Support separate sysctl checking (without kconfig)

6cf9979c · Alexander Popov · ac93b409 · 6cf9979c · 6cf9979c
Commit 6cf9979c authored Aug 27, 2023 by Alexander Popov
Hide whitespace changes
Inline Side-by-side

Showing with 36 additions and 6 deletions

__init__.py kconfig_hardened_check/__init__.py +28 -4

checks.py kconfig_hardened_check/checks.py +8 -2

No files found.
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -258,7 +258,6 @@ def main():
    if args.config:
        if args.print:
            sys.exit('[!] ERROR: --config and --print can\'t be used together')
-
        if args.generate:
            sys.exit('[!] ERROR: --config and --generate can\'t be used together')

@@ -338,13 +337,38 @@ def main():

        # finally print the results
        print_checklist(mode, config_checklist, True)
-
        sys.exit(0)
    elif args.cmdline:
        sys.exit('[!] ERROR: checking cmdline depends on checking Kconfig')
    elif args.sysctl:
-        # TODO: sysctl check should also work separately
-        sys.exit('[!] ERROR: checking sysctl depends on checking Kconfig')
+        # separate sysctl checking (without kconfig)
+        assert(args.config is None and args.cmdline is None), 'unexpected args'
+        if args.print:
+            sys.exit('[!] ERROR: --sysctl and --print can\'t be used together')
+        if args.generate:
+            sys.exit('[!] ERROR: --sysctl and --generate can\'t be used together')
+
+        if mode != 'json':
+            print(f'[+] Sysctl output file to check: {args.sysctl}')
+
+        # add relevant sysctl checks to the checklist
+        add_sysctl_checks(config_checklist, None)
+
+        # populate the checklist with the parsed sysctl data
+        parsed_sysctl_options = OrderedDict()
+        parse_sysctl_file(mode, parsed_sysctl_options, args.sysctl)
+        populate_with_data(config_checklist, parsed_sysctl_options, 'sysctl')
+
+        # now everything is ready, perform the checks
+        perform_checks(config_checklist)
+
+        if mode == 'verbose':
+            # print the parsed options without the checks (for debugging)
+            print_unknown_options(config_checklist, parsed_sysctl_options)
+
+        # finally print the results
+        print_checklist(mode, config_checklist, True)
+        sys.exit(0)

    if args.print:
        assert(args.config is None and args.cmdline is None and args.sysctl is None), 'unexpected args'

--- a/kconfig_hardened_check/checks.py
+++ b/kconfig_hardened_check/checks.py
@@ -15,6 +15,8 @@ from .engine import KconfigCheck, CmdlineCheck, SysctlCheck, VersionCheck, OR, A


 def add_kconfig_checks(l, arch):
+    assert(arch), 'empty arch'
+
    # Calling the KconfigCheck class constructor:
    #     KconfigCheck(reason, decision, name, expected)
    #
@@ -379,6 +381,8 @@ def add_kconfig_checks(l, arch):


 def add_cmdline_checks(l, arch):
+    assert(arch), 'empty arch'
+
    # Calling the CmdlineCheck class constructor:
    #     CmdlineCheck(reason, decision, name, expected)
    #
@@ -574,7 +578,6 @@ def normalize_cmdline_options(option, value):
    return value


-def add_sysctl_checks(l, arch):
 # TODO: draft of security hardening sysctls:
 #    kernel.kptr_restrict=2 (or 1?)
 #    kernel.yama.ptrace_scope=3
@@ -598,7 +601,10 @@ def add_sysctl_checks(l, arch):
 #    kernel.oops_limit (think about a proper value)
 #    kernel.warn_limit (think about a proper value)
 #    net.ipv4.tcp_syncookies=1 (?)
-#
+
+def add_sysctl_checks(l, arch):
+# This function may be called with arch=None
+
 # Calling the SysctlCheck class constructor:
 #   SysctlCheck(reason, decision, name, expected)