN + l += [KconfigCheck('cut_attack_surface', 'lockdown', 'KPROBES', 'is not set')] # refers to LOCKDOWN # 'cut_attack_surface', 'my' - l += [OR(OptCheck('cut_attack_surface', 'my', 'TRIM_UNUSED_KSYMS', 'y'), + l += [OR(KconfigCheck('cut_attack_surface', 'my', 'TRIM_UNUSED_KSYMS', 'y'), modules_not_set)] - l += [OptCheck('cut_attack_surface', 'my', 'MMIOTRACE', 'is not set')] # refers to LOCKDOWN (permissive) 
- l += [OptCheck('cut_attack_surface', 'my', 'LIVEPATCH', 'is not set')] - l += [OptCheck('cut_attack_surface', 'my', 'IP_DCCP', 'is not set')] - l += [OptCheck('cut_attack_surface', 'my', 'IP_SCTP', 'is not set')] - l += [OptCheck('cut_attack_surface', 'my', 'FTRACE', 'is not set')] # refers to LOCKDOWN - l += [OptCheck('cut_attack_surface', 'my', 'VIDEO_VIVID', 'is not set')] - l += [OptCheck('cut_attack_surface', 'my', 'INPUT_EVBUG', 'is not set')] # Can be used as a keylogger + l += [KconfigCheck('cut_attack_surface', 'my', 'MMIOTRACE', 'is not set')] # refers to LOCKDOWN (permissive) + l += [KconfigCheck('cut_attack_surface', 'my', 'LIVEPATCH', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'my', 'IP_DCCP', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'my', 'IP_SCTP', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'my', 'FTRACE', 'is not set')] # refers to LOCKDOWN + l += [KconfigCheck('cut_attack_surface', 'my', 'VIDEO_VIVID', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'my', 'INPUT_EVBUG', 'is not set')] # Can be used as a keylogger # 'userspace_hardening' if arch in ('X86_64', 'ARM64', 'X86_32'): - l += [OptCheck('userspace_hardening', 'defconfig', 'INTEGRITY', 'y')] + l += [KconfigCheck('userspace_hardening', 'defconfig', 'INTEGRITY', 'y')] if arch == 'ARM': - l += [OptCheck('userspace_hardening', 'my', 'INTEGRITY', 'y')] + l += [KconfigCheck('userspace_hardening', 'my', 'INTEGRITY', 'y')] if arch == 'ARM64': - l += [OptCheck('userspace_hardening', 'defconfig', 'ARM64_MTE', 'y')] + l += [KconfigCheck('userspace_hardening', 'defconfig', 'ARM64_MTE', 'y')] if arch in ('ARM', 'X86_32'): - l += [OptCheck('userspace_hardening', 'defconfig', 'VMSPLIT_3G', 'y')] + l += [KconfigCheck('userspace_hardening', 'defconfig', 'VMSPLIT_3G', 'y')] if arch in ('X86_64', 'ARM64'): - l += [OptCheck('userspace_hardening', 'clipos', 'ARCH_MMAP_RND_BITS', '32')] + l += [KconfigCheck('userspace_hardening', 'clipos', 
'ARCH_MMAP_RND_BITS', '32')]
 if arch in ('X86_32', 'ARM'):
- l += [OptCheck('userspace_hardening', 'my', 'ARCH_MMAP_RND_BITS', '16')]
+ l += [KconfigCheck('userspace_hardening', 'my', 'ARCH_MMAP_RND_BITS', '16')]
-# l += [OptCheck('feature_test', 'my', 'LKDTM', 'm')] # only for debugging!
+# l += [KconfigCheck('feature_test', 'my', 'LKDTM', 'm')] # only for debugging!
 def print_unknown_options(checklist, parsed_options):
@@ -628,7 +630,7 @@ def print_checklist(mode, checklist, with_results):
 if with_results:
 sep_line_len += 30
 print('=' * sep_line_len)
- print('{:^45}|{:^13}|{:^10}|{:^20}'.format('option name', 'desired val', 'decision', 'reason'), end='')
+ print('{:^45}|{:^13}|{:^10}|{:^20}'.format('kconfig option name', 'desired val', 'decision', 'reason'), end='')
 if with_results:
 print('| {}'.format('check result'), end='')
 print()
-- 2.31.1
From 33c6dcbf2563965112924607ad68aed31e490bca Mon Sep 17 00:00:00 2001
From: Alexander Popov
Date: Sat, 22 Jan 2022 01:06:56 +0300
Subject: [PATCH 10/16] Print compactly
---
 kconfig_hardened_check/__init__.py | 36 +++++++++++++++---------------
 1 file changed, 18 insertions(+), 18 deletions(-)
diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py
index f9144f7..b6ff953 100644
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -109,9 +109,9 @@ class OptCheck:
 class KconfigCheck(OptCheck):
 def table_print(self, _mode, with_results):
- print('CONFIG_{:<38}|{:^13}|{:^10}|{:^20}'.format(self.name, self.expected, self.decision, self.reason), end='')
+ print('CONFIG_{:<33}|{:^11}|{:^10}|{:^18}'.format(self.name, self.expected, self.decision, self.reason), end='')
 if with_results:
- print('| {}'.format(self.result), end='')
+ print('| {}'.format(self.result), end='')
 class VerCheck:
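Review bot: The widths in `'CONFIG_{:<33}|{:^11}|{:^10}|{:^18}'` are magic numbers that only yield an aligned table if they agree with the `{:<82}`, `CONFIG_{:<75}` and `' {:78}'` fields in the VerCheck, PresenceCheck and ComplexOptCheck hunks that follow, with the `{:^40}|{:^11}|{:^10}|{:^18}` header in print_checklist, and with whatever sep_line_len is set to, yet nothing in the code records that coupling. A comment above the print, `# 7 + 33 + 1 + 11 + 1 + 10 + 1 + 18 = 82 columns; keep in sync with the other table_print() methods and the print_checklist() header`, would make the next width change safer, and defining the column widths once at module level and building the format strings from them would remove the duplication altogether. The class body continues outside the hunk.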
@@ -135,9 +135,9 @@ class VerCheck:
 def table_print(self, _mode, with_results):
 ver_req = 'kernel version >= ' + str(self.ver_expected[0]) + '.' + str(self.ver_expected[1])
- print('{:<91}'.format(ver_req), end='')
+ print('{:<82}'.format(ver_req), end='')
 if with_results:
- print('| {}'.format(self.result), end='')
+ print('| {}'.format(self.result), end='')
 class PresenceCheck:
@@ -154,9 +154,9 @@ class PresenceCheck:
 return True
 def table_print(self, _mode, with_results):
- print('CONFIG_{:<84}'.format(self.name + ' is present'), end='')
+ print('CONFIG_{:<75}'.format(self.name + ' is present'), end='')
 if with_results:
- print('| {}'.format(self.result), end='')
+ print('| {}'.format(self.result), end='')
 class ComplexOptCheck:
@@ -186,9 +186,9 @@ class ComplexOptCheck:
 def table_print(self, mode, with_results):
 if mode == 'verbose':
- print(' {:87}'.format('<<< ' + self.__class__.__name__ + ' >>>'), end='')
+ print(' {:78}'.format('<<< ' + self.__class__.__name__ + ' >>>'), end='')
 if with_results:
- print('| {}'.format(self.result), end='')
+ print('| {}'.format(self.result), end='')
 for o in self.opts:
 print()
 o.table_print(mode, with_results)
@@ -196,7 +196,7 @@ class ComplexOptCheck:
 o = self.opts[0]
 o.table_print(mode, False)
 if with_results:
- print('| {}'.format(self.result), end='')
+ print('| {}'.format(self.result), end='')
 class OR(ComplexOptCheck):
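Review bot: In the ComplexOptCheck.table_print hunk (@@ -186), `' {:78}'` produces a 79-column field, three short of the 82 columns that the KconfigCheck row, the VerCheck `{:<82}` field and the PresenceCheck `CONFIG_{:<75}` field produce, so in verbose mode the `| result` cell of a compound check lands three columns left of the others. The previous widths (88 against 91) had the same gap, so this may be deliberate, but if the columns are meant to line up `' {:81}'` would do it. A short comment on that line stating the intended total width would settle the question for the next reader.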
@@ -583,19 +583,19 @@ def construct_checklist(l, arch):
 l += [KconfigCheck('cut_attack_surface', 'my', 'VIDEO_VIVID', 'is not set')]
 l += [KconfigCheck('cut_attack_surface', 'my', 'INPUT_EVBUG', 'is not set')] # Can be used as a keylogger
- # 'userspace_hardening'
+ # 'harden_userspace'
 if arch in ('X86_64', 'ARM64', 'X86_32'):
- l += [KconfigCheck('userspace_hardening', 'defconfig', 'INTEGRITY', 'y')]
+ l += [KconfigCheck('harden_userspace', 'defconfig', 'INTEGRITY', 'y')]
 if arch == 'ARM':
- l += [KconfigCheck('userspace_hardening', 'my', 'INTEGRITY', 'y')]
+ l += [KconfigCheck('harden_userspace', 'my', 'INTEGRITY', 'y')]
 if arch == 'ARM64':
- l += [KconfigCheck('userspace_hardening', 'defconfig', 'ARM64_MTE', 'y')]
+ l += [KconfigCheck('harden_userspace', 'defconfig', 'ARM64_MTE', 'y')]
 if arch in ('ARM', 'X86_32'):
- l += [KconfigCheck('userspace_hardening', 'defconfig', 'VMSPLIT_3G', 'y')]
+ l += [KconfigCheck('harden_userspace', 'defconfig', 'VMSPLIT_3G', 'y')]
 if arch in ('X86_64', 'ARM64'):
- l += [KconfigCheck('userspace_hardening', 'clipos', 'ARCH_MMAP_RND_BITS', '32')]
+ l += [KconfigCheck('harden_userspace', 'clipos', 'ARCH_MMAP_RND_BITS', '32')]
 if arch in ('X86_32', 'ARM'):
- l += [KconfigCheck('userspace_hardening', 'my', 'ARCH_MMAP_RND_BITS', '16')]
+ l += [KconfigCheck('harden_userspace', 'my', 'ARCH_MMAP_RND_BITS', '16')]
 # l += [KconfigCheck('feature_test', 'my', 'LKDTM', 'm')] # only for debugging!
@@ -630,9 +630,9 @@ def print_checklist(mode, checklist, with_results):
 if with_results:
 sep_line_len += 30
 print('=' * sep_line_len)
- print('{:^45}|{:^13}|{:^10}|{:^20}'.format('kconfig option name', 'desired val', 'decision', 'reason'), end='')
+ print('{:^40}|{:^11}|{:^10}|{:^18}'.format('kconfig option name', 'desired val', 'decision', 'reason'), end='')
 if with_results:
- print('| {}'.format('check result'), end='')
+ print('| {}'.format('check result'), end='')
 print()
 print('=' * sep_line_len)
-- 2.31.1
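Review bot: The header row in the @@ -630 hunk now totals 82 columns (40+1+11+1+10+1+18), but the assignment of sep_line_len lies outside the hunk and the visible hunks account for the whole diffstat (18 insertions, 18 deletions), so the separator base width was not changed in this patch; the `=` lines printed by `print('=' * sep_line_len)` therefore keep the old width and overhang the narrower table, which the following README patch appears to confirm by leaving its separator lines as unchanged context. The assignment should be reduced by the same 9 columns the rows lost, and a comment next to it, `# must equal the row width produced by the table_print() methods`, would keep the two from drifting apart again. print_checklist's body starts outside the hunk.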
From 25f10dd06dc9141ca7fc8f6f23f645dc3a578189 Mon Sep 17 00:00:00 2001 From: Alexander Popov Date: Sat, 22 Jan 2022 01:16:31 +0300 Subject: [PATCH 11/16] Update the example output in the README --- README.md | 332 +++++++++++++++++++++++++++--------------------------- 1 file changed, 166 insertions(+), 166 deletions(-) diff --git a/README.md b/README.md index 688d3a6..bb6cb5b 100644 --- a/README.md +++ b/README.md 
@@ -83,177 +83,177 @@ CONFIG_DEVMEM | is not set | kspp | cut_atta ## Example output for `Ubuntu 20.04 LTS (Focal Fossa)` kernel config ``` -$ ./bin/kconfig-hardened-check -c kconfig_hardened_check/config_files/distros/ubuntu-focal.config +$ ./bin/kconfig-hardened-check -c kconfig_hardened_check/config_files/distros/ubuntu-focal.config [+] Config file to check: kconfig_hardened_check/config_files/distros/ubuntu-focal.config [+] Detected architecture: X86_64 [+] Detected kernel version: 5.4 ========================================================================================================================= - option name | desired val | decision | reason | check result + kconfig option name |desired val| decision | reason | check result ========================================================================================================================= -CONFIG_BUG | y |defconfig | self_protection | OK -CONFIG_SLUB_DEBUG | y |defconfig | self_protection | OK -CONFIG_GCC_PLUGINS | y |defconfig | self_protection | FAIL: not found -CONFIG_STACKPROTECTOR_STRONG | y |defconfig | self_protection | OK -CONFIG_STRICT_KERNEL_RWX | y |defconfig | self_protection | OK -CONFIG_STRICT_MODULE_RWX | y |defconfig | self_protection | OK -CONFIG_REFCOUNT_FULL | y |defconfig | self_protection | FAIL: "is not set" -CONFIG_IOMMU_SUPPORT | y |defconfig | self_protection | OK -CONFIG_RANDOMIZE_BASE | y |defconfig | self_protection | OK -CONFIG_THREAD_INFO_IN_TASK | y |defconfig | self_protection | OK -CONFIG_VMAP_STACK | y |defconfig | self_protection | OK -CONFIG_MICROCODE | y |defconfig | self_protection | OK -CONFIG_RETPOLINE | y |defconfig | self_protection | OK -CONFIG_X86_SMAP | y |defconfig | self_protection | OK -CONFIG_SYN_COOKIES | y |defconfig | self_protection | OK -CONFIG_X86_UMIP | y |defconfig | self_protection | OK: CONFIG_X86_INTEL_UMIP "y" -CONFIG_PAGE_TABLE_ISOLATION | y |defconfig | self_protection | OK -CONFIG_RANDOMIZE_MEMORY | y |defconfig | self_protection | 
OK -CONFIG_INTEL_IOMMU | y |defconfig | self_protection | OK -CONFIG_AMD_IOMMU | y |defconfig | self_protection | OK -CONFIG_SECURITY_DMESG_RESTRICT | y | kspp | self_protection | FAIL: "is not set" -CONFIG_BUG_ON_DATA_CORRUPTION | y | kspp | self_protection | FAIL: "is not set" -CONFIG_DEBUG_WX | y | kspp | self_protection | OK -CONFIG_SCHED_STACK_END_CHECK | y | kspp | self_protection | OK -CONFIG_SLAB_FREELIST_HARDENED | y | kspp | self_protection | OK -CONFIG_SLAB_FREELIST_RANDOM | y | kspp | self_protection | OK -CONFIG_SHUFFLE_PAGE_ALLOCATOR | y | kspp | self_protection | OK -CONFIG_FORTIFY_SOURCE | y | kspp | self_protection | OK -CONFIG_DEBUG_LIST | y | kspp | self_protection | FAIL: "is not set" -CONFIG_DEBUG_SG | y | kspp | self_protection | FAIL: "is not set" -CONFIG_DEBUG_CREDENTIALS | y | kspp | self_protection | FAIL: "is not set" -CONFIG_DEBUG_NOTIFIERS | y | kspp | self_protection | FAIL: "is not set" -CONFIG_INIT_ON_ALLOC_DEFAULT_ON | y | kspp | self_protection | OK -CONFIG_GCC_PLUGIN_LATENT_ENTROPY | y | kspp | self_protection | FAIL: not found -CONFIG_GCC_PLUGIN_RANDSTRUCT | y | kspp | self_protection | FAIL: not found -CONFIG_HARDENED_USERCOPY | y | kspp | self_protection | OK -CONFIG_HARDENED_USERCOPY_FALLBACK | is not set | kspp | self_protection | FAIL: "y" -CONFIG_HARDENED_USERCOPY_PAGESPAN | is not set | kspp | self_protection | OK -CONFIG_MODULE_SIG | y | kspp | self_protection | OK -CONFIG_MODULE_SIG_ALL | y | kspp | self_protection | OK -CONFIG_MODULE_SIG_SHA512 | y | kspp | self_protection | OK -CONFIG_MODULE_SIG_FORCE | y | kspp | self_protection | FAIL: "is not set" -CONFIG_INIT_STACK_ALL_ZERO | y | kspp | self_protection | FAIL: not found -CONFIG_INIT_ON_FREE_DEFAULT_ON | y | kspp | self_protection | OK: CONFIG_PAGE_POISONING_ZERO "y" -CONFIG_GCC_PLUGIN_STACKLEAK | y | kspp | self_protection | FAIL: not found -CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT | y | kspp | self_protection | FAIL: not found -CONFIG_DEFAULT_MMAP_MIN_ADDR | 65536 | 
kspp | self_protection | OK -CONFIG_UBSAN_BOUNDS | y |maintainer| self_protection | FAIL: not found -CONFIG_UBSAN_SANITIZE_ALL | y |maintainer| self_protection | FAIL: CONFIG_UBSAN_BOUNDS not "y" -CONFIG_UBSAN_TRAP | y |maintainer| self_protection | FAIL: CONFIG_UBSAN_BOUNDS not "y" -CONFIG_DEBUG_VIRTUAL | y | clipos | self_protection | FAIL: "is not set" -CONFIG_STATIC_USERMODEHELPER | y | clipos | self_protection | FAIL: "is not set" -CONFIG_EFI_DISABLE_PCI_DMA | y | clipos | self_protection | FAIL: not found -CONFIG_SLAB_MERGE_DEFAULT | is not set | clipos | self_protection | FAIL: "y" -CONFIG_RANDOM_TRUST_BOOTLOADER | is not set | clipos | self_protection | FAIL: "y" -CONFIG_RANDOM_TRUST_CPU | is not set | clipos | self_protection | FAIL: "y" -CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE | is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_RANDSTRUCT not "y" -CONFIG_STACKLEAK_METRICS | is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK not "y" -CONFIG_STACKLEAK_RUNTIME_DISABLE | is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK not "y" -CONFIG_INTEL_IOMMU_DEFAULT_ON | y | clipos | self_protection | FAIL: "is not set" -CONFIG_INTEL_IOMMU_SVM | y | clipos | self_protection | OK -CONFIG_RESET_ATTACK_MITIGATION | y | my | self_protection | OK -CONFIG_AMD_IOMMU_V2 | y | my | self_protection | FAIL: "m" -CONFIG_SECURITY | y |defconfig | security_policy | OK -CONFIG_SECURITY_YAMA | y | kspp | security_policy | OK -CONFIG_SECURITY_WRITABLE_HOOKS | is not set | my | security_policy | OK: not found -CONFIG_SECURITY_LOCKDOWN_LSM | y | clipos | security_policy | OK -CONFIG_SECURITY_LOCKDOWN_LSM_EARLY | y | clipos | security_policy | OK -CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY| y | clipos | security_policy | FAIL: "is not set" -CONFIG_SECURITY_SAFESETID | y | my | security_policy | OK -CONFIG_SECURITY_LOADPIN | y | my | security_policy | FAIL: "is not set" -CONFIG_SECURITY_LOADPIN_ENFORCE | y | my | 
security_policy | FAIL: CONFIG_SECURITY_LOADPIN not "y" -CONFIG_SECCOMP | y |defconfig | cut_attack_surface | OK -CONFIG_SECCOMP_FILTER | y |defconfig | cut_attack_surface | OK -CONFIG_STRICT_DEVMEM | y |defconfig | cut_attack_surface | OK -CONFIG_ACPI_CUSTOM_METHOD | is not set | kspp | cut_attack_surface | OK -CONFIG_COMPAT_BRK | is not set | kspp | cut_attack_surface | OK -CONFIG_DEVKMEM | is not set | kspp | cut_attack_surface | OK -CONFIG_COMPAT_VDSO | is not set | kspp | cut_attack_surface | OK -CONFIG_BINFMT_MISC | is not set | kspp | cut_attack_surface | FAIL: "m" -CONFIG_INET_DIAG | is not set | kspp | cut_attack_surface | FAIL: "m" -CONFIG_KEXEC | is not set | kspp | cut_attack_surface | FAIL: "y" -CONFIG_PROC_KCORE | is not set | kspp | cut_attack_surface | FAIL: "y" -CONFIG_LEGACY_PTYS | is not set | kspp | cut_attack_surface | FAIL: "y" -CONFIG_HIBERNATION | is not set | kspp | cut_attack_surface | FAIL: "y" -CONFIG_IA32_EMULATION | is not set | kspp | cut_attack_surface | FAIL: "y" -CONFIG_X86_X32 | is not set | kspp | cut_attack_surface | FAIL: "y" -CONFIG_MODIFY_LDT_SYSCALL | is not set | kspp | cut_attack_surface | FAIL: "y" -CONFIG_OABI_COMPAT | is not set | kspp | cut_attack_surface | OK: not found -CONFIG_MODULES | is not set | kspp | cut_attack_surface | FAIL: "y" -CONFIG_DEVMEM | is not set | kspp | cut_attack_surface | FAIL: "y" -CONFIG_IO_STRICT_DEVMEM | y | kspp | cut_attack_surface | FAIL: "is not set" -CONFIG_LEGACY_VSYSCALL_NONE | y | kspp | cut_attack_surface | FAIL: "is not set" -CONFIG_ZSMALLOC_STAT | is not set |grsecurity| cut_attack_surface | OK -CONFIG_PAGE_OWNER | is not set |grsecurity| cut_attack_surface | OK -CONFIG_DEBUG_KMEMLEAK | is not set |grsecurity| cut_attack_surface | OK -CONFIG_BINFMT_AOUT | is not set |grsecurity| cut_attack_surface | OK: not found -CONFIG_KPROBE_EVENTS | is not set |grsecurity| cut_attack_surface | FAIL: "y" -CONFIG_UPROBE_EVENTS | is not set |grsecurity| cut_attack_surface | FAIL: "y" 
-CONFIG_GENERIC_TRACER | is not set |grsecurity| cut_attack_surface | FAIL: "y" -CONFIG_FUNCTION_TRACER | is not set |grsecurity| cut_attack_surface | FAIL: "y" -CONFIG_STACK_TRACER | is not set |grsecurity| cut_attack_surface | FAIL: "y" -CONFIG_HIST_TRIGGERS | is not set |grsecurity| cut_attack_surface | FAIL: "y" -CONFIG_BLK_DEV_IO_TRACE | is not set |grsecurity| cut_attack_surface | FAIL: "y" -CONFIG_PROC_VMCORE | is not set |grsecurity| cut_attack_surface | FAIL: "y" -CONFIG_PROC_PAGE_MONITOR | is not set |grsecurity| cut_attack_surface | FAIL: "y" -CONFIG_USELIB | is not set |grsecurity| cut_attack_surface | FAIL: "y" -CONFIG_CHECKPOINT_RESTORE | is not set |grsecurity| cut_attack_surface | FAIL: "y" -CONFIG_USERFAULTFD | is not set |grsecurity| cut_attack_surface | FAIL: "y" -CONFIG_HWPOISON_INJECT | is not set |grsecurity| cut_attack_surface | FAIL: "m" -CONFIG_MEM_SOFT_DIRTY | is not set |grsecurity| cut_attack_surface | FAIL: "y" -CONFIG_DEVPORT | is not set |grsecurity| cut_attack_surface | FAIL: "y" -CONFIG_DEBUG_FS | is not set |grsecurity| cut_attack_surface | FAIL: "y" -CONFIG_NOTIFIER_ERROR_INJECTION | is not set |grsecurity| cut_attack_surface | FAIL: "m" -CONFIG_FAIL_FUTEX | is not set |grsecurity| cut_attack_surface | OK: not found -CONFIG_PUNIT_ATOM_DEBUG | is not set |grsecurity| cut_attack_surface | FAIL: "m" -CONFIG_ACPI_CONFIGFS | is not set |grsecurity| cut_attack_surface | FAIL: "m" -CONFIG_EDAC_DEBUG | is not set |grsecurity| cut_attack_surface | OK -CONFIG_DRM_I915_DEBUG | is not set |grsecurity| cut_attack_surface | OK -CONFIG_BCACHE_CLOSURES_DEBUG | is not set |grsecurity| cut_attack_surface | OK -CONFIG_DVB_C8SECTPFE | is not set |grsecurity| cut_attack_surface | OK: not found -CONFIG_MTD_SLRAM | is not set |grsecurity| cut_attack_surface | FAIL: "m" -CONFIG_MTD_PHRAM | is not set |grsecurity| cut_attack_surface | FAIL: "m" -CONFIG_IO_URING | is not set |grsecurity| cut_attack_surface | FAIL: "y" -CONFIG_KCMP | is not set |grsecurity| 
cut_attack_surface | OK: not found -CONFIG_RSEQ | is not set |grsecurity| cut_attack_surface | FAIL: "y" -CONFIG_LATENCYTOP | is not set |grsecurity| cut_attack_surface | OK -CONFIG_KCOV | is not set |grsecurity| cut_attack_surface | OK -CONFIG_PROVIDE_OHCI1394_DMA_INIT | is not set |grsecurity| cut_attack_surface | OK -CONFIG_SUNRPC_DEBUG | is not set |grsecurity| cut_attack_surface | FAIL: "y" -CONFIG_PTDUMP_DEBUGFS | is not set |grsecurity| cut_attack_surface | OK: not found -CONFIG_DRM_LEGACY | is not set |maintainer| cut_attack_surface | OK -CONFIG_FB | is not set |maintainer| cut_attack_surface | FAIL: "y" -CONFIG_VT | is not set |maintainer| cut_attack_surface | FAIL: "y" -CONFIG_BLK_DEV_FD | is not set |maintainer| cut_attack_surface | FAIL: "m" -CONFIG_AIO | is not set |grapheneos| cut_attack_surface | FAIL: "y" -CONFIG_STAGING | is not set | clipos | cut_attack_surface | FAIL: "y" -CONFIG_KSM | is not set | clipos | cut_attack_surface | FAIL: "y" -CONFIG_KALLSYMS | is not set | clipos | cut_attack_surface | FAIL: "y" -CONFIG_X86_VSYSCALL_EMULATION | is not set | clipos | cut_attack_surface | FAIL: "y" -CONFIG_MAGIC_SYSRQ | is not set | clipos | cut_attack_surface | FAIL: "y" -CONFIG_KEXEC_FILE | is not set | clipos | cut_attack_surface | FAIL: "y" -CONFIG_USER_NS | is not set | clipos | cut_attack_surface | FAIL: "y" -CONFIG_X86_MSR | is not set | clipos | cut_attack_surface | FAIL: "m" -CONFIG_X86_CPUID | is not set | clipos | cut_attack_surface | FAIL: "m" -CONFIG_X86_IOPL_IOPERM | is not set | clipos | cut_attack_surface | OK: not found -CONFIG_ACPI_TABLE_UPGRADE | is not set | clipos | cut_attack_surface | FAIL: "y" -CONFIG_EFI_CUSTOM_SSDT_OVERLAYS | is not set | clipos | cut_attack_surface | OK: not found -CONFIG_LDISC_AUTOLOAD | is not set | clipos | cut_attack_surface | FAIL: "y" -CONFIG_X86_INTEL_TSX_MODE_OFF | y | clipos | cut_attack_surface | OK -CONFIG_EFI_TEST | is not set | lockdown | cut_attack_surface | FAIL: "m" -CONFIG_BPF_SYSCALL | is 
not set | lockdown | cut_attack_surface | FAIL: "y" -CONFIG_MMIOTRACE_TEST | is not set | lockdown | cut_attack_surface | OK -CONFIG_KPROBES | is not set | lockdown | cut_attack_surface | FAIL: "y" -CONFIG_TRIM_UNUSED_KSYMS | y | my | cut_attack_surface | FAIL: not found -CONFIG_MMIOTRACE | is not set | my | cut_attack_surface | FAIL: "y" -CONFIG_LIVEPATCH | is not set | my | cut_attack_surface | FAIL: "y" -CONFIG_IP_DCCP | is not set | my | cut_attack_surface | FAIL: "m" -CONFIG_IP_SCTP | is not set | my | cut_attack_surface | FAIL: "m" -CONFIG_FTRACE | is not set | my | cut_attack_surface | FAIL: "y" -CONFIG_VIDEO_VIVID | is not set | my | cut_attack_surface | FAIL: "m" -CONFIG_INPUT_EVBUG | is not set | my | cut_attack_surface | FAIL: "m" -CONFIG_INTEGRITY | y |defconfig |userspace_hardening | OK -CONFIG_ARCH_MMAP_RND_BITS | 32 | clipos |userspace_hardening | FAIL: "28" +CONFIG_BUG | y |defconfig | self_protection | OK +CONFIG_SLUB_DEBUG | y |defconfig | self_protection | OK +CONFIG_GCC_PLUGINS | y |defconfig | self_protection | FAIL: not found +CONFIG_STACKPROTECTOR_STRONG | y |defconfig | self_protection | OK +CONFIG_STRICT_KERNEL_RWX | y |defconfig | self_protection | OK +CONFIG_STRICT_MODULE_RWX | y |defconfig | self_protection | OK +CONFIG_REFCOUNT_FULL | y |defconfig | self_protection | FAIL: "is not set" +CONFIG_IOMMU_SUPPORT | y |defconfig | self_protection | OK +CONFIG_RANDOMIZE_BASE | y |defconfig | self_protection | OK +CONFIG_THREAD_INFO_IN_TASK | y |defconfig | self_protection | OK +CONFIG_VMAP_STACK | y |defconfig | self_protection | OK +CONFIG_MICROCODE | y |defconfig | self_protection | OK +CONFIG_RETPOLINE | y |defconfig | self_protection | OK +CONFIG_X86_SMAP | y |defconfig | self_protection | OK +CONFIG_SYN_COOKIES | y |defconfig | self_protection | OK +CONFIG_X86_UMIP | y |defconfig | self_protection | OK: CONFIG_X86_INTEL_UMIP "y" +CONFIG_PAGE_TABLE_ISOLATION | y |defconfig | self_protection | OK +CONFIG_RANDOMIZE_MEMORY | y |defconfig | 
self_protection | OK +CONFIG_INTEL_IOMMU | y |defconfig | self_protection | OK +CONFIG_AMD_IOMMU | y |defconfig | self_protection | OK +CONFIG_SECURITY_DMESG_RESTRICT | y | kspp | self_protection | FAIL: "is not set" +CONFIG_BUG_ON_DATA_CORRUPTION | y | kspp | self_protection | FAIL: "is not set" +CONFIG_DEBUG_WX | y | kspp | self_protection | OK +CONFIG_SCHED_STACK_END_CHECK | y | kspp | self_protection | OK +CONFIG_SLAB_FREELIST_HARDENED | y | kspp | self_protection | OK +CONFIG_SLAB_FREELIST_RANDOM | y | kspp | self_protection | OK +CONFIG_SHUFFLE_PAGE_ALLOCATOR | y | kspp | self_protection | OK +CONFIG_FORTIFY_SOURCE | y | kspp | self_protection | OK +CONFIG_DEBUG_LIST | y | kspp | self_protection | FAIL: "is not set" +CONFIG_DEBUG_SG | y | kspp | self_protection | FAIL: "is not set" +CONFIG_DEBUG_CREDENTIALS | y | kspp | self_protection | FAIL: "is not set" +CONFIG_DEBUG_NOTIFIERS | y | kspp | self_protection | FAIL: "is not set" +CONFIG_INIT_ON_ALLOC_DEFAULT_ON | y | kspp | self_protection | OK +CONFIG_GCC_PLUGIN_LATENT_ENTROPY | y | kspp | self_protection | FAIL: not found +CONFIG_GCC_PLUGIN_RANDSTRUCT | y | kspp | self_protection | FAIL: not found +CONFIG_HARDENED_USERCOPY | y | kspp | self_protection | OK +CONFIG_HARDENED_USERCOPY_FALLBACK |is not set | kspp | self_protection | FAIL: "y" +CONFIG_HARDENED_USERCOPY_PAGESPAN |is not set | kspp | self_protection | OK +CONFIG_MODULE_SIG | y | kspp | self_protection | OK +CONFIG_MODULE_SIG_ALL | y | kspp | self_protection | OK +CONFIG_MODULE_SIG_SHA512 | y | kspp | self_protection | OK +CONFIG_MODULE_SIG_FORCE | y | kspp | self_protection | FAIL: "is not set" +CONFIG_INIT_STACK_ALL_ZERO | y | kspp | self_protection | FAIL: not found +CONFIG_INIT_ON_FREE_DEFAULT_ON | y | kspp | self_protection | OK: CONFIG_PAGE_POISONING_ZERO "y" +CONFIG_GCC_PLUGIN_STACKLEAK | y | kspp | self_protection | FAIL: not found +CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT | y | kspp | self_protection | FAIL: not found 
+CONFIG_DEFAULT_MMAP_MIN_ADDR | 65536 | kspp | self_protection | OK +CONFIG_UBSAN_BOUNDS | y |maintainer| self_protection | FAIL: not found +CONFIG_UBSAN_SANITIZE_ALL | y |maintainer| self_protection | FAIL: CONFIG_UBSAN_BOUNDS not "y" +CONFIG_UBSAN_TRAP | y |maintainer| self_protection | FAIL: CONFIG_UBSAN_BOUNDS not "y" +CONFIG_DEBUG_VIRTUAL | y | clipos | self_protection | FAIL: "is not set" +CONFIG_STATIC_USERMODEHELPER | y | clipos | self_protection | FAIL: "is not set" +CONFIG_EFI_DISABLE_PCI_DMA | y | clipos | self_protection | FAIL: not found +CONFIG_SLAB_MERGE_DEFAULT |is not set | clipos | self_protection | FAIL: "y" +CONFIG_RANDOM_TRUST_BOOTLOADER |is not set | clipos | self_protection | FAIL: "y" +CONFIG_RANDOM_TRUST_CPU |is not set | clipos | self_protection | FAIL: "y" +CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE|is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_RANDSTRUCT not "y" +CONFIG_STACKLEAK_METRICS |is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK not "y" +CONFIG_STACKLEAK_RUNTIME_DISABLE |is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK not "y" +CONFIG_INTEL_IOMMU_DEFAULT_ON | y | clipos | self_protection | FAIL: "is not set" +CONFIG_INTEL_IOMMU_SVM | y | clipos | self_protection | OK +CONFIG_RESET_ATTACK_MITIGATION | y | my | self_protection | OK +CONFIG_AMD_IOMMU_V2 | y | my | self_protection | FAIL: "m" +CONFIG_SECURITY | y |defconfig | security_policy | OK +CONFIG_SECURITY_YAMA | y | kspp | security_policy | OK +CONFIG_SECURITY_WRITABLE_HOOKS |is not set | my | security_policy | OK: not found +CONFIG_SECURITY_LOCKDOWN_LSM | y | clipos | security_policy | OK +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY | y | clipos | security_policy | OK +CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY| y | clipos | security_policy | FAIL: "is not set" +CONFIG_SECURITY_SAFESETID | y | my | security_policy | OK +CONFIG_SECURITY_LOADPIN | y | my | security_policy | FAIL: "is not set" 
+CONFIG_SECURITY_LOADPIN_ENFORCE | y | my | security_policy | FAIL: CONFIG_SECURITY_LOADPIN not "y" +CONFIG_SECCOMP | y |defconfig |cut_attack_surface| OK +CONFIG_SECCOMP_FILTER | y |defconfig |cut_attack_surface| OK +CONFIG_STRICT_DEVMEM | y |defconfig |cut_attack_surface| OK +CONFIG_ACPI_CUSTOM_METHOD |is not set | kspp |cut_attack_surface| OK +CONFIG_COMPAT_BRK |is not set | kspp |cut_attack_surface| OK +CONFIG_DEVKMEM |is not set | kspp |cut_attack_surface| OK +CONFIG_COMPAT_VDSO |is not set | kspp |cut_attack_surface| OK +CONFIG_BINFMT_MISC |is not set | kspp |cut_attack_surface| FAIL: "m" +CONFIG_INET_DIAG |is not set | kspp |cut_attack_surface| FAIL: "m" +CONFIG_KEXEC |is not set | kspp |cut_attack_surface| FAIL: "y" +CONFIG_PROC_KCORE |is not set | kspp |cut_attack_surface| FAIL: "y" +CONFIG_LEGACY_PTYS |is not set | kspp |cut_attack_surface| FAIL: "y" +CONFIG_HIBERNATION |is not set | kspp |cut_attack_surface| FAIL: "y" +CONFIG_IA32_EMULATION |is not set | kspp |cut_attack_surface| FAIL: "y" +CONFIG_X86_X32 |is not set | kspp |cut_attack_surface| FAIL: "y" +CONFIG_MODIFY_LDT_SYSCALL |is not set | kspp |cut_attack_surface| FAIL: "y" +CONFIG_OABI_COMPAT |is not set | kspp |cut_attack_surface| OK: not found +CONFIG_MODULES |is not set | kspp |cut_attack_surface| FAIL: "y" +CONFIG_DEVMEM |is not set | kspp |cut_attack_surface| FAIL: "y" +CONFIG_IO_STRICT_DEVMEM | y | kspp |cut_attack_surface| FAIL: "is not set" +CONFIG_LEGACY_VSYSCALL_NONE | y | kspp |cut_attack_surface| FAIL: "is not set" +CONFIG_ZSMALLOC_STAT |is not set |grsecurity|cut_attack_surface| OK +CONFIG_PAGE_OWNER |is not set |grsecurity|cut_attack_surface| OK +CONFIG_DEBUG_KMEMLEAK |is not set |grsecurity|cut_attack_surface| OK +CONFIG_BINFMT_AOUT |is not set |grsecurity|cut_attack_surface| OK: not found +CONFIG_KPROBE_EVENTS |is not set |grsecurity|cut_attack_surface| FAIL: "y" +CONFIG_UPROBE_EVENTS |is not set |grsecurity|cut_attack_surface| FAIL: "y" +CONFIG_GENERIC_TRACER |is not set 
|grsecurity|cut_attack_surface| FAIL: "y" +CONFIG_FUNCTION_TRACER |is not set |grsecurity|cut_attack_surface| FAIL: "y" +CONFIG_STACK_TRACER |is not set |grsecurity|cut_attack_surface| FAIL: "y" +CONFIG_HIST_TRIGGERS |is not set |grsecurity|cut_attack_surface| FAIL: "y" +CONFIG_BLK_DEV_IO_TRACE |is not set |grsecurity|cut_attack_surface| FAIL: "y" +CONFIG_PROC_VMCORE |is not set |grsecurity|cut_attack_surface| FAIL: "y" +CONFIG_PROC_PAGE_MONITOR |is not set |grsecurity|cut_attack_surface| FAIL: "y" +CONFIG_USELIB |is not set |grsecurity|cut_attack_surface| FAIL: "y" +CONFIG_CHECKPOINT_RESTORE |is not set |grsecurity|cut_attack_surface| FAIL: "y" +CONFIG_USERFAULTFD |is not set |grsecurity|cut_attack_surface| FAIL: "y" +CONFIG_HWPOISON_INJECT |is not set |grsecurity|cut_attack_surface| FAIL: "m" +CONFIG_MEM_SOFT_DIRTY |is not set |grsecurity|cut_attack_surface| FAIL: "y" +CONFIG_DEVPORT |is not set |grsecurity|cut_attack_surface| FAIL: "y" +CONFIG_DEBUG_FS |is not set |grsecurity|cut_attack_surface| FAIL: "y" +CONFIG_NOTIFIER_ERROR_INJECTION |is not set |grsecurity|cut_attack_surface| FAIL: "m" +CONFIG_FAIL_FUTEX |is not set |grsecurity|cut_attack_surface| OK: not found +CONFIG_PUNIT_ATOM_DEBUG |is not set |grsecurity|cut_attack_surface| FAIL: "m" +CONFIG_ACPI_CONFIGFS |is not set |grsecurity|cut_attack_surface| FAIL: "m" +CONFIG_EDAC_DEBUG |is not set |grsecurity|cut_attack_surface| OK +CONFIG_DRM_I915_DEBUG |is not set |grsecurity|cut_attack_surface| OK +CONFIG_BCACHE_CLOSURES_DEBUG |is not set |grsecurity|cut_attack_surface| OK +CONFIG_DVB_C8SECTPFE |is not set |grsecurity|cut_attack_surface| OK: not found +CONFIG_MTD_SLRAM |is not set |grsecurity|cut_attack_surface| FAIL: "m" +CONFIG_MTD_PHRAM |is not set |grsecurity|cut_attack_surface| FAIL: "m" +CONFIG_IO_URING |is not set |grsecurity|cut_attack_surface| FAIL: "y" +CONFIG_KCMP |is not set |grsecurity|cut_attack_surface| OK: not found +CONFIG_RSEQ |is not set |grsecurity|cut_attack_surface| FAIL: "y" 
+CONFIG_LATENCYTOP |is not set |grsecurity|cut_attack_surface| OK +CONFIG_KCOV |is not set |grsecurity|cut_attack_surface| OK +CONFIG_PROVIDE_OHCI1394_DMA_INIT |is not set |grsecurity|cut_attack_surface| OK +CONFIG_SUNRPC_DEBUG |is not set |grsecurity|cut_attack_surface| FAIL: "y" +CONFIG_PTDUMP_DEBUGFS |is not set |grsecurity|cut_attack_surface| OK: not found +CONFIG_DRM_LEGACY |is not set |maintainer|cut_attack_surface| OK +CONFIG_FB |is not set |maintainer|cut_attack_surface| FAIL: "y" +CONFIG_VT |is not set |maintainer|cut_attack_surface| FAIL: "y" +CONFIG_BLK_DEV_FD |is not set |maintainer|cut_attack_surface| FAIL: "m" +CONFIG_AIO |is not set |grapheneos|cut_attack_surface| FAIL: "y" +CONFIG_STAGING |is not set | clipos |cut_attack_surface| FAIL: "y" +CONFIG_KSM |is not set | clipos |cut_attack_surface| FAIL: "y" +CONFIG_KALLSYMS |is not set | clipos |cut_attack_surface| FAIL: "y" +CONFIG_X86_VSYSCALL_EMULATION |is not set | clipos |cut_attack_surface| FAIL: "y" +CONFIG_MAGIC_SYSRQ |is not set | clipos |cut_attack_surface| FAIL: "y" +CONFIG_KEXEC_FILE |is not set | clipos |cut_attack_surface| FAIL: "y" +CONFIG_USER_NS |is not set | clipos |cut_attack_surface| FAIL: "y" +CONFIG_X86_MSR |is not set | clipos |cut_attack_surface| FAIL: "m" +CONFIG_X86_CPUID |is not set | clipos |cut_attack_surface| FAIL: "m" +CONFIG_X86_IOPL_IOPERM |is not set | clipos |cut_attack_surface| OK: not found +CONFIG_ACPI_TABLE_UPGRADE |is not set | clipos |cut_attack_surface| FAIL: "y" +CONFIG_EFI_CUSTOM_SSDT_OVERLAYS |is not set | clipos |cut_attack_surface| OK: not found +CONFIG_LDISC_AUTOLOAD |is not set | clipos |cut_attack_surface| FAIL: "y" +CONFIG_X86_INTEL_TSX_MODE_OFF | y | clipos |cut_attack_surface| OK +CONFIG_EFI_TEST |is not set | lockdown |cut_attack_surface| FAIL: "m" +CONFIG_BPF_SYSCALL |is not set | lockdown |cut_attack_surface| FAIL: "y" +CONFIG_MMIOTRACE_TEST |is not set | lockdown |cut_attack_surface| OK +CONFIG_KPROBES |is not set | lockdown |cut_attack_surface| 
FAIL: "y" +CONFIG_TRIM_UNUSED_KSYMS | y | my |cut_attack_surface| FAIL: not found +CONFIG_MMIOTRACE |is not set | my |cut_attack_surface| FAIL: "y" +CONFIG_LIVEPATCH |is not set | my |cut_attack_surface| FAIL: "y" +CONFIG_IP_DCCP |is not set | my |cut_attack_surface| FAIL: "m" +CONFIG_IP_SCTP |is not set | my |cut_attack_surface| FAIL: "m" +CONFIG_FTRACE |is not set | my |cut_attack_surface| FAIL: "y" +CONFIG_VIDEO_VIVID |is not set | my |cut_attack_surface| FAIL: "m" +CONFIG_INPUT_EVBUG |is not set | my |cut_attack_surface| FAIL: "m" +CONFIG_INTEGRITY | y |defconfig | harden_userspace | OK +CONFIG_ARCH_MMAP_RND_BITS | 32 | clipos | harden_userspace | FAIL: "28" [+] Config check is finished: 'OK' - 68 / 'FAIL' - 96 ``` -- 2.31.1 From 6bd5fe157dd803e7854fb0c4fb565be9a0ecacc3 Mon Sep 17 00:00:00 2001 From: Alexander Popov Date: Sat, 22 Jan 2022 01:33:43 +0300 Subject: [PATCH 12/16] Add check type --- kconfig_hardened_check/__init__.py | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py index b6ff953..9a2d2c9 100644 --- a/kconfig_hardened_check/__init__.py +++ b/kconfig_hardened_check/__init__.py @@ -108,8 +108,12 @@ class OptCheck: class KconfigCheck(OptCheck): + @property + def type(self): + return "kconfig" + def table_print(self, _mode, with_results): - print('CONFIG_{:<33}|{:^11}|{:^10}|{:^18}'.format(self.name, self.expected, self.decision, self.reason), end='') + print('CONFIG_{:<33}|{:^7}|{:^11}|{:^10}|{:^18}'.format(self.name, self.type, self.expected, self.decision, self.reason), end='') if with_results: print('| {}'.format(self.result), end='') @@ -135,7 +139,7 @@ class VerCheck: def table_print(self, _mode, with_results): ver_req = 'kernel version >= ' + str(self.ver_expected[0]) + '.' + str(self.ver_expected[1]) - print('{:<82}'.format(ver_req), end='') + print('{:<90}'.format(ver_req), end='') if with_results: print('| {}'.format(self.result), end='') 
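Review bot: The new `type` property on KconfigCheck carries no docstring and returns a per-class constant, so a plain class attribute `type = 'kconfig'` would express the same thing without a method call per printed row; if it stays a property, I would document it as `"""Kind of check this row represents; printed in the table's 'type' column."""`. Be aware that binding the name `type` at class level shadows the builtin inside the class body only (method bodies still see the builtin), so any later class-body-level `type(...)` call would break. The widened format string stays consistent with the header added in print_checklist (7 characters of `CONFIG_` plus 33 equals the 40-wide header cell, 90 columns in total). table_print's body continues outside the hunk.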
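Review bot: VerCheck.table_print is only widened from 82 to 90 columns, so the new 'type' column is left blank for version checks instead of carrying a value such as `version`; if the column exists so readers can tell check kinds apart, it would be more consistent to give VerCheck a `type` as well and print it in the same position as KconfigCheck does. The arithmetic itself is right: 82 plus the seven-character column and its separator is 90. table_print's body continues outside the hunk.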
@@ -154,7 +158,7 @@ class PresenceCheck: return True def table_print(self, _mode, with_results): - print('CONFIG_{:<75}'.format(self.name + ' is present'), end='') + print('CONFIG_{:<83}'.format(self.name + ' is present'), end='') if with_results: print('| {}'.format(self.result), end='') @@ -186,7 +190,7 @@ class ComplexOptCheck: def table_print(self, mode, with_results): if mode == 'verbose': - print(' {:78}'.format('<<< ' + self.__class__.__name__ + ' >>>'), end='') + print(' {:86}'.format('<<< ' + self.__class__.__name__ + ' >>>'), end='') if with_results: print('| {}'.format(self.result), end='') for o in self.opts: @@ -630,7 +634,7 @@ def print_checklist(mode, checklist, with_results): if with_results: sep_line_len += 30 print('=' * sep_line_len) - print('{:^40}|{:^11}|{:^10}|{:^18}'.format('kconfig option name', 'desired val', 'decision', 'reason'), end='') + print('{:^40}|{:^7}|{:^11}|{:^10}|{:^18}'.format('option name', 'type', 'desired val', 'decision', 'reason'), end='') if with_results: print('| {}'.format('check result'), end='') print() -- 2.31.1 From 9049d3fa83f52491eebb393a7a50b5a6fe07cdda Mon Sep 17 00:00:00 2001 From: Alexander Popov Date: Sat, 22 Jan 2022 01:35:42 +0300 Subject: [PATCH 13/16] Update the example output in the README --- README.md | 330 +++++++++++++++++++++++++++--------------------------- 1 file changed, 165 insertions(+), 165 deletions(-) diff --git a/README.md b/README.md index bb6cb5b..9444180 100644 --- a/README.md +++ b/README.md 
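Review bot: The header row grows by eight characters in this hunk, but `sep_line_len`, whose base value is assigned before the hunk starts, is not touched here, so the `=` separator rows will be eight characters shorter than the header unless that base was also raised from 82 to 90. The README example in the following patch shows the `=` rows as unchanged context around a header that did grow, which hints the base was not updated; please verify. A more robust form derives the width from the header itself, e.g. `header = '{:^40}|{:^7}|{:^11}|{:^10}|{:^18}'.format('option name', 'type', 'desired val', 'decision', 'reason')` then `sep_line_len = len(header)` before the `with_results` adjustment, so future column changes cannot drift. print_checklist's body starts before this hunk.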
@@ -88,172 +88,172 @@ $ ./bin/kconfig-hardened-check -c kconfig_hardened_check/config_files/distros/ub [+] Detected architecture: X86_64 [+] Detected kernel version: 5.4 ========================================================================================================================= - kconfig option name |desired val| decision | reason | check result + option name | type |desired val| decision | reason | check result ========================================================================================================================= -CONFIG_BUG | y |defconfig | self_protection | OK -CONFIG_SLUB_DEBUG | y |defconfig | self_protection | OK -CONFIG_GCC_PLUGINS | y |defconfig | self_protection | FAIL: not found -CONFIG_STACKPROTECTOR_STRONG | y |defconfig | self_protection | OK -CONFIG_STRICT_KERNEL_RWX | y |defconfig | self_protection | OK -CONFIG_STRICT_MODULE_RWX | y |defconfig | self_protection | OK -CONFIG_REFCOUNT_FULL | y |defconfig | self_protection | FAIL: "is not set" -CONFIG_IOMMU_SUPPORT | y |defconfig | self_protection | OK -CONFIG_RANDOMIZE_BASE | y |defconfig | self_protection | OK -CONFIG_THREAD_INFO_IN_TASK | y |defconfig | self_protection | OK -CONFIG_VMAP_STACK | y |defconfig | self_protection | OK -CONFIG_MICROCODE | y |defconfig | self_protection | OK -CONFIG_RETPOLINE | y |defconfig | self_protection | OK -CONFIG_X86_SMAP | y |defconfig | self_protection | OK -CONFIG_SYN_COOKIES | y |defconfig | self_protection | OK -CONFIG_X86_UMIP | y |defconfig | self_protection | OK: CONFIG_X86_INTEL_UMIP "y" -CONFIG_PAGE_TABLE_ISOLATION | y |defconfig | self_protection | OK -CONFIG_RANDOMIZE_MEMORY | y |defconfig | self_protection | OK -CONFIG_INTEL_IOMMU | y |defconfig | self_protection | OK -CONFIG_AMD_IOMMU | y |defconfig | self_protection | OK -CONFIG_SECURITY_DMESG_RESTRICT | y | kspp | self_protection | FAIL: "is not set" -CONFIG_BUG_ON_DATA_CORRUPTION | y | kspp | self_protection | FAIL: "is not set" -CONFIG_DEBUG_WX | y | kspp | 
self_protection | OK -CONFIG_SCHED_STACK_END_CHECK | y | kspp | self_protection | OK -CONFIG_SLAB_FREELIST_HARDENED | y | kspp | self_protection | OK -CONFIG_SLAB_FREELIST_RANDOM | y | kspp | self_protection | OK -CONFIG_SHUFFLE_PAGE_ALLOCATOR | y | kspp | self_protection | OK -CONFIG_FORTIFY_SOURCE | y | kspp | self_protection | OK -CONFIG_DEBUG_LIST | y | kspp | self_protection | FAIL: "is not set" -CONFIG_DEBUG_SG | y | kspp | self_protection | FAIL: "is not set" -CONFIG_DEBUG_CREDENTIALS | y | kspp | self_protection | FAIL: "is not set" -CONFIG_DEBUG_NOTIFIERS | y | kspp | self_protection | FAIL: "is not set" -CONFIG_INIT_ON_ALLOC_DEFAULT_ON | y | kspp | self_protection | OK -CONFIG_GCC_PLUGIN_LATENT_ENTROPY | y | kspp | self_protection | FAIL: not found -CONFIG_GCC_PLUGIN_RANDSTRUCT | y | kspp | self_protection | FAIL: not found -CONFIG_HARDENED_USERCOPY | y | kspp | self_protection | OK -CONFIG_HARDENED_USERCOPY_FALLBACK |is not set | kspp | self_protection | FAIL: "y" -CONFIG_HARDENED_USERCOPY_PAGESPAN |is not set | kspp | self_protection | OK -CONFIG_MODULE_SIG | y | kspp | self_protection | OK -CONFIG_MODULE_SIG_ALL | y | kspp | self_protection | OK -CONFIG_MODULE_SIG_SHA512 | y | kspp | self_protection | OK -CONFIG_MODULE_SIG_FORCE | y | kspp | self_protection | FAIL: "is not set" -CONFIG_INIT_STACK_ALL_ZERO | y | kspp | self_protection | FAIL: not found -CONFIG_INIT_ON_FREE_DEFAULT_ON | y | kspp | self_protection | OK: CONFIG_PAGE_POISONING_ZERO "y" -CONFIG_GCC_PLUGIN_STACKLEAK | y | kspp | self_protection | FAIL: not found -CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT | y | kspp | self_protection | FAIL: not found -CONFIG_DEFAULT_MMAP_MIN_ADDR | 65536 | kspp | self_protection | OK -CONFIG_UBSAN_BOUNDS | y |maintainer| self_protection | FAIL: not found -CONFIG_UBSAN_SANITIZE_ALL | y |maintainer| self_protection | FAIL: CONFIG_UBSAN_BOUNDS not "y" -CONFIG_UBSAN_TRAP | y |maintainer| self_protection | FAIL: CONFIG_UBSAN_BOUNDS not "y" -CONFIG_DEBUG_VIRTUAL | y | 
clipos | self_protection | FAIL: "is not set" -CONFIG_STATIC_USERMODEHELPER | y | clipos | self_protection | FAIL: "is not set" -CONFIG_EFI_DISABLE_PCI_DMA | y | clipos | self_protection | FAIL: not found -CONFIG_SLAB_MERGE_DEFAULT |is not set | clipos | self_protection | FAIL: "y" -CONFIG_RANDOM_TRUST_BOOTLOADER |is not set | clipos | self_protection | FAIL: "y" -CONFIG_RANDOM_TRUST_CPU |is not set | clipos | self_protection | FAIL: "y" -CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE|is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_RANDSTRUCT not "y" -CONFIG_STACKLEAK_METRICS |is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK not "y" -CONFIG_STACKLEAK_RUNTIME_DISABLE |is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK not "y" -CONFIG_INTEL_IOMMU_DEFAULT_ON | y | clipos | self_protection | FAIL: "is not set" -CONFIG_INTEL_IOMMU_SVM | y | clipos | self_protection | OK -CONFIG_RESET_ATTACK_MITIGATION | y | my | self_protection | OK -CONFIG_AMD_IOMMU_V2 | y | my | self_protection | FAIL: "m" -CONFIG_SECURITY | y |defconfig | security_policy | OK -CONFIG_SECURITY_YAMA | y | kspp | security_policy | OK -CONFIG_SECURITY_WRITABLE_HOOKS |is not set | my | security_policy | OK: not found -CONFIG_SECURITY_LOCKDOWN_LSM | y | clipos | security_policy | OK -CONFIG_SECURITY_LOCKDOWN_LSM_EARLY | y | clipos | security_policy | OK -CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY| y | clipos | security_policy | FAIL: "is not set" -CONFIG_SECURITY_SAFESETID | y | my | security_policy | OK -CONFIG_SECURITY_LOADPIN | y | my | security_policy | FAIL: "is not set" -CONFIG_SECURITY_LOADPIN_ENFORCE | y | my | security_policy | FAIL: CONFIG_SECURITY_LOADPIN not "y" -CONFIG_SECCOMP | y |defconfig |cut_attack_surface| OK -CONFIG_SECCOMP_FILTER | y |defconfig |cut_attack_surface| OK -CONFIG_STRICT_DEVMEM | y |defconfig |cut_attack_surface| OK -CONFIG_ACPI_CUSTOM_METHOD |is not set | kspp |cut_attack_surface| OK -CONFIG_COMPAT_BRK |is not 
set | kspp |cut_attack_surface| OK -CONFIG_DEVKMEM |is not set | kspp |cut_attack_surface| OK -CONFIG_COMPAT_VDSO |is not set | kspp |cut_attack_surface| OK -CONFIG_BINFMT_MISC |is not set | kspp |cut_attack_surface| FAIL: "m" -CONFIG_INET_DIAG |is not set | kspp |cut_attack_surface| FAIL: "m" -CONFIG_KEXEC |is not set | kspp |cut_attack_surface| FAIL: "y" -CONFIG_PROC_KCORE |is not set | kspp |cut_attack_surface| FAIL: "y" -CONFIG_LEGACY_PTYS |is not set | kspp |cut_attack_surface| FAIL: "y" -CONFIG_HIBERNATION |is not set | kspp |cut_attack_surface| FAIL: "y" -CONFIG_IA32_EMULATION |is not set | kspp |cut_attack_surface| FAIL: "y" -CONFIG_X86_X32 |is not set | kspp |cut_attack_surface| FAIL: "y" -CONFIG_MODIFY_LDT_SYSCALL |is not set | kspp |cut_attack_surface| FAIL: "y" -CONFIG_OABI_COMPAT |is not set | kspp |cut_attack_surface| OK: not found -CONFIG_MODULES |is not set | kspp |cut_attack_surface| FAIL: "y" -CONFIG_DEVMEM |is not set | kspp |cut_attack_surface| FAIL: "y" -CONFIG_IO_STRICT_DEVMEM | y | kspp |cut_attack_surface| FAIL: "is not set" -CONFIG_LEGACY_VSYSCALL_NONE | y | kspp |cut_attack_surface| FAIL: "is not set" -CONFIG_ZSMALLOC_STAT |is not set |grsecurity|cut_attack_surface| OK -CONFIG_PAGE_OWNER |is not set |grsecurity|cut_attack_surface| OK -CONFIG_DEBUG_KMEMLEAK |is not set |grsecurity|cut_attack_surface| OK -CONFIG_BINFMT_AOUT |is not set |grsecurity|cut_attack_surface| OK: not found -CONFIG_KPROBE_EVENTS |is not set |grsecurity|cut_attack_surface| FAIL: "y" -CONFIG_UPROBE_EVENTS |is not set |grsecurity|cut_attack_surface| FAIL: "y" -CONFIG_GENERIC_TRACER |is not set |grsecurity|cut_attack_surface| FAIL: "y" -CONFIG_FUNCTION_TRACER |is not set |grsecurity|cut_attack_surface| FAIL: "y" -CONFIG_STACK_TRACER |is not set |grsecurity|cut_attack_surface| FAIL: "y" -CONFIG_HIST_TRIGGERS |is not set |grsecurity|cut_attack_surface| FAIL: "y" -CONFIG_BLK_DEV_IO_TRACE |is not set |grsecurity|cut_attack_surface| FAIL: "y" -CONFIG_PROC_VMCORE |is not set 
|grsecurity|cut_attack_surface| FAIL: "y" -CONFIG_PROC_PAGE_MONITOR |is not set |grsecurity|cut_attack_surface| FAIL: "y" -CONFIG_USELIB |is not set |grsecurity|cut_attack_surface| FAIL: "y" -CONFIG_CHECKPOINT_RESTORE |is not set |grsecurity|cut_attack_surface| FAIL: "y" -CONFIG_USERFAULTFD |is not set |grsecurity|cut_attack_surface| FAIL: "y" -CONFIG_HWPOISON_INJECT |is not set |grsecurity|cut_attack_surface| FAIL: "m" -CONFIG_MEM_SOFT_DIRTY |is not set |grsecurity|cut_attack_surface| FAIL: "y" -CONFIG_DEVPORT |is not set |grsecurity|cut_attack_surface| FAIL: "y" -CONFIG_DEBUG_FS |is not set |grsecurity|cut_attack_surface| FAIL: "y" -CONFIG_NOTIFIER_ERROR_INJECTION |is not set |grsecurity|cut_attack_surface| FAIL: "m" -CONFIG_FAIL_FUTEX |is not set |grsecurity|cut_attack_surface| OK: not found -CONFIG_PUNIT_ATOM_DEBUG |is not set |grsecurity|cut_attack_surface| FAIL: "m" -CONFIG_ACPI_CONFIGFS |is not set |grsecurity|cut_attack_surface| FAIL: "m" -CONFIG_EDAC_DEBUG |is not set |grsecurity|cut_attack_surface| OK -CONFIG_DRM_I915_DEBUG |is not set |grsecurity|cut_attack_surface| OK -CONFIG_BCACHE_CLOSURES_DEBUG |is not set |grsecurity|cut_attack_surface| OK -CONFIG_DVB_C8SECTPFE |is not set |grsecurity|cut_attack_surface| OK: not found -CONFIG_MTD_SLRAM |is not set |grsecurity|cut_attack_surface| FAIL: "m" -CONFIG_MTD_PHRAM |is not set |grsecurity|cut_attack_surface| FAIL: "m" -CONFIG_IO_URING |is not set |grsecurity|cut_attack_surface| FAIL: "y" -CONFIG_KCMP |is not set |grsecurity|cut_attack_surface| OK: not found -CONFIG_RSEQ |is not set |grsecurity|cut_attack_surface| FAIL: "y" -CONFIG_LATENCYTOP |is not set |grsecurity|cut_attack_surface| OK -CONFIG_KCOV |is not set |grsecurity|cut_attack_surface| OK -CONFIG_PROVIDE_OHCI1394_DMA_INIT |is not set |grsecurity|cut_attack_surface| OK -CONFIG_SUNRPC_DEBUG |is not set |grsecurity|cut_attack_surface| FAIL: "y" -CONFIG_PTDUMP_DEBUGFS |is not set |grsecurity|cut_attack_surface| OK: not found -CONFIG_DRM_LEGACY |is not 
set |maintainer|cut_attack_surface| OK -CONFIG_FB |is not set |maintainer|cut_attack_surface| FAIL: "y" -CONFIG_VT |is not set |maintainer|cut_attack_surface| FAIL: "y" -CONFIG_BLK_DEV_FD |is not set |maintainer|cut_attack_surface| FAIL: "m" -CONFIG_AIO |is not set |grapheneos|cut_attack_surface| FAIL: "y" -CONFIG_STAGING |is not set | clipos |cut_attack_surface| FAIL: "y" -CONFIG_KSM |is not set | clipos |cut_attack_surface| FAIL: "y" -CONFIG_KALLSYMS |is not set | clipos |cut_attack_surface| FAIL: "y" -CONFIG_X86_VSYSCALL_EMULATION |is not set | clipos |cut_attack_surface| FAIL: "y" -CONFIG_MAGIC_SYSRQ |is not set | clipos |cut_attack_surface| FAIL: "y" -CONFIG_KEXEC_FILE |is not set | clipos |cut_attack_surface| FAIL: "y" -CONFIG_USER_NS |is not set | clipos |cut_attack_surface| FAIL: "y" -CONFIG_X86_MSR |is not set | clipos |cut_attack_surface| FAIL: "m" -CONFIG_X86_CPUID |is not set | clipos |cut_attack_surface| FAIL: "m" -CONFIG_X86_IOPL_IOPERM |is not set | clipos |cut_attack_surface| OK: not found -CONFIG_ACPI_TABLE_UPGRADE |is not set | clipos |cut_attack_surface| FAIL: "y" -CONFIG_EFI_CUSTOM_SSDT_OVERLAYS |is not set | clipos |cut_attack_surface| OK: not found -CONFIG_LDISC_AUTOLOAD |is not set | clipos |cut_attack_surface| FAIL: "y" -CONFIG_X86_INTEL_TSX_MODE_OFF | y | clipos |cut_attack_surface| OK -CONFIG_EFI_TEST |is not set | lockdown |cut_attack_surface| FAIL: "m" -CONFIG_BPF_SYSCALL |is not set | lockdown |cut_attack_surface| FAIL: "y" -CONFIG_MMIOTRACE_TEST |is not set | lockdown |cut_attack_surface| OK -CONFIG_KPROBES |is not set | lockdown |cut_attack_surface| FAIL: "y" -CONFIG_TRIM_UNUSED_KSYMS | y | my |cut_attack_surface| FAIL: not found -CONFIG_MMIOTRACE |is not set | my |cut_attack_surface| FAIL: "y" -CONFIG_LIVEPATCH |is not set | my |cut_attack_surface| FAIL: "y" -CONFIG_IP_DCCP |is not set | my |cut_attack_surface| FAIL: "m" -CONFIG_IP_SCTP |is not set | my |cut_attack_surface| FAIL: "m" -CONFIG_FTRACE |is not set | my 
|cut_attack_surface| FAIL: "y" -CONFIG_VIDEO_VIVID |is not set | my |cut_attack_surface| FAIL: "m" -CONFIG_INPUT_EVBUG |is not set | my |cut_attack_surface| FAIL: "m" -CONFIG_INTEGRITY | y |defconfig | harden_userspace | OK -CONFIG_ARCH_MMAP_RND_BITS | 32 | clipos | harden_userspace | FAIL: "28" +CONFIG_BUG |kconfig| y |defconfig | self_protection | OK +CONFIG_SLUB_DEBUG |kconfig| y |defconfig | self_protection | OK +CONFIG_GCC_PLUGINS |kconfig| y |defconfig | self_protection | FAIL: not found +CONFIG_STACKPROTECTOR_STRONG |kconfig| y |defconfig | self_protection | OK +CONFIG_STRICT_KERNEL_RWX |kconfig| y |defconfig | self_protection | OK +CONFIG_STRICT_MODULE_RWX |kconfig| y |defconfig | self_protection | OK +CONFIG_REFCOUNT_FULL |kconfig| y |defconfig | self_protection | FAIL: "is not set" +CONFIG_IOMMU_SUPPORT |kconfig| y |defconfig | self_protection | OK +CONFIG_RANDOMIZE_BASE |kconfig| y |defconfig | self_protection | OK +CONFIG_THREAD_INFO_IN_TASK |kconfig| y |defconfig | self_protection | OK +CONFIG_VMAP_STACK |kconfig| y |defconfig | self_protection | OK +CONFIG_MICROCODE |kconfig| y |defconfig | self_protection | OK +CONFIG_RETPOLINE |kconfig| y |defconfig | self_protection | OK +CONFIG_X86_SMAP |kconfig| y |defconfig | self_protection | OK +CONFIG_SYN_COOKIES |kconfig| y |defconfig | self_protection | OK +CONFIG_X86_UMIP |kconfig| y |defconfig | self_protection | OK: CONFIG_X86_INTEL_UMIP "y" +CONFIG_PAGE_TABLE_ISOLATION |kconfig| y |defconfig | self_protection | OK +CONFIG_RANDOMIZE_MEMORY |kconfig| y |defconfig | self_protection | OK +CONFIG_INTEL_IOMMU |kconfig| y |defconfig | self_protection | OK +CONFIG_AMD_IOMMU |kconfig| y |defconfig | self_protection | OK +CONFIG_SECURITY_DMESG_RESTRICT |kconfig| y | kspp | self_protection | FAIL: "is not set" +CONFIG_BUG_ON_DATA_CORRUPTION |kconfig| y | kspp | self_protection | FAIL: "is not set" +CONFIG_DEBUG_WX |kconfig| y | kspp | self_protection | OK +CONFIG_SCHED_STACK_END_CHECK |kconfig| y | kspp | 
self_protection | OK +CONFIG_SLAB_FREELIST_HARDENED |kconfig| y | kspp | self_protection | OK +CONFIG_SLAB_FREELIST_RANDOM |kconfig| y | kspp | self_protection | OK +CONFIG_SHUFFLE_PAGE_ALLOCATOR |kconfig| y | kspp | self_protection | OK +CONFIG_FORTIFY_SOURCE |kconfig| y | kspp | self_protection | OK +CONFIG_DEBUG_LIST |kconfig| y | kspp | self_protection | FAIL: "is not set" +CONFIG_DEBUG_SG |kconfig| y | kspp | self_protection | FAIL: "is not set" +CONFIG_DEBUG_CREDENTIALS |kconfig| y | kspp | self_protection | FAIL: "is not set" +CONFIG_DEBUG_NOTIFIERS |kconfig| y | kspp | self_protection | FAIL: "is not set" +CONFIG_INIT_ON_ALLOC_DEFAULT_ON |kconfig| y | kspp | self_protection | OK +CONFIG_GCC_PLUGIN_LATENT_ENTROPY |kconfig| y | kspp | self_protection | FAIL: not found +CONFIG_GCC_PLUGIN_RANDSTRUCT |kconfig| y | kspp | self_protection | FAIL: not found +CONFIG_HARDENED_USERCOPY |kconfig| y | kspp | self_protection | OK +CONFIG_HARDENED_USERCOPY_FALLBACK |kconfig|is not set | kspp | self_protection | FAIL: "y" +CONFIG_HARDENED_USERCOPY_PAGESPAN |kconfig|is not set | kspp | self_protection | OK +CONFIG_MODULE_SIG |kconfig| y | kspp | self_protection | OK +CONFIG_MODULE_SIG_ALL |kconfig| y | kspp | self_protection | OK +CONFIG_MODULE_SIG_SHA512 |kconfig| y | kspp | self_protection | OK +CONFIG_MODULE_SIG_FORCE |kconfig| y | kspp | self_protection | FAIL: "is not set" +CONFIG_INIT_STACK_ALL_ZERO |kconfig| y | kspp | self_protection | FAIL: not found +CONFIG_INIT_ON_FREE_DEFAULT_ON |kconfig| y | kspp | self_protection | OK: CONFIG_PAGE_POISONING_ZERO "y" +CONFIG_GCC_PLUGIN_STACKLEAK |kconfig| y | kspp | self_protection | FAIL: not found +CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT |kconfig| y | kspp | self_protection | FAIL: not found +CONFIG_DEFAULT_MMAP_MIN_ADDR |kconfig| 65536 | kspp | self_protection | OK +CONFIG_UBSAN_BOUNDS |kconfig| y |maintainer| self_protection | FAIL: not found +CONFIG_UBSAN_SANITIZE_ALL |kconfig| y |maintainer| self_protection | FAIL: 
CONFIG_UBSAN_BOUNDS not "y" +CONFIG_UBSAN_TRAP |kconfig| y |maintainer| self_protection | FAIL: CONFIG_UBSAN_BOUNDS not "y" +CONFIG_DEBUG_VIRTUAL |kconfig| y | clipos | self_protection | FAIL: "is not set" +CONFIG_STATIC_USERMODEHELPER |kconfig| y | clipos | self_protection | FAIL: "is not set" +CONFIG_EFI_DISABLE_PCI_DMA |kconfig| y | clipos | self_protection | FAIL: not found +CONFIG_SLAB_MERGE_DEFAULT |kconfig|is not set | clipos | self_protection | FAIL: "y" +CONFIG_RANDOM_TRUST_BOOTLOADER |kconfig|is not set | clipos | self_protection | FAIL: "y" +CONFIG_RANDOM_TRUST_CPU |kconfig|is not set | clipos | self_protection | FAIL: "y" +CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE|kconfig|is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_RANDSTRUCT not "y" +CONFIG_STACKLEAK_METRICS |kconfig|is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK not "y" +CONFIG_STACKLEAK_RUNTIME_DISABLE |kconfig|is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK not "y" +CONFIG_INTEL_IOMMU_DEFAULT_ON |kconfig| y | clipos | self_protection | FAIL: "is not set" +CONFIG_INTEL_IOMMU_SVM |kconfig| y | clipos | self_protection | OK +CONFIG_RESET_ATTACK_MITIGATION |kconfig| y | my | self_protection | OK +CONFIG_AMD_IOMMU_V2 |kconfig| y | my | self_protection | FAIL: "m" +CONFIG_SECURITY |kconfig| y |defconfig | security_policy | OK +CONFIG_SECURITY_YAMA |kconfig| y | kspp | security_policy | OK +CONFIG_SECURITY_WRITABLE_HOOKS |kconfig|is not set | my | security_policy | OK: not found +CONFIG_SECURITY_LOCKDOWN_LSM |kconfig| y | clipos | security_policy | OK +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY |kconfig| y | clipos | security_policy | OK +CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY|kconfig| y | clipos | security_policy | FAIL: "is not set" +CONFIG_SECURITY_SAFESETID |kconfig| y | my | security_policy | OK +CONFIG_SECURITY_LOADPIN |kconfig| y | my | security_policy | FAIL: "is not set" +CONFIG_SECURITY_LOADPIN_ENFORCE |kconfig| y | my | 
security_policy | FAIL: CONFIG_SECURITY_LOADPIN not "y" +CONFIG_SECCOMP |kconfig| y |defconfig |cut_attack_surface| OK +CONFIG_SECCOMP_FILTER |kconfig| y |defconfig |cut_attack_surface| OK +CONFIG_STRICT_DEVMEM |kconfig| y |defconfig |cut_attack_surface| OK +CONFIG_ACPI_CUSTOM_METHOD |kconfig|is not set | kspp |cut_attack_surface| OK +CONFIG_COMPAT_BRK |kconfig|is not set | kspp |cut_attack_surface| OK +CONFIG_DEVKMEM |kconfig|is not set | kspp |cut_attack_surface| OK +CONFIG_COMPAT_VDSO |kconfig|is not set | kspp |cut_attack_surface| OK +CONFIG_BINFMT_MISC |kconfig|is not set | kspp |cut_attack_surface| FAIL: "m" +CONFIG_INET_DIAG |kconfig|is not set | kspp |cut_attack_surface| FAIL: "m" +CONFIG_KEXEC |kconfig|is not set | kspp |cut_attack_surface| FAIL: "y" +CONFIG_PROC_KCORE |kconfig|is not set | kspp |cut_attack_surface| FAIL: "y" +CONFIG_LEGACY_PTYS |kconfig|is not set | kspp |cut_attack_surface| FAIL: "y" +CONFIG_HIBERNATION |kconfig|is not set | kspp |cut_attack_surface| FAIL: "y" +CONFIG_IA32_EMULATION |kconfig|is not set | kspp |cut_attack_surface| FAIL: "y" +CONFIG_X86_X32 |kconfig|is not set | kspp |cut_attack_surface| FAIL: "y" +CONFIG_MODIFY_LDT_SYSCALL |kconfig|is not set | kspp |cut_attack_surface| FAIL: "y" +CONFIG_OABI_COMPAT |kconfig|is not set | kspp |cut_attack_surface| OK: not found +CONFIG_MODULES |kconfig|is not set | kspp |cut_attack_surface| FAIL: "y" +CONFIG_DEVMEM |kconfig|is not set | kspp |cut_attack_surface| FAIL: "y" +CONFIG_IO_STRICT_DEVMEM |kconfig| y | kspp |cut_attack_surface| FAIL: "is not set" +CONFIG_LEGACY_VSYSCALL_NONE |kconfig| y | kspp |cut_attack_surface| FAIL: "is not set" +CONFIG_ZSMALLOC_STAT |kconfig|is not set |grsecurity|cut_attack_surface| OK +CONFIG_PAGE_OWNER |kconfig|is not set |grsecurity|cut_attack_surface| OK +CONFIG_DEBUG_KMEMLEAK |kconfig|is not set |grsecurity|cut_attack_surface| OK +CONFIG_BINFMT_AOUT |kconfig|is not set |grsecurity|cut_attack_surface| OK: not found +CONFIG_KPROBE_EVENTS |kconfig|is not 
set |grsecurity|cut_attack_surface| FAIL: "y" +CONFIG_UPROBE_EVENTS |kconfig|is not set |grsecurity|cut_attack_surface| FAIL: "y" +CONFIG_GENERIC_TRACER |kconfig|is not set |grsecurity|cut_attack_surface| FAIL: "y" +CONFIG_FUNCTION_TRACER |kconfig|is not set |grsecurity|cut_attack_surface| FAIL: "y" +CONFIG_STACK_TRACER |kconfig|is not set |grsecurity|cut_attack_surface| FAIL: "y" +CONFIG_HIST_TRIGGERS |kconfig|is not set |grsecurity|cut_attack_surface| FAIL: "y" +CONFIG_BLK_DEV_IO_TRACE |kconfig|is not set |grsecurity|cut_attack_surface| FAIL: "y" +CONFIG_PROC_VMCORE |kconfig|is not set |grsecurity|cut_attack_surface| FAIL: "y" +CONFIG_PROC_PAGE_MONITOR |kconfig|is not set |grsecurity|cut_attack_surface| FAIL: "y" +CONFIG_USELIB |kconfig|is not set |grsecurity|cut_attack_surface| FAIL: "y" +CONFIG_CHECKPOINT_RESTORE |kconfig|is not set |grsecurity|cut_attack_surface| FAIL: "y" +CONFIG_USERFAULTFD |kconfig|is not set |grsecurity|cut_attack_surface| FAIL: "y" +CONFIG_HWPOISON_INJECT |kconfig|is not set |grsecurity|cut_attack_surface| FAIL: "m" +CONFIG_MEM_SOFT_DIRTY |kconfig|is not set |grsecurity|cut_attack_surface| FAIL: "y" +CONFIG_DEVPORT |kconfig|is not set |grsecurity|cut_attack_surface| FAIL: "y" +CONFIG_DEBUG_FS |kconfig|is not set |grsecurity|cut_attack_surface| FAIL: "y" +CONFIG_NOTIFIER_ERROR_INJECTION |kconfig|is not set |grsecurity|cut_attack_surface| FAIL: "m" +CONFIG_FAIL_FUTEX |kconfig|is not set |grsecurity|cut_attack_surface| OK: not found +CONFIG_PUNIT_ATOM_DEBUG |kconfig|is not set |grsecurity|cut_attack_surface| FAIL: "m" +CONFIG_ACPI_CONFIGFS |kconfig|is not set |grsecurity|cut_attack_surface| FAIL: "m" +CONFIG_EDAC_DEBUG |kconfig|is not set |grsecurity|cut_attack_surface| OK +CONFIG_DRM_I915_DEBUG |kconfig|is not set |grsecurity|cut_attack_surface| OK +CONFIG_BCACHE_CLOSURES_DEBUG |kconfig|is not set |grsecurity|cut_attack_surface| OK +CONFIG_DVB_C8SECTPFE |kconfig|is not set |grsecurity|cut_attack_surface| OK: not found +CONFIG_MTD_SLRAM 
|kconfig|is not set |grsecurity|cut_attack_surface| FAIL: "m" +CONFIG_MTD_PHRAM |kconfig|is not set |grsecurity|cut_attack_surface| FAIL: "m" +CONFIG_IO_URING |kconfig|is not set |grsecurity|cut_attack_surface| FAIL: "y" +CONFIG_KCMP |kconfig|is not set |grsecurity|cut_attack_surface| OK: not found +CONFIG_RSEQ |kconfig|is not set |grsecurity|cut_attack_surface| FAIL: "y" +CONFIG_LATENCYTOP |kconfig|is not set |grsecurity|cut_attack_surface| OK +CONFIG_KCOV |kconfig|is not set |grsecurity|cut_attack_surface| OK +CONFIG_PROVIDE_OHCI1394_DMA_INIT |kconfig|is not set |grsecurity|cut_attack_surface| OK +CONFIG_SUNRPC_DEBUG |kconfig|is not set |grsecurity|cut_attack_surface| FAIL: "y" +CONFIG_PTDUMP_DEBUGFS |kconfig|is not set |grsecurity|cut_attack_surface| OK: not found +CONFIG_DRM_LEGACY |kconfig|is not set |maintainer|cut_attack_surface| OK +CONFIG_FB |kconfig|is not set |maintainer|cut_attack_surface| FAIL: "y" +CONFIG_VT |kconfig|is not set |maintainer|cut_attack_surface| FAIL: "y" +CONFIG_BLK_DEV_FD |kconfig|is not set |maintainer|cut_attack_surface| FAIL: "m" +CONFIG_AIO |kconfig|is not set |grapheneos|cut_attack_surface| FAIL: "y" +CONFIG_STAGING |kconfig|is not set | clipos |cut_attack_surface| FAIL: "y" +CONFIG_KSM |kconfig|is not set | clipos |cut_attack_surface| FAIL: "y" +CONFIG_KALLSYMS |kconfig|is not set | clipos |cut_attack_surface| FAIL: "y" +CONFIG_X86_VSYSCALL_EMULATION |kconfig|is not set | clipos |cut_attack_surface| FAIL: "y" +CONFIG_MAGIC_SYSRQ |kconfig|is not set | clipos |cut_attack_surface| FAIL: "y" +CONFIG_KEXEC_FILE |kconfig|is not set | clipos |cut_attack_surface| FAIL: "y" +CONFIG_USER_NS |kconfig|is not set | clipos |cut_attack_surface| FAIL: "y" +CONFIG_X86_MSR |kconfig|is not set | clipos |cut_attack_surface| FAIL: "m" +CONFIG_X86_CPUID |kconfig|is not set | clipos |cut_attack_surface| FAIL: "m" +CONFIG_X86_IOPL_IOPERM |kconfig|is not set | clipos |cut_attack_surface| OK: not found +CONFIG_ACPI_TABLE_UPGRADE |kconfig|is not set | 
clipos |cut_attack_surface| FAIL: "y" +CONFIG_EFI_CUSTOM_SSDT_OVERLAYS |kconfig|is not set | clipos |cut_attack_surface| OK: not found +CONFIG_LDISC_AUTOLOAD |kconfig|is not set | clipos |cut_attack_surface| FAIL: "y" +CONFIG_X86_INTEL_TSX_MODE_OFF |kconfig| y | clipos |cut_attack_surface| OK +CONFIG_EFI_TEST |kconfig|is not set | lockdown |cut_attack_surface| FAIL: "m" +CONFIG_BPF_SYSCALL |kconfig|is not set | lockdown |cut_attack_surface| FAIL: "y" +CONFIG_MMIOTRACE_TEST |kconfig|is not set | lockdown |cut_attack_surface| OK +CONFIG_KPROBES |kconfig|is not set | lockdown |cut_attack_surface| FAIL: "y" +CONFIG_TRIM_UNUSED_KSYMS |kconfig| y | my |cut_attack_surface| FAIL: not found +CONFIG_MMIOTRACE |kconfig|is not set | my |cut_attack_surface| FAIL: "y" +CONFIG_LIVEPATCH |kconfig|is not set | my |cut_attack_surface| FAIL: "y" +CONFIG_IP_DCCP |kconfig|is not set | my |cut_attack_surface| FAIL: "m" +CONFIG_IP_SCTP |kconfig|is not set | my |cut_attack_surface| FAIL: "m" +CONFIG_FTRACE |kconfig|is not set | my |cut_attack_surface| FAIL: "y" +CONFIG_VIDEO_VIVID |kconfig|is not set | my |cut_attack_surface| FAIL: "m" +CONFIG_INPUT_EVBUG |kconfig|is not set | my |cut_attack_surface| FAIL: "m" +CONFIG_INTEGRITY |kconfig| y |defconfig | harden_userspace | OK +CONFIG_ARCH_MMAP_RND_BITS |kconfig| 32 | clipos | harden_userspace | FAIL: "28" [+] Config check is finished: 'OK' - 68 / 'FAIL' - 96 ``` -- 2.31.1 From ad724694fa583d586edce7f0339b8c1635611870 Mon Sep 17 00:00:00 2001 From: Alexander Popov Date: Sat, 22 Jan 2022 02:19:05 +0300 Subject: [PATCH 14/16] Do more output tuning --- kconfig_hardened_check/__init__.py | 90 +++++++++++++++--------------- 1 file changed, 45 insertions(+), 45 deletions(-) diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py index 9a2d2c9..ae51ca0 100644 --- a/kconfig_hardened_check/__init__.py +++ b/kconfig_hardened_check/__init__.py 
@@ -113,7 +113,7 @@ class KconfigCheck(OptCheck):
         return "kconfig"
 
     def table_print(self, _mode, with_results):
-        print('CONFIG_{:<33}|{:^7}|{:^11}|{:^10}|{:^18}'.format(self.name, self.type, self.expected, self.decision, self.reason), end='')
+        print('CONFIG_{:<33}|{:^7}|{:^12}|{:^10}|{:^18}'.format(self.name, self.type, self.expected, self.decision, self.reason), end='')
         if with_results:
             print('| {}'.format(self.result), end='')
 
@@ -139,7 +139,7 @@ class VerCheck:
 
     def table_print(self, _mode, with_results):
         ver_req = 'kernel version >= ' + str(self.ver_expected[0]) + '.' + str(self.ver_expected[1])
-        print('{:<90}'.format(ver_req), end='')
+        print('{:<91}'.format(ver_req), end='')
         if with_results:
             print('| {}'.format(self.result), end='')
 
@@ -158,7 +158,7 @@ class PresenceCheck:
         return True
 
     def table_print(self, _mode, with_results):
-        print('CONFIG_{:<83}'.format(self.name + ' is present'), end='')
+        print('CONFIG_{:<84}'.format(self.name + ' is present'), end='')
         if with_results:
             print('| {}'.format(self.result), end='')
 
@@ -190,7 +190,7 @@ class ComplexOptCheck:
 
     def table_print(self, mode, with_results):
         if mode == 'verbose':
-            print('    {:86}'.format('<<< ' + self.__class__.__name__ + ' >>>'), end='')
+            print('    {:87}'.format('<<< ' + self.__class__.__name__ + ' >>>'), end='')
         if with_results:
             print('| {}'.format(self.result), end='')
         for o in self.opts:
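Review bot: The width bumped here (`{:^12}` for the desired value) and the totals 91, 84 and 87 in the @@ -139, @@ -158 and @@ -190 hunks, plus the header width in @@ -634, are five independent literals that only agree by hand: the single-cell rows of VerCheck, PresenceCheck and ComplexOptCheck each hard-code the sum of the KconfigCheck columns (7 for `CONFIG_` + 33 + 7 + 12 + 10 + 18 + 4 separators = 91), so every future column tweak has to touch all five table_print methods again, and a miss shows up only as a misaligned table. Deriving the row width once, e.g. a module-level `TABLE_WIDTH = len('CONFIG_') + 33 + 7 + 12 + 10 + 18 + 4` used as `'{:<{w}}'.format(ver_req, w=TABLE_WIDTH)`, removes the coupling. At minimum each of those literals deserves a comment such as `# 91 == full KconfigCheck row width; keep in sync with KconfigCheck.table_print`. Each table_print body continues past its hunk, so the rest of the print logic is not visible here.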
@@ -501,46 +501,46 @@ def construct_checklist(l, arch):
     if arch == 'X86_64':
         l += [KconfigCheck('cut_attack_surface', 'kspp', 'LEGACY_VSYSCALL_NONE', 'y')] # 'vsyscall=none'
 
-    # 'cut_attack_surface', 'grsecurity'
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'ZSMALLOC_STAT', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'PAGE_OWNER', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'DEBUG_KMEMLEAK', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'BINFMT_AOUT', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'KPROBE_EVENTS', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'UPROBE_EVENTS', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'GENERIC_TRACER', 'is not set')] # refers to LOCKDOWN
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'FUNCTION_TRACER', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'STACK_TRACER', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'HIST_TRIGGERS', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'BLK_DEV_IO_TRACE', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'PROC_VMCORE', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'PROC_PAGE_MONITOR', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'USELIB', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'CHECKPOINT_RESTORE', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'USERFAULTFD', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'HWPOISON_INJECT', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'MEM_SOFT_DIRTY', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'DEVPORT', 'is not set')] # refers to LOCKDOWN
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'DEBUG_FS', 'is not set')] # refers to LOCKDOWN
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'NOTIFIER_ERROR_INJECTION', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'FAIL_FUTEX', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'PUNIT_ATOM_DEBUG', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'ACPI_CONFIGFS', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'EDAC_DEBUG', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'DRM_I915_DEBUG', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'BCACHE_CLOSURES_DEBUG', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'DVB_C8SECTPFE', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'MTD_SLRAM', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'MTD_PHRAM', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'IO_URING', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'KCMP', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'RSEQ', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'LATENCYTOP', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'KCOV', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'PROVIDE_OHCI1394_DMA_INIT', 'is not set')]
-    l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'SUNRPC_DEBUG', 'is not set')]
-    l += [AND(KconfigCheck('cut_attack_surface', 'grsecurity', 'PTDUMP_DEBUGFS', 'is not set'),
-              KconfigCheck('cut_attack_surface', 'grsecurity', 'X86_PTDUMP', 'is not set'))]
+    # 'cut_attack_surface', 'grsec'
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'ZSMALLOC_STAT', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'PAGE_OWNER', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'DEBUG_KMEMLEAK', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'BINFMT_AOUT', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'KPROBE_EVENTS', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'UPROBE_EVENTS', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'GENERIC_TRACER', 'is not set')] # refers to LOCKDOWN
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'FUNCTION_TRACER', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'STACK_TRACER', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'HIST_TRIGGERS', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'BLK_DEV_IO_TRACE', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'PROC_VMCORE', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'PROC_PAGE_MONITOR', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'USELIB', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'CHECKPOINT_RESTORE', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'USERFAULTFD', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'HWPOISON_INJECT', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'MEM_SOFT_DIRTY', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'DEVPORT', 'is not set')] # refers to LOCKDOWN
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'DEBUG_FS', 'is not set')] # refers to LOCKDOWN
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'NOTIFIER_ERROR_INJECTION', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'FAIL_FUTEX', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'PUNIT_ATOM_DEBUG', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'ACPI_CONFIGFS', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'EDAC_DEBUG', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'DRM_I915_DEBUG', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'BCACHE_CLOSURES_DEBUG', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'DVB_C8SECTPFE', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'MTD_SLRAM', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'MTD_PHRAM', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'IO_URING', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'KCMP', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'RSEQ', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'LATENCYTOP', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'KCOV', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'PROVIDE_OHCI1394_DMA_INIT', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'grsec', 'SUNRPC_DEBUG', 'is not set')]
+    l += [AND(KconfigCheck('cut_attack_surface', 'grsec', 'PTDUMP_DEBUGFS', 'is not set'),
+              KconfigCheck('cut_attack_surface', 'grsec', 'X86_PTDUMP', 'is not set'))]
 
     # 'cut_attack_surface', 'maintainer'
     l += [KconfigCheck('cut_attack_surface', 'maintainer', 'DRM_LEGACY', 'is not set')] # recommended by Daniel Vetter in /issues/38
@@ -634,7 +634,7 @@ def print_checklist(mode, checklist, with_results):
     if with_results:
         sep_line_len += 30
     print('=' * sep_line_len)
-    print('{:^40}|{:^7}|{:^11}|{:^10}|{:^18}'.format('option name', 'type', 'desired val', 'decision', 'reason'), end='')
+    print('{:^40}|{:^7}|{:^12}|{:^10}|{:^18}'.format('option name', 'type', 'desired val', 'decision', 'reason'), end='')
     if with_results:
         print('| {}'.format('check result'), end='')
     print()
-- 2.31.1
From b12077a9ad1d0463a09c0a4e7321a7e016dc92bf Mon Sep 17 00:00:00 2001
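Review bot: Renaming the decision label from 'grsecurity' to 'grsec' throughout this hunk is the one change in the commit that alters the emitted data rather than its formatting, and neither the commit message ("output tuning") nor a comment records why; the motive appears to be that 'grsecurity' is exactly 10 characters and so filled the `{:^10}` decision column with no padding. Anything that matches on that label — the README example table, which in the following patch still shows `|grsecurity|` in its old rows, scripts that grep the table, or any non-table output mode (table_print takes a `_mode` argument, so other modes seem to exist) — silently diverges unless it is updated in the same change. A one-line comment at the first renamed entry would preserve the reasoning, e.g. `# 'grsec' rather than 'grsecurity': the decision must fit the 10-char table column`. construct_checklist begins and ends outside the hunk.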
From: Alexander Popov Date: Sat, 22 Jan 2022 02:22:37 +0300 Subject: [PATCH 15/16] Update the example output in the README (yes, now I like it!) --- README.md | 330 +++++++++++++++++++++++++++--------------------------- 1 file changed, 165 insertions(+), 165 deletions(-) diff --git a/README.md b/README.md index 9444180..ceaf76b 100644 --- a/README.md +++ b/README.md 
@@ -88,172 +88,172 @@ $ ./bin/kconfig-hardened-check -c kconfig_hardened_check/config_files/distros/ub [+] Detected architecture: X86_64 [+] Detected kernel version: 5.4 ========================================================================================================================= - option name | type |desired val| decision | reason | check result + option name | type |desired val | decision | reason | check result ========================================================================================================================= -CONFIG_BUG |kconfig| y |defconfig | self_protection | OK -CONFIG_SLUB_DEBUG |kconfig| y |defconfig | self_protection | OK -CONFIG_GCC_PLUGINS |kconfig| y |defconfig | self_protection | FAIL: not found -CONFIG_STACKPROTECTOR_STRONG |kconfig| y |defconfig | self_protection | OK -CONFIG_STRICT_KERNEL_RWX |kconfig| y |defconfig | self_protection | OK -CONFIG_STRICT_MODULE_RWX |kconfig| y |defconfig | self_protection | OK -CONFIG_REFCOUNT_FULL |kconfig| y |defconfig | self_protection | FAIL: "is not set" -CONFIG_IOMMU_SUPPORT |kconfig| y |defconfig | self_protection | OK -CONFIG_RANDOMIZE_BASE |kconfig| y |defconfig | self_protection | OK -CONFIG_THREAD_INFO_IN_TASK |kconfig| y |defconfig | self_protection | OK -CONFIG_VMAP_STACK |kconfig| y |defconfig | self_protection | OK -CONFIG_MICROCODE |kconfig| y |defconfig | self_protection | OK -CONFIG_RETPOLINE |kconfig| y |defconfig | self_protection | OK -CONFIG_X86_SMAP |kconfig| y |defconfig | self_protection | OK -CONFIG_SYN_COOKIES |kconfig| y |defconfig | self_protection | OK -CONFIG_X86_UMIP |kconfig| y |defconfig | self_protection | OK: CONFIG_X86_INTEL_UMIP "y" -CONFIG_PAGE_TABLE_ISOLATION |kconfig| y |defconfig | self_protection | OK -CONFIG_RANDOMIZE_MEMORY |kconfig| y |defconfig | self_protection | OK -CONFIG_INTEL_IOMMU |kconfig| y |defconfig | self_protection | OK -CONFIG_AMD_IOMMU |kconfig| y |defconfig | self_protection | OK -CONFIG_SECURITY_DMESG_RESTRICT |kconfig| y 
| kspp | self_protection | FAIL: "is not set" -CONFIG_BUG_ON_DATA_CORRUPTION |kconfig| y | kspp | self_protection | FAIL: "is not set" -CONFIG_DEBUG_WX |kconfig| y | kspp | self_protection | OK -CONFIG_SCHED_STACK_END_CHECK |kconfig| y | kspp | self_protection | OK -CONFIG_SLAB_FREELIST_HARDENED |kconfig| y | kspp | self_protection | OK -CONFIG_SLAB_FREELIST_RANDOM |kconfig| y | kspp | self_protection | OK -CONFIG_SHUFFLE_PAGE_ALLOCATOR |kconfig| y | kspp | self_protection | OK -CONFIG_FORTIFY_SOURCE |kconfig| y | kspp | self_protection | OK -CONFIG_DEBUG_LIST |kconfig| y | kspp | self_protection | FAIL: "is not set" -CONFIG_DEBUG_SG |kconfig| y | kspp | self_protection | FAIL: "is not set" -CONFIG_DEBUG_CREDENTIALS |kconfig| y | kspp | self_protection | FAIL: "is not set" -CONFIG_DEBUG_NOTIFIERS |kconfig| y | kspp | self_protection | FAIL: "is not set" -CONFIG_INIT_ON_ALLOC_DEFAULT_ON |kconfig| y | kspp | self_protection | OK -CONFIG_GCC_PLUGIN_LATENT_ENTROPY |kconfig| y | kspp | self_protection | FAIL: not found -CONFIG_GCC_PLUGIN_RANDSTRUCT |kconfig| y | kspp | self_protection | FAIL: not found -CONFIG_HARDENED_USERCOPY |kconfig| y | kspp | self_protection | OK -CONFIG_HARDENED_USERCOPY_FALLBACK |kconfig|is not set | kspp | self_protection | FAIL: "y" -CONFIG_HARDENED_USERCOPY_PAGESPAN |kconfig|is not set | kspp | self_protection | OK -CONFIG_MODULE_SIG |kconfig| y | kspp | self_protection | OK -CONFIG_MODULE_SIG_ALL |kconfig| y | kspp | self_protection | OK -CONFIG_MODULE_SIG_SHA512 |kconfig| y | kspp | self_protection | OK -CONFIG_MODULE_SIG_FORCE |kconfig| y | kspp | self_protection | FAIL: "is not set" -CONFIG_INIT_STACK_ALL_ZERO |kconfig| y | kspp | self_protection | FAIL: not found -CONFIG_INIT_ON_FREE_DEFAULT_ON |kconfig| y | kspp | self_protection | OK: CONFIG_PAGE_POISONING_ZERO "y" -CONFIG_GCC_PLUGIN_STACKLEAK |kconfig| y | kspp | self_protection | FAIL: not found -CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT |kconfig| y | kspp | self_protection | FAIL: not 
found -CONFIG_DEFAULT_MMAP_MIN_ADDR |kconfig| 65536 | kspp | self_protection | OK -CONFIG_UBSAN_BOUNDS |kconfig| y |maintainer| self_protection | FAIL: not found -CONFIG_UBSAN_SANITIZE_ALL |kconfig| y |maintainer| self_protection | FAIL: CONFIG_UBSAN_BOUNDS not "y" -CONFIG_UBSAN_TRAP |kconfig| y |maintainer| self_protection | FAIL: CONFIG_UBSAN_BOUNDS not "y" -CONFIG_DEBUG_VIRTUAL |kconfig| y | clipos | self_protection | FAIL: "is not set" -CONFIG_STATIC_USERMODEHELPER |kconfig| y | clipos | self_protection | FAIL: "is not set" -CONFIG_EFI_DISABLE_PCI_DMA |kconfig| y | clipos | self_protection | FAIL: not found -CONFIG_SLAB_MERGE_DEFAULT |kconfig|is not set | clipos | self_protection | FAIL: "y" -CONFIG_RANDOM_TRUST_BOOTLOADER |kconfig|is not set | clipos | self_protection | FAIL: "y" -CONFIG_RANDOM_TRUST_CPU |kconfig|is not set | clipos | self_protection | FAIL: "y" -CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE|kconfig|is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_RANDSTRUCT not "y" -CONFIG_STACKLEAK_METRICS |kconfig|is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK not "y" -CONFIG_STACKLEAK_RUNTIME_DISABLE |kconfig|is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK not "y" -CONFIG_INTEL_IOMMU_DEFAULT_ON |kconfig| y | clipos | self_protection | FAIL: "is not set" -CONFIG_INTEL_IOMMU_SVM |kconfig| y | clipos | self_protection | OK -CONFIG_RESET_ATTACK_MITIGATION |kconfig| y | my | self_protection | OK -CONFIG_AMD_IOMMU_V2 |kconfig| y | my | self_protection | FAIL: "m" -CONFIG_SECURITY |kconfig| y |defconfig | security_policy | OK -CONFIG_SECURITY_YAMA |kconfig| y | kspp | security_policy | OK -CONFIG_SECURITY_WRITABLE_HOOKS |kconfig|is not set | my | security_policy | OK: not found -CONFIG_SECURITY_LOCKDOWN_LSM |kconfig| y | clipos | security_policy | OK -CONFIG_SECURITY_LOCKDOWN_LSM_EARLY |kconfig| y | clipos | security_policy | OK -CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY|kconfig| y | clipos | 
security_policy | FAIL: "is not set" -CONFIG_SECURITY_SAFESETID |kconfig| y | my | security_policy | OK -CONFIG_SECURITY_LOADPIN |kconfig| y | my | security_policy | FAIL: "is not set" -CONFIG_SECURITY_LOADPIN_ENFORCE |kconfig| y | my | security_policy | FAIL: CONFIG_SECURITY_LOADPIN not "y" -CONFIG_SECCOMP |kconfig| y |defconfig |cut_attack_surface| OK -CONFIG_SECCOMP_FILTER |kconfig| y |defconfig |cut_attack_surface| OK -CONFIG_STRICT_DEVMEM |kconfig| y |defconfig |cut_attack_surface| OK -CONFIG_ACPI_CUSTOM_METHOD |kconfig|is not set | kspp |cut_attack_surface| OK -CONFIG_COMPAT_BRK |kconfig|is not set | kspp |cut_attack_surface| OK -CONFIG_DEVKMEM |kconfig|is not set | kspp |cut_attack_surface| OK -CONFIG_COMPAT_VDSO |kconfig|is not set | kspp |cut_attack_surface| OK -CONFIG_BINFMT_MISC |kconfig|is not set | kspp |cut_attack_surface| FAIL: "m" -CONFIG_INET_DIAG |kconfig|is not set | kspp |cut_attack_surface| FAIL: "m" -CONFIG_KEXEC |kconfig|is not set | kspp |cut_attack_surface| FAIL: "y" -CONFIG_PROC_KCORE |kconfig|is not set | kspp |cut_attack_surface| FAIL: "y" -CONFIG_LEGACY_PTYS |kconfig|is not set | kspp |cut_attack_surface| FAIL: "y" -CONFIG_HIBERNATION |kconfig|is not set | kspp |cut_attack_surface| FAIL: "y" -CONFIG_IA32_EMULATION |kconfig|is not set | kspp |cut_attack_surface| FAIL: "y" -CONFIG_X86_X32 |kconfig|is not set | kspp |cut_attack_surface| FAIL: "y" -CONFIG_MODIFY_LDT_SYSCALL |kconfig|is not set | kspp |cut_attack_surface| FAIL: "y" -CONFIG_OABI_COMPAT |kconfig|is not set | kspp |cut_attack_surface| OK: not found -CONFIG_MODULES |kconfig|is not set | kspp |cut_attack_surface| FAIL: "y" -CONFIG_DEVMEM |kconfig|is not set | kspp |cut_attack_surface| FAIL: "y" -CONFIG_IO_STRICT_DEVMEM |kconfig| y | kspp |cut_attack_surface| FAIL: "is not set" -CONFIG_LEGACY_VSYSCALL_NONE |kconfig| y | kspp |cut_attack_surface| FAIL: "is not set" -CONFIG_ZSMALLOC_STAT |kconfig|is not set |grsecurity|cut_attack_surface| OK -CONFIG_PAGE_OWNER |kconfig|is not set 
|grsecurity|cut_attack_surface| OK -CONFIG_DEBUG_KMEMLEAK |kconfig|is not set |grsecurity|cut_attack_surface| OK -CONFIG_BINFMT_AOUT |kconfig|is not set |grsecurity|cut_attack_surface| OK: not found -CONFIG_KPROBE_EVENTS |kconfig|is not set |grsecurity|cut_attack_surface| FAIL: "y" -CONFIG_UPROBE_EVENTS |kconfig|is not set |grsecurity|cut_attack_surface| FAIL: "y" -CONFIG_GENERIC_TRACER |kconfig|is not set |grsecurity|cut_attack_surface| FAIL: "y" -CONFIG_FUNCTION_TRACER |kconfig|is not set |grsecurity|cut_attack_surface| FAIL: "y" -CONFIG_STACK_TRACER |kconfig|is not set |grsecurity|cut_attack_surface| FAIL: "y" -CONFIG_HIST_TRIGGERS |kconfig|is not set |grsecurity|cut_attack_surface| FAIL: "y" -CONFIG_BLK_DEV_IO_TRACE |kconfig|is not set |grsecurity|cut_attack_surface| FAIL: "y" -CONFIG_PROC_VMCORE |kconfig|is not set |grsecurity|cut_attack_surface| FAIL: "y" -CONFIG_PROC_PAGE_MONITOR |kconfig|is not set |grsecurity|cut_attack_surface| FAIL: "y" -CONFIG_USELIB |kconfig|is not set |grsecurity|cut_attack_surface| FAIL: "y" -CONFIG_CHECKPOINT_RESTORE |kconfig|is not set |grsecurity|cut_attack_surface| FAIL: "y" -CONFIG_USERFAULTFD |kconfig|is not set |grsecurity|cut_attack_surface| FAIL: "y" -CONFIG_HWPOISON_INJECT |kconfig|is not set |grsecurity|cut_attack_surface| FAIL: "m" -CONFIG_MEM_SOFT_DIRTY |kconfig|is not set |grsecurity|cut_attack_surface| FAIL: "y" -CONFIG_DEVPORT |kconfig|is not set |grsecurity|cut_attack_surface| FAIL: "y" -CONFIG_DEBUG_FS |kconfig|is not set |grsecurity|cut_attack_surface| FAIL: "y" -CONFIG_NOTIFIER_ERROR_INJECTION |kconfig|is not set |grsecurity|cut_attack_surface| FAIL: "m" -CONFIG_FAIL_FUTEX |kconfig|is not set |grsecurity|cut_attack_surface| OK: not found -CONFIG_PUNIT_ATOM_DEBUG |kconfig|is not set |grsecurity|cut_attack_surface| FAIL: "m" -CONFIG_ACPI_CONFIGFS |kconfig|is not set |grsecurity|cut_attack_surface| FAIL: "m" -CONFIG_EDAC_DEBUG |kconfig|is not set |grsecurity|cut_attack_surface| OK -CONFIG_DRM_I915_DEBUG |kconfig|is 
not set |grsecurity|cut_attack_surface| OK -CONFIG_BCACHE_CLOSURES_DEBUG |kconfig|is not set |grsecurity|cut_attack_surface| OK -CONFIG_DVB_C8SECTPFE |kconfig|is not set |grsecurity|cut_attack_surface| OK: not found -CONFIG_MTD_SLRAM |kconfig|is not set |grsecurity|cut_attack_surface| FAIL: "m" -CONFIG_MTD_PHRAM |kconfig|is not set |grsecurity|cut_attack_surface| FAIL: "m" -CONFIG_IO_URING |kconfig|is not set |grsecurity|cut_attack_surface| FAIL: "y" -CONFIG_KCMP |kconfig|is not set |grsecurity|cut_attack_surface| OK: not found -CONFIG_RSEQ |kconfig|is not set |grsecurity|cut_attack_surface| FAIL: "y" -CONFIG_LATENCYTOP |kconfig|is not set |grsecurity|cut_attack_surface| OK -CONFIG_KCOV |kconfig|is not set |grsecurity|cut_attack_surface| OK -CONFIG_PROVIDE_OHCI1394_DMA_INIT |kconfig|is not set |grsecurity|cut_attack_surface| OK -CONFIG_SUNRPC_DEBUG |kconfig|is not set |grsecurity|cut_attack_surface| FAIL: "y" -CONFIG_PTDUMP_DEBUGFS |kconfig|is not set |grsecurity|cut_attack_surface| OK: not found -CONFIG_DRM_LEGACY |kconfig|is not set |maintainer|cut_attack_surface| OK -CONFIG_FB |kconfig|is not set |maintainer|cut_attack_surface| FAIL: "y" -CONFIG_VT |kconfig|is not set |maintainer|cut_attack_surface| FAIL: "y" -CONFIG_BLK_DEV_FD |kconfig|is not set |maintainer|cut_attack_surface| FAIL: "m" -CONFIG_AIO |kconfig|is not set |grapheneos|cut_attack_surface| FAIL: "y" -CONFIG_STAGING |kconfig|is not set | clipos |cut_attack_surface| FAIL: "y" -CONFIG_KSM |kconfig|is not set | clipos |cut_attack_surface| FAIL: "y" -CONFIG_KALLSYMS |kconfig|is not set | clipos |cut_attack_surface| FAIL: "y" -CONFIG_X86_VSYSCALL_EMULATION |kconfig|is not set | clipos |cut_attack_surface| FAIL: "y" -CONFIG_MAGIC_SYSRQ |kconfig|is not set | clipos |cut_attack_surface| FAIL: "y" -CONFIG_KEXEC_FILE |kconfig|is not set | clipos |cut_attack_surface| FAIL: "y" -CONFIG_USER_NS |kconfig|is not set | clipos |cut_attack_surface| FAIL: "y" -CONFIG_X86_MSR |kconfig|is not set | clipos 
|cut_attack_surface| FAIL: "m" -CONFIG_X86_CPUID |kconfig|is not set | clipos |cut_attack_surface| FAIL: "m" -CONFIG_X86_IOPL_IOPERM |kconfig|is not set | clipos |cut_attack_surface| OK: not found -CONFIG_ACPI_TABLE_UPGRADE |kconfig|is not set | clipos |cut_attack_surface| FAIL: "y" -CONFIG_EFI_CUSTOM_SSDT_OVERLAYS |kconfig|is not set | clipos |cut_attack_surface| OK: not found -CONFIG_LDISC_AUTOLOAD |kconfig|is not set | clipos |cut_attack_surface| FAIL: "y" -CONFIG_X86_INTEL_TSX_MODE_OFF |kconfig| y | clipos |cut_attack_surface| OK -CONFIG_EFI_TEST |kconfig|is not set | lockdown |cut_attack_surface| FAIL: "m" -CONFIG_BPF_SYSCALL |kconfig|is not set | lockdown |cut_attack_surface| FAIL: "y" -CONFIG_MMIOTRACE_TEST |kconfig|is not set | lockdown |cut_attack_surface| OK -CONFIG_KPROBES |kconfig|is not set | lockdown |cut_attack_surface| FAIL: "y" -CONFIG_TRIM_UNUSED_KSYMS |kconfig| y | my |cut_attack_surface| FAIL: not found -CONFIG_MMIOTRACE |kconfig|is not set | my |cut_attack_surface| FAIL: "y" -CONFIG_LIVEPATCH |kconfig|is not set | my |cut_attack_surface| FAIL: "y" -CONFIG_IP_DCCP |kconfig|is not set | my |cut_attack_surface| FAIL: "m" -CONFIG_IP_SCTP |kconfig|is not set | my |cut_attack_surface| FAIL: "m" -CONFIG_FTRACE |kconfig|is not set | my |cut_attack_surface| FAIL: "y" -CONFIG_VIDEO_VIVID |kconfig|is not set | my |cut_attack_surface| FAIL: "m" -CONFIG_INPUT_EVBUG |kconfig|is not set | my |cut_attack_surface| FAIL: "m" -CONFIG_INTEGRITY |kconfig| y |defconfig | harden_userspace | OK -CONFIG_ARCH_MMAP_RND_BITS |kconfig| 32 | clipos | harden_userspace | FAIL: "28" +CONFIG_BUG |kconfig| y |defconfig | self_protection | OK +CONFIG_SLUB_DEBUG |kconfig| y |defconfig | self_protection | OK +CONFIG_GCC_PLUGINS |kconfig| y |defconfig | self_protection | FAIL: not found +CONFIG_STACKPROTECTOR_STRONG |kconfig| y |defconfig | self_protection | OK +CONFIG_STRICT_KERNEL_RWX |kconfig| y |defconfig | self_protection | OK +CONFIG_STRICT_MODULE_RWX |kconfig| y |defconfig | 
self_protection | OK +CONFIG_REFCOUNT_FULL |kconfig| y |defconfig | self_protection | FAIL: "is not set" +CONFIG_IOMMU_SUPPORT |kconfig| y |defconfig | self_protection | OK +CONFIG_RANDOMIZE_BASE |kconfig| y |defconfig | self_protection | OK +CONFIG_THREAD_INFO_IN_TASK |kconfig| y |defconfig | self_protection | OK +CONFIG_VMAP_STACK |kconfig| y |defconfig | self_protection | OK +CONFIG_MICROCODE |kconfig| y |defconfig | self_protection | OK +CONFIG_RETPOLINE |kconfig| y |defconfig | self_protection | OK +CONFIG_X86_SMAP |kconfig| y |defconfig | self_protection | OK +CONFIG_SYN_COOKIES |kconfig| y |defconfig | self_protection | OK +CONFIG_X86_UMIP |kconfig| y |defconfig | self_protection | OK: CONFIG_X86_INTEL_UMIP "y" +CONFIG_PAGE_TABLE_ISOLATION |kconfig| y |defconfig | self_protection | OK +CONFIG_RANDOMIZE_MEMORY |kconfig| y |defconfig | self_protection | OK +CONFIG_INTEL_IOMMU |kconfig| y |defconfig | self_protection | OK +CONFIG_AMD_IOMMU |kconfig| y |defconfig | self_protection | OK +CONFIG_SECURITY_DMESG_RESTRICT |kconfig| y | kspp | self_protection | FAIL: "is not set" +CONFIG_BUG_ON_DATA_CORRUPTION |kconfig| y | kspp | self_protection | FAIL: "is not set" +CONFIG_DEBUG_WX |kconfig| y | kspp | self_protection | OK +CONFIG_SCHED_STACK_END_CHECK |kconfig| y | kspp | self_protection | OK +CONFIG_SLAB_FREELIST_HARDENED |kconfig| y | kspp | self_protection | OK +CONFIG_SLAB_FREELIST_RANDOM |kconfig| y | kspp | self_protection | OK +CONFIG_SHUFFLE_PAGE_ALLOCATOR |kconfig| y | kspp | self_protection | OK +CONFIG_FORTIFY_SOURCE |kconfig| y | kspp | self_protection | OK +CONFIG_DEBUG_LIST |kconfig| y | kspp | self_protection | FAIL: "is not set" +CONFIG_DEBUG_SG |kconfig| y | kspp | self_protection | FAIL: "is not set" +CONFIG_DEBUG_CREDENTIALS |kconfig| y | kspp | self_protection | FAIL: "is not set" +CONFIG_DEBUG_NOTIFIERS |kconfig| y | kspp | self_protection | FAIL: "is not set" +CONFIG_INIT_ON_ALLOC_DEFAULT_ON |kconfig| y | kspp | self_protection | OK 
+CONFIG_GCC_PLUGIN_LATENT_ENTROPY |kconfig| y | kspp | self_protection | FAIL: not found +CONFIG_GCC_PLUGIN_RANDSTRUCT |kconfig| y | kspp | self_protection | FAIL: not found +CONFIG_HARDENED_USERCOPY |kconfig| y | kspp | self_protection | OK +CONFIG_HARDENED_USERCOPY_FALLBACK |kconfig| is not set | kspp | self_protection | FAIL: "y" +CONFIG_HARDENED_USERCOPY_PAGESPAN |kconfig| is not set | kspp | self_protection | OK +CONFIG_MODULE_SIG |kconfig| y | kspp | self_protection | OK +CONFIG_MODULE_SIG_ALL |kconfig| y | kspp | self_protection | OK +CONFIG_MODULE_SIG_SHA512 |kconfig| y | kspp | self_protection | OK +CONFIG_MODULE_SIG_FORCE |kconfig| y | kspp | self_protection | FAIL: "is not set" +CONFIG_INIT_STACK_ALL_ZERO |kconfig| y | kspp | self_protection | FAIL: not found +CONFIG_INIT_ON_FREE_DEFAULT_ON |kconfig| y | kspp | self_protection | OK: CONFIG_PAGE_POISONING_ZERO "y" +CONFIG_GCC_PLUGIN_STACKLEAK |kconfig| y | kspp | self_protection | FAIL: not found +CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT |kconfig| y | kspp | self_protection | FAIL: not found +CONFIG_DEFAULT_MMAP_MIN_ADDR |kconfig| 65536 | kspp | self_protection | OK +CONFIG_UBSAN_BOUNDS |kconfig| y |maintainer| self_protection | FAIL: not found +CONFIG_UBSAN_SANITIZE_ALL |kconfig| y |maintainer| self_protection | FAIL: CONFIG_UBSAN_BOUNDS not "y" +CONFIG_UBSAN_TRAP |kconfig| y |maintainer| self_protection | FAIL: CONFIG_UBSAN_BOUNDS not "y" +CONFIG_DEBUG_VIRTUAL |kconfig| y | clipos | self_protection | FAIL: "is not set" +CONFIG_STATIC_USERMODEHELPER |kconfig| y | clipos | self_protection | FAIL: "is not set" +CONFIG_EFI_DISABLE_PCI_DMA |kconfig| y | clipos | self_protection | FAIL: not found +CONFIG_SLAB_MERGE_DEFAULT |kconfig| is not set | clipos | self_protection | FAIL: "y" +CONFIG_RANDOM_TRUST_BOOTLOADER |kconfig| is not set | clipos | self_protection | FAIL: "y" +CONFIG_RANDOM_TRUST_CPU |kconfig| is not set | clipos | self_protection | FAIL: "y" +CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE|kconfig| is 
not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_RANDSTRUCT not "y" +CONFIG_STACKLEAK_METRICS |kconfig| is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK not "y" +CONFIG_STACKLEAK_RUNTIME_DISABLE |kconfig| is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK not "y" +CONFIG_INTEL_IOMMU_DEFAULT_ON |kconfig| y | clipos | self_protection | FAIL: "is not set" +CONFIG_INTEL_IOMMU_SVM |kconfig| y | clipos | self_protection | OK +CONFIG_RESET_ATTACK_MITIGATION |kconfig| y | my | self_protection | OK +CONFIG_AMD_IOMMU_V2 |kconfig| y | my | self_protection | FAIL: "m" +CONFIG_SECURITY |kconfig| y |defconfig | security_policy | OK +CONFIG_SECURITY_YAMA |kconfig| y | kspp | security_policy | OK +CONFIG_SECURITY_WRITABLE_HOOKS |kconfig| is not set | my | security_policy | OK: not found +CONFIG_SECURITY_LOCKDOWN_LSM |kconfig| y | clipos | security_policy | OK +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY |kconfig| y | clipos | security_policy | OK +CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY|kconfig| y | clipos | security_policy | FAIL: "is not set" +CONFIG_SECURITY_SAFESETID |kconfig| y | my | security_policy | OK +CONFIG_SECURITY_LOADPIN |kconfig| y | my | security_policy | FAIL: "is not set" +CONFIG_SECURITY_LOADPIN_ENFORCE |kconfig| y | my | security_policy | FAIL: CONFIG_SECURITY_LOADPIN not "y" +CONFIG_SECCOMP |kconfig| y |defconfig |cut_attack_surface| OK +CONFIG_SECCOMP_FILTER |kconfig| y |defconfig |cut_attack_surface| OK +CONFIG_STRICT_DEVMEM |kconfig| y |defconfig |cut_attack_surface| OK +CONFIG_ACPI_CUSTOM_METHOD |kconfig| is not set | kspp |cut_attack_surface| OK +CONFIG_COMPAT_BRK |kconfig| is not set | kspp |cut_attack_surface| OK +CONFIG_DEVKMEM |kconfig| is not set | kspp |cut_attack_surface| OK +CONFIG_COMPAT_VDSO |kconfig| is not set | kspp |cut_attack_surface| OK +CONFIG_BINFMT_MISC |kconfig| is not set | kspp |cut_attack_surface| FAIL: "m" +CONFIG_INET_DIAG |kconfig| is not set | kspp |cut_attack_surface| 
FAIL: "m" +CONFIG_KEXEC |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y" +CONFIG_PROC_KCORE |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y" +CONFIG_LEGACY_PTYS |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y" +CONFIG_HIBERNATION |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y" +CONFIG_IA32_EMULATION |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y" +CONFIG_X86_X32 |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y" +CONFIG_MODIFY_LDT_SYSCALL |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y" +CONFIG_OABI_COMPAT |kconfig| is not set | kspp |cut_attack_surface| OK: not found +CONFIG_MODULES |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y" +CONFIG_DEVMEM |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y" +CONFIG_IO_STRICT_DEVMEM |kconfig| y | kspp |cut_attack_surface| FAIL: "is not set" +CONFIG_LEGACY_VSYSCALL_NONE |kconfig| y | kspp |cut_attack_surface| FAIL: "is not set" +CONFIG_ZSMALLOC_STAT |kconfig| is not set | grsec |cut_attack_surface| OK +CONFIG_PAGE_OWNER |kconfig| is not set | grsec |cut_attack_surface| OK +CONFIG_DEBUG_KMEMLEAK |kconfig| is not set | grsec |cut_attack_surface| OK +CONFIG_BINFMT_AOUT |kconfig| is not set | grsec |cut_attack_surface| OK: not found +CONFIG_KPROBE_EVENTS |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y" +CONFIG_UPROBE_EVENTS |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y" +CONFIG_GENERIC_TRACER |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y" +CONFIG_FUNCTION_TRACER |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y" +CONFIG_STACK_TRACER |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y" +CONFIG_HIST_TRIGGERS |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y" +CONFIG_BLK_DEV_IO_TRACE |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y" +CONFIG_PROC_VMCORE |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y" +CONFIG_PROC_PAGE_MONITOR |kconfig| is not set | grsec 
|cut_attack_surface| FAIL: "y" +CONFIG_USELIB |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y" +CONFIG_CHECKPOINT_RESTORE |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y" +CONFIG_USERFAULTFD |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y" +CONFIG_HWPOISON_INJECT |kconfig| is not set | grsec |cut_attack_surface| FAIL: "m" +CONFIG_MEM_SOFT_DIRTY |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y" +CONFIG_DEVPORT |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y" +CONFIG_DEBUG_FS |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y" +CONFIG_NOTIFIER_ERROR_INJECTION |kconfig| is not set | grsec |cut_attack_surface| FAIL: "m" +CONFIG_FAIL_FUTEX |kconfig| is not set | grsec |cut_attack_surface| OK: not found +CONFIG_PUNIT_ATOM_DEBUG |kconfig| is not set | grsec |cut_attack_surface| FAIL: "m" +CONFIG_ACPI_CONFIGFS |kconfig| is not set | grsec |cut_attack_surface| FAIL: "m" +CONFIG_EDAC_DEBUG |kconfig| is not set | grsec |cut_attack_surface| OK +CONFIG_DRM_I915_DEBUG |kconfig| is not set | grsec |cut_attack_surface| OK +CONFIG_BCACHE_CLOSURES_DEBUG |kconfig| is not set | grsec |cut_attack_surface| OK +CONFIG_DVB_C8SECTPFE |kconfig| is not set | grsec |cut_attack_surface| OK: not found +CONFIG_MTD_SLRAM |kconfig| is not set | grsec |cut_attack_surface| FAIL: "m" +CONFIG_MTD_PHRAM |kconfig| is not set | grsec |cut_attack_surface| FAIL: "m" +CONFIG_IO_URING |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y" +CONFIG_KCMP |kconfig| is not set | grsec |cut_attack_surface| OK: not found +CONFIG_RSEQ |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y" +CONFIG_LATENCYTOP |kconfig| is not set | grsec |cut_attack_surface| OK +CONFIG_KCOV |kconfig| is not set | grsec |cut_attack_surface| OK +CONFIG_PROVIDE_OHCI1394_DMA_INIT |kconfig| is not set | grsec |cut_attack_surface| OK +CONFIG_SUNRPC_DEBUG |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y" +CONFIG_PTDUMP_DEBUGFS |kconfig| is not set | grsec 
|cut_attack_surface| OK: not found +CONFIG_DRM_LEGACY |kconfig| is not set |maintainer|cut_attack_surface| OK +CONFIG_FB |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "y" +CONFIG_VT |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "y" +CONFIG_BLK_DEV_FD |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "m" +CONFIG_AIO |kconfig| is not set |grapheneos|cut_attack_surface| FAIL: "y" +CONFIG_STAGING |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y" +CONFIG_KSM |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y" +CONFIG_KALLSYMS |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y" +CONFIG_X86_VSYSCALL_EMULATION |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y" +CONFIG_MAGIC_SYSRQ |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y" +CONFIG_KEXEC_FILE |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y" +CONFIG_USER_NS |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y" +CONFIG_X86_MSR |kconfig| is not set | clipos |cut_attack_surface| FAIL: "m" +CONFIG_X86_CPUID |kconfig| is not set | clipos |cut_attack_surface| FAIL: "m" +CONFIG_X86_IOPL_IOPERM |kconfig| is not set | clipos |cut_attack_surface| OK: not found +CONFIG_ACPI_TABLE_UPGRADE |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y" +CONFIG_EFI_CUSTOM_SSDT_OVERLAYS |kconfig| is not set | clipos |cut_attack_surface| OK: not found +CONFIG_LDISC_AUTOLOAD |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y" +CONFIG_X86_INTEL_TSX_MODE_OFF |kconfig| y | clipos |cut_attack_surface| OK +CONFIG_EFI_TEST |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "m" +CONFIG_BPF_SYSCALL |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "y" +CONFIG_MMIOTRACE_TEST |kconfig| is not set | lockdown |cut_attack_surface| OK +CONFIG_KPROBES |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "y" +CONFIG_TRIM_UNUSED_KSYMS |kconfig| y | my |cut_attack_surface| FAIL: not found +CONFIG_MMIOTRACE |kconfig| is not 
set | my |cut_attack_surface| FAIL: "y"
+CONFIG_LIVEPATCH |kconfig| is not set | my |cut_attack_surface| FAIL: "y"
+CONFIG_IP_DCCP |kconfig| is not set | my |cut_attack_surface| FAIL: "m"
+CONFIG_IP_SCTP |kconfig| is not set | my |cut_attack_surface| FAIL: "m"
+CONFIG_FTRACE |kconfig| is not set | my |cut_attack_surface| FAIL: "y"
+CONFIG_VIDEO_VIVID |kconfig| is not set | my |cut_attack_surface| FAIL: "m"
+CONFIG_INPUT_EVBUG |kconfig| is not set | my |cut_attack_surface| FAIL: "m"
+CONFIG_INTEGRITY |kconfig| y |defconfig | harden_userspace | OK
+CONFIG_ARCH_MMAP_RND_BITS |kconfig| 32 | clipos | harden_userspace | FAIL: "28"
 [+] Config check is finished: 'OK' - 68 / 'FAIL' - 96
 ```
-- 
2.31.1

From 544d7841bc52e90bab27500ddf70ec46e4c514b8 Mon Sep 17 00:00:00 2001
From: Alexander Popov
Date: Sun, 23 Jan 2022 00:33:04 +0300
Subject: [PATCH 16/16] ComplexOptCheck type has the type of the first opt in it

---
 kconfig_hardened_check/__init__.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py
index ae51ca0..f1de819 100644
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -176,6 +176,10 @@ class ComplexOptCheck:
 def name(self):
 return self.opts[0].name
+ @property
+ def type(self):
+ return self.opts[0].type
+
 @property
 def expected(self):
 return self.opts[0].expected
-- 
2.31.1
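Review bot: The new `type` property returns only `self.opts[0].type`, so a composite check whose sub-checks were built with different types would be reported under the first one's type with no signal that the others differ; if such a mix is not meant to exist, a comment such as `# every opt in a ComplexOptCheck is expected to share one type; only the first is reported` above the property, or a check at the point where `opts` is stored, would make that assumption explicit. The property also carries no docstring, while the README hunk earlier in this series shows the type column being printed per check, so the reader of the report has to trust this first-element convention. The existing `name` and `expected` properties in the same hunk follow the same convention, so the note applies to them as well. The `ComplexOptCheck` class header and its constructor lie outside the hunk, so whether the sub-checks' types are already validated there cannot be seen from here.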