Attribute some of my recommendations to CLIP OS - part II

They have a bigger authority :) Refers to the issue #19 by @HacKurx

Attribute some of my recommendations to CLIP OS - part II
They have a bigger authority :) Refers to the issue #19 by @HacKurx
4707be6d · Alexander Popov · 26391024 · 4707be6d · 4707be6d
Commit 4707be6d authored Jun 03, 2019 by Alexander Popov
Show whitespace changes
Inline Side-by-side

Showing with 14 additions and 14 deletions

README.md README.md +5 -5

kconfig-hardened-check.py kconfig-hardened-check.py +9 -9

No files found.
--- a/README.md
+++ b/README.md
@@ -95,6 +95,9 @@ CONFIG_DEBUG_VIRTUAL                    |      y      |  clipos  |  self_protect
 CONFIG_STATIC_USERMODEHELPER            |      y      |  clipos  |  self_protection   ||     FAIL: "is not set"     
 CONFIG_SLAB_MERGE_DEFAULT               | is not set  |  clipos  |  self_protection   ||         FAIL: "y"          
 CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE| is not set  |  clipos  |  self_protection   ||FAIL: CONFIG_GCC_PLUGIN_RANDSTRUCT is needed
+CONFIG_GCC_PLUGIN_STACKLEAK             |      y      |  clipos  |  self_protection   ||      FAIL: not found       
+CONFIG_STACKLEAK_METRICS                | is not set  |  clipos  |  self_protection   ||FAIL: CONFIG_GCC_PLUGIN_STACKLEAK is needed
+CONFIG_STACKLEAK_RUNTIME_DISABLE        | is not set  |  clipos  |  self_protection   ||FAIL: CONFIG_GCC_PLUGIN_STACKLEAK is needed
 CONFIG_RANDOM_TRUST_CPU                 | is not set  |  clipos  |  self_protection   ||       OK: not found        
 CONFIG_MICROCODE                        |      y      |  clipos  |  self_protection   ||             OK             
 CONFIG_X86_MSR                          |      y      |  clipos  |  self_protection   ||         FAIL: "m"          
@@ -104,9 +107,6 @@ CONFIG_INTEL_IOMMU_SVM                  |      y      |  clipos  |  self_protect
 CONFIG_INTEL_IOMMU_DEFAULT_ON           |      y      |  clipos  |  self_protection   ||     FAIL: "is not set"     
 CONFIG_AMD_IOMMU                        |      y      |    my    |  self_protection   ||             OK             
 CONFIG_AMD_IOMMU_V2                     |      y      |    my    |  self_protection   ||         FAIL: "m"          
-CONFIG_GCC_PLUGIN_STACKLEAK             |      y      |    my    |  self_protection   ||      FAIL: not found       
-CONFIG_STACKLEAK_METRICS                | is not set  |    my    |  self_protection   ||FAIL: CONFIG_GCC_PLUGIN_STACKLEAK is needed
-CONFIG_STACKLEAK_RUNTIME_DISABLE        | is not set  |    my    |  self_protection   ||FAIL: CONFIG_GCC_PLUGIN_STACKLEAK is needed
 CONFIG_SLUB_DEBUG_ON                    |      y      |    my    |  self_protection   ||     FAIL: "is not set"     
 CONFIG_SECURITY_LOADPIN                 |      y      |    my    |  self_protection   ||     FAIL: "is not set"     
 CONFIG_RESET_ATTACK_MITIGATION          |      y      |    my    |  self_protection   ||             OK             
@@ -163,14 +163,14 @@ CONFIG_KALLSYMS                         | is not set  |  clipos  | cut_attack_su
 CONFIG_X86_VSYSCALL_EMULATION           | is not set  |  clipos  | cut_attack_surface ||         FAIL: "y"          
 CONFIG_MAGIC_SYSRQ                      | is not set  |  clipos  | cut_attack_surface ||         FAIL: "y"          
 CONFIG_KEXEC_FILE                       | is not set  |  clipos  | cut_attack_surface ||         FAIL: "y"          
+CONFIG_USER_NS                          | is not set  |  clipos  | cut_attack_surface ||         FAIL: "y"          
 CONFIG_MMIOTRACE                        | is not set  |    my    | cut_attack_surface ||         FAIL: "y"          
 CONFIG_LIVEPATCH                        | is not set  |    my    | cut_attack_surface ||         FAIL: "y"          
-CONFIG_USER_NS                          | is not set  |    my    | cut_attack_surface ||         FAIL: "y"          
 CONFIG_IP_DCCP                          | is not set  |    my    | cut_attack_surface ||         FAIL: "m"          
 CONFIG_IP_SCTP                          | is not set  |    my    | cut_attack_surface ||         FAIL: "m"          
 CONFIG_FTRACE                           | is not set  |    my    | cut_attack_surface ||         FAIL: "y"          
 CONFIG_BPF_JIT                          | is not set  |    my    | cut_attack_surface ||         FAIL: "y"          
-CONFIG_ARCH_MMAP_RND_BITS               |     32      |    my    |userspace_protection||         FAIL: "28"         
+CONFIG_ARCH_MMAP_RND_BITS               |     32      |  clipos  |userspace_protection||         FAIL: "28"         

 [+] config check is finished: 'OK' - 49 / 'FAIL' - 71
 ```

--- a/kconfig-hardened-check.py
+++ b/kconfig-hardened-check.py
@@ -247,6 +247,13 @@ def construct_checklist(arch):
    checklist.append(OptCheck('SLAB_MERGE_DEFAULT',                    'is not set', 'clipos', 'self_protection')) # slab_nomerge
    checklist.append(AND(OptCheck('GCC_PLUGIN_RANDSTRUCT_PERFORMANCE', 'is not set', 'clipos', 'self_protection'), \
                         randstruct_is_set))
+    if debug_mode or arch == 'X86_64' or arch == 'ARM64' or arch == 'X86_32':
+        stackleak_is_set = OptCheck('GCC_PLUGIN_STACKLEAK',       'y', 'clipos', 'self_protection')
+        checklist.append(stackleak_is_set)
+        checklist.append(AND(OptCheck('STACKLEAK_METRICS',        'is not set', 'clipos', 'self_protection'), \
+                             stackleak_is_set))
+        checklist.append(AND(OptCheck('STACKLEAK_RUNTIME_DISABLE','is not set', 'clipos', 'self_protection'), \
+                             stackleak_is_set))
    if debug_mode or arch == 'X86_64' or arch == 'X86_32':
        checklist.append(OptCheck('RANDOM_TRUST_CPU',             'is not set', 'clipos', 'self_protection'))
        checklist.append(OptCheck('MICROCODE',                    'y', 'clipos', 'self_protection')) # is needed for mitigating CPU bugs
@@ -265,13 +272,6 @@ def construct_checklist(arch):
                             iommu_support_is_set))
        checklist.append(AND(OptCheck('AMD_IOMMU_V2',             'y', 'my', 'self_protection'), \
                             iommu_support_is_set))
-    if debug_mode or arch == 'X86_64' or arch == 'ARM64' or arch == 'X86_32':
-        stackleak_is_set = OptCheck('GCC_PLUGIN_STACKLEAK',       'y', 'my', 'self_protection')
-        checklist.append(stackleak_is_set)
-        checklist.append(AND(OptCheck('STACKLEAK_METRICS',        'is not set', 'my', 'self_protection'), \
-                             stackleak_is_set))
-        checklist.append(AND(OptCheck('STACKLEAK_RUNTIME_DISABLE','is not set', 'my', 'self_protection'), \
-                             stackleak_is_set))
    checklist.append(OptCheck('SLUB_DEBUG_ON',                    'y', 'my', 'self_protection'))
    checklist.append(OptCheck('SECURITY_LOADPIN',                 'y', 'my', 'self_protection')) # needs userspace support
    checklist.append(OptCheck('RESET_ATTACK_MITIGATION',          'y', 'my', 'self_protection')) # needs userspace support (systemd)
@@ -352,10 +352,10 @@ def construct_checklist(arch):
    checklist.append(OptCheck('X86_VSYSCALL_EMULATION',   'is not set', 'clipos', 'cut_attack_surface'))
    checklist.append(OptCheck('MAGIC_SYSRQ',              'is not set', 'clipos', 'cut_attack_surface'))
    checklist.append(OptCheck('KEXEC_FILE',               'is not set', 'clipos', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL (permissive)
+    checklist.append(OptCheck('USER_NS',                  'is not set', 'clipos', 'cut_attack_surface')) # user.max_user_namespaces=0

    checklist.append(OptCheck('MMIOTRACE',            'is not set', 'my', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL (permissive)
    checklist.append(OptCheck('LIVEPATCH',            'is not set', 'my', 'cut_attack_surface'))
-    checklist.append(OptCheck('USER_NS',              'is not set', 'my', 'cut_attack_surface')) # user.max_user_namespaces=0
    checklist.append(OptCheck('IP_DCCP',              'is not set', 'my', 'cut_attack_surface'))
    checklist.append(OptCheck('IP_SCTP',              'is not set', 'my', 'cut_attack_surface'))
    checklist.append(OptCheck('FTRACE',               'is not set', 'my', 'cut_attack_surface'))
@@ -366,7 +366,7 @@ def construct_checklist(arch):
    if debug_mode or arch == 'ARM64':
        checklist.append(OptCheck('ARM64_PTR_AUTH',       'y', 'defconfig', 'userspace_protection'))
    if debug_mode or arch == 'X86_64' or arch == 'ARM64':
-        checklist.append(OptCheck('ARCH_MMAP_RND_BITS',   '32', 'my', 'userspace_protection'))
+        checklist.append(OptCheck('ARCH_MMAP_RND_BITS',   '32', 'clipos', 'userspace_protection'))
    if debug_mode or arch == 'X86_32' or arch == 'ARM':
        checklist.append(OptCheck('ARCH_MMAP_RND_BITS',   '16', 'my', 'userspace_protection'))