Commits · f630654cd1a6e29c723f91cf7dbbb6707cf47b75 · fact-depend / kernel-hardening-checker

20 Aug, 2022 4 commits
- Require GCC for the GCC plugins · f630654c
  Alexander Popov authored Aug 20, 2022
  
  f630654c Browse Files
- Introduce cc_is_gcc and cc_is_clang · a99f0765
```
Use empty decision and reason for such kind of checks
```
  Alexander Popov authored Aug 20, 2022
  a99f0765 Browse Files
- No, the 'page_alloc.shuffle' should be set anyway · a637a660
  Alexander Popov authored Aug 20, 2022
  
  a637a660 Browse Files
- Drop the comment about slub_debug=FZ · 1a5aaa7a
```
These are very slow debugging features
```
  Alexander Popov authored Aug 20, 2022
  1a5aaa7a Browse Files
17 Aug, 2022 3 commits
- Add the debugfs check · 34469ca1
```
Don't normalize this option value since the Linux kernel
doesn't use kstrtobool() for it.
```
  Alexander Popov authored Aug 17, 2022
  34469ca1 Browse Files
- Improve the comments · e94d14b3
  Alexander Popov authored Aug 17, 2022
  
  e94d14b3 Browse Files
- Add the 'page_alloc.shuffle' check · 37429744
  Alexander Popov authored Aug 17, 2022
  
  37429744 Browse Files
14 Aug, 2022 3 commits

Add more values for the normalization · e9fa4333
Alexander Popov authored Aug 15, 2022

e9fa4333 Browse Files
Implement the normalization of cmdline options · e2d73214
Alexander Popov authored Aug 15, 2022

e2d73214 Browse Files

Describe the meaning of the checks · 6a467438

Don't add CmdlineChecks in add_kconfig_checks() to avoid wrong results
when the tool doesn't check the cmdline.

A common pattern for checking the 'param_x' cmdline parameter
that __overrides__ the 'PARAM_X_DEFAULT' kconfig option:
  l += [OR(CmdlineCheck(reason, decision, 'param_x', '1'),
           AND(KconfigCheck(reason, decision, 'PARAM_X_DEFAULT_ON', 'y'),
               CmdlineCheck(reason, decision, 'param_x, 'is not set')))]

Here we don't check the kconfig options or minimal kernel version
required for the cmdline parameters. That would make the checks
very complex and not give a 100% guarantee anyway.

authored Aug 14, 2022

6a467438 Browse Files

13 Aug, 2022 4 commits
- Check the 'rodata' cmdline parameter on the arches except ARM64 · 33120e46
  Alexander Popov authored Aug 14, 2022
  
  33120e46 Browse Files
- Check hardened_usercopy in the cmdline · 8c0b6920
  Alexander Popov authored Aug 13, 2022
  
  8c0b6920 Browse Files
- Add the comment about vm.mmap_min_addr sysctl (for future reference) · 1556dfd2
  Alexander Popov authored Aug 13, 2022
  
  1556dfd2 Browse Files
- SECURITY_DMESG_RESTRICT is more about cutting attack surface · 2b7a15dd
  Alexander Popov authored Aug 13, 2022
  
  2b7a15dd Browse Files
21 Jul, 2022 4 commits

Improve the slab_common.usercopy_fallback check · b51a6979
```
Having HARDENED_USERCOPY_FALLBACK disabled is not enough.
```
Alexander Popov authored Jul 21, 2022
b51a6979 Browse Files
Add the slab_common.usercopy_fallback check · cd559d31
Alexander Popov authored Jul 21, 2022

cd559d31 Browse Files

Improve the STACKPROTECTOR check · 3bdbc3ae

The Linux kernel 4.16-4.17 has a weird STACKPROTECTOR configuration:
CC_STACKPROTECTOR_NONE -- stackprotector is disabled;
CC_STACKPROTECTOR_REGULAR -- similar to current STACKPROTECTOR;
CC_STACKPROTECTOR_STRONG -- similar to current STACKPROTECTOR_STRONG;
CC_STACKPROTECTOR_AUTO -- the best stack-protector that compiler provides.
These options are mutually exclusive.

Let's improve the STACKPROTECTOR check:
- Add CC_STACKPROTECTOR_REGULAR as a valid alternative name of this option;
- Add CC_STACKPROTECTOR_STRONG to avoid false negative result;
- Add CC_STACKPROTECTOR_AUTO hoping that it enables at least STACKPROTECTOR.

The STACKPROTECTOR_STRONG check still requires explicit configuration, not
CC_STACKPROTECTOR_AUTO.

Thanks to @izh1979 for the idea

authored Jul 21, 2022

3bdbc3ae Browse Files

Don't mention LKDTM · 5d007e67

I can't recommend disabling it, because LKDTM is used to test the kernel
hardening features.

But I cant recommend enabling it, because LKDTM contains intentional
memory corruption errors. It's not for production systems.

So let's simply drop the comment about LKDTM.

authored Jul 21, 2022

5d007e67 Browse Files

17 Jul, 2022 4 commits
- Add info about the LKDDb project by @cateee · 0d5c56f2
```
#68
```
  Alexander Popov authored Jul 17, 2022
  0d5c56f2 Browse Files
- Check ARM64_BTI for userspace hardening · a91195e7
  Alexander Popov authored Jul 17, 2022
  
  a91195e7 Browse Files
- Check ARM64_PTR_AUTH for userspace hardening · 594fcd1c
  Alexander Popov authored Jul 17, 2022
  
  594fcd1c Browse Files
- Add rodata check for ARM64 · 9cdd06a1
  Alexander Popov authored Jul 17, 2022
  
  9cdd06a1 Browse Files
11 Jul, 2022 4 commits
- Add iommu.passthrough check · b6930eae
  Alexander Popov authored Jul 11, 2022
  
  b6930eae Browse Files
- Add IOMMU_DEFAULT_PASSTHROUGH check · 1300fb0e
  Alexander Popov authored Jul 11, 2022
  
  1300fb0e Browse Files
- Add iommu.strict check · f4889500
  Alexander Popov authored Jul 11, 2022
  
  f4889500 Browse Files
- Add vsyscall check · 4ed45348
  Alexander Popov authored Jul 11, 2022
  
  4ed45348 Browse Files
09 Jul, 2022 2 commits
- Don't add CmdlineChecks in add_kconfig_checks() to avoid wrong results · 3ee12f0b
  Alexander Popov authored Jul 10, 2022
  
  3ee12f0b Browse Files
- Add slub_debug check · 3c1e4cca
  Alexander Popov authored Jul 10, 2022
  
  3c1e4cca Browse Files
08 Jul, 2022 1 commit
- Add the release badge · a316a3e8
  Alexander Popov authored Jul 09, 2022
  
  a316a3e8 Browse Files
20 Jun, 2022 4 commits
- Add the init_on_free check · 6c2257f4
  Alexander Popov authored Jun 20, 2022
  
  6c2257f4 Browse Files
- Add the page_poison check required for PAGE_POISONING_ZERO · ff64053d
  Alexander Popov authored Jun 20, 2022
  
  ff64053d Browse Files
- Rewrite the slab_nomerge check · 0b522bd1
```
Use the presence check for slab_nomerge.
Also check that slab_merge is not set.
```
  Alexander Popov authored Jun 20, 2022
  0b522bd1 Browse Files
- Rewrite the randomize_kstack_offset check · 745742b3
```
Reusing "is not set" for CmdlineCheck is a nice hack.
```
  Alexander Popov authored Jun 20, 2022
  745742b3 Browse Files
19 Jun, 2022 3 commits
- Check that a kconfig option value is sane · ba678bf3
  Alexander Popov authored Jun 19, 2022
  
  ba678bf3 Browse Files
- Add a tricky check for init_on_alloc and INIT_ON_ALLOC_DEFAULT_ON · 05113077
```
Nice!
```
  Alexander Popov authored Jun 19, 2022
  05113077 Browse Files
- Move the add_cmdline_checks() call earlier · a23725c2
```
populate_with_data() must be called after all checks have been added.
```
  Alexander Popov authored Jun 19, 2022
  a23725c2 Browse Files
08 Jun, 2022 4 commits
- Don't check __name__ in __init__.py (it can't run separately anyway) · 98fb9d97
  Alexander Popov authored Jun 09, 2022
  
  98fb9d97 Browse Files
- Fix the pylint warning about isinstance · 58cc1a05
  Alexander Popov authored Jun 09, 2022
  
  58cc1a05 Browse Files
- Drop unneeded properties of ComplexOptCheck · 92a65445
```
Thanks to the coverage info
```
  Alexander Popov authored Jun 09, 2022
  92a65445 Browse Files
- Turn some error conditions into assertions (part 4) · 55164d26
  Alexander Popov authored Jun 09, 2022
  
  55164d26 Browse Files