From e66ef16488f2acdcaf01870d7f77abf6ba4dddcb Mon Sep 17 00:00:00 2001 From: valera disgrace Date: Mon, 28 Oct 2024 09:24:28 +1000 Subject: [PATCH 1/4] implementation of arch_mmap_rnd checks --- kernel_hardening_checker/__init__.py | 36 ++++++++++++++++++++-------- kernel_hardening_checker/checks.py | 3 +++ 2 files changed, 29 insertions(+), 10 deletions(-) diff --git a/kernel_hardening_checker/__init__.py b/kernel_hardening_checker/__init__.py index 3e0535a6..04964a8a 100755 --- a/kernel_hardening_checker/__init__.py +++ b/kernel_hardening_checker/__init__.py @@ -247,6 +247,23 @@ def parse_sysctl_file(mode: StrOrNone, parsed_options: Dict[str, str], fname: st print(f'[!] WARNING: sysctl options available for root are not found in {fname}, please use the output of `sudo sysctl -a`') +def refine_check(mode: StrOrNone, checklist: List[ChecklistObjType], parsed_options: Dict[str, str], target: str, source: str) -> None: + source_option = parsed_options.get(source, None) + if source_option: + override_expected_value(checklist, target, source_option) + else: + # remove the target check to avoid false results + if mode != 'json': + print(f'[-] Can\'t check {target} without {source}') + checklist[:] = [o for o in checklist if o.name != target] + + +def clean_unoverrided(mode: StrOrNone, checklist: List[ChecklistObjType], target: str, source: str) -> None: + if mode != 'json': + print(f'[-] Can\'t check {target} without {source}: no config') + checklist[:] = [o for o in checklist if o.name != target] + + def perform_checking(mode: StrOrNone, version: TupleOrNone, kconfig: StrOrNone, cmdline: StrOrNone, sysctl: StrOrNone) -> None: config_checklist = [] # type: List[ChecklistObjType] @@ -301,16 +318,8 @@ def perform_checking(mode: StrOrNone, version: TupleOrNone, parsed_kconfig_options = {} # type: Dict[str, str] parse_kconfig_file(mode, parsed_kconfig_options, kconfig) populate_with_data(config_checklist, parsed_kconfig_options, 'kconfig') - - # hackish refinement of the CONFIG_ARCH_MMAP_RND_BITS check - mmap_rnd_bits_max = parsed_kconfig_options.get('CONFIG_ARCH_MMAP_RND_BITS_MAX', None) - if mmap_rnd_bits_max: - override_expected_value(config_checklist, 'CONFIG_ARCH_MMAP_RND_BITS', mmap_rnd_bits_max) - else: - # remove the CONFIG_ARCH_MMAP_RND_BITS check to avoid false results - if mode != 'json': - print('[-] Can\'t check CONFIG_ARCH_MMAP_RND_BITS without CONFIG_ARCH_MMAP_RND_BITS_MAX') - config_checklist[:] = [o for o in config_checklist if o.name != 'CONFIG_ARCH_MMAP_RND_BITS'] + refine_check(mode, config_checklist, parsed_kconfig_options, 'CONFIG_ARCH_MMAP_RND_BITS', 'CONFIG_ARCH_MMAP_RND_BITS_MAX') + refine_check(mode, config_checklist, parsed_kconfig_options, 'CONFIG_ARCH_MMAP_RND_COMPAT_BITS', 'CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX') if cmdline: # populate the checklist with the parsed cmdline data @@ -323,6 +332,13 @@ def perform_checking(mode: StrOrNone, version: TupleOrNone, parsed_sysctl_options = {} # type: Dict[str, str] parse_sysctl_file(mode, parsed_sysctl_options, sysctl) populate_with_data(config_checklist, parsed_sysctl_options, 'sysctl') + if kconfig: + refine_check(mode, config_checklist, parsed_kconfig_options, 'vm.mmap_rnd_bits', 'CONFIG_ARCH_MMAP_RND_BITS_MAX') + refine_check(mode, config_checklist, parsed_kconfig_options, 'vm.mmap_rnd_compat_bits', 'CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX') + else: + clean_unoverrided(mode, config_checklist, 'vm.mmap_rnd_bits', 'CONFIG_ARCH_MMAP_RND_BITS_MAX') + clean_unoverrided(mode, config_checklist, 'vm.mmap_rnd_compat_bits', 'CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX') + # now everything is ready, perform the checks perform_checks(config_checklist) diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py index 246190ad..68cfb80c 100755 --- a/kernel_hardening_checker/checks.py +++ b/kernel_hardening_checker/checks.py @@ -472,6 +472,7 @@ def add_kconfig_checks(l: List[ChecklistObjType], arch: str) -> None: l += [KconfigCheck('harden_userspace', 'defconfig', 'VMSPLIT_3G', 'y')] l += [KconfigCheck('harden_userspace', 'clipos', 'COREDUMP', 'is not set')] l += [KconfigCheck('harden_userspace', 'a13xp0p0v', 'ARCH_MMAP_RND_BITS', 'MAX')] # 'MAX' value is refined using ARCH_MMAP_RND_BITS_MAX + l += [KconfigCheck('harden_userspace', 'a13xp0p0v', 'ARCH_MMAP_RND_COMPAT_BITS', 'MAX')] # 'MAX' value is refined using ARCH_MMAP_RND_COMPAT_BITS_MAX if arch == 'X86_64': l += [KconfigCheck('harden_userspace', 'kspp', 'X86_USER_SHADOW_STACK', 'y')] @@ -788,3 +789,5 @@ def add_sysctl_checks(l: List[ChecklistObjType], arch: StrOrNone) -> None: l += [SysctlCheck('harden_userspace', 'kspp', 'fs.suid_dumpable', '0')] l += [SysctlCheck('harden_userspace', 'kspp', 'kernel.randomize_va_space', '2')] l += [SysctlCheck('harden_userspace', 'kspp', 'kernel.yama.ptrace_scope', '3')] + l += [SysctlCheck('harden_userspace', 'a13xp0p0v', 'vm.mmap_rnd_bits', 'MAX')] # 'MAX' value is refined using ARCH_MMAP_RND_BITS_MAX + l += [SysctlCheck('harden_userspace', 'a13xp0p0v', 'vm.mmap_rnd_compat_bits', 'MAX')] # 'MAX' value is refined using ARCH_MMAP_RND_COMPAT_BITS_MAX From b3b88dfce83079479f108a7ef095f3210cd516c2 Mon Sep 17 00:00:00 2001 From: Alexander Popov Date: Sat, 9 Nov 2024 19:40:16 +0300 Subject: [PATCH 2/4] Clever trick to drop some code --- kernel_hardening_checker/__init__.py | 17 +++-------------- 1 file changed, 3 insertions(+), 14 deletions(-) diff --git a/kernel_hardening_checker/__init__.py b/kernel_hardening_checker/__init__.py index 04964a8a..eb8e1467 100755 --- a/kernel_hardening_checker/__init__.py +++ b/kernel_hardening_checker/__init__.py @@ -258,12 +258,6 @@ def refine_check(mode: StrOrNone, checklist: List[ChecklistObjType], parsed_opti checklist[:] = [o for o in checklist if o.name != target] -def clean_unoverrided(mode: StrOrNone, checklist: List[ChecklistObjType], target: str, source: str) -> None: - if mode != 'json': - print(f'[-] Can\'t check {target} without {source}: no config') - checklist[:] = [o for o in checklist if o.name != target] - - def perform_checking(mode: StrOrNone, version: TupleOrNone, kconfig: StrOrNone, cmdline: StrOrNone, sysctl: StrOrNone) -> None: config_checklist = [] # type: List[ChecklistObjType] @@ -313,9 +307,9 @@ def perform_checking(mode: StrOrNone, version: TupleOrNone, # populate the checklist with the kernel version data populate_with_data(config_checklist, version, 'version') + parsed_kconfig_options = {} # type: Dict[str, str] if kconfig: # populate the checklist with the parsed Kconfig data - parsed_kconfig_options = {} # type: Dict[str, str] parse_kconfig_file(mode, parsed_kconfig_options, kconfig) populate_with_data(config_checklist, parsed_kconfig_options, 'kconfig') refine_check(mode, config_checklist, parsed_kconfig_options, 'CONFIG_ARCH_MMAP_RND_BITS', 'CONFIG_ARCH_MMAP_RND_BITS_MAX') @@ -332,13 +326,8 @@ def perform_checking(mode: StrOrNone, version: TupleOrNone, parsed_sysctl_options = {} # type: Dict[str, str] parse_sysctl_file(mode, parsed_sysctl_options, sysctl) populate_with_data(config_checklist, parsed_sysctl_options, 'sysctl') - if kconfig: - refine_check(mode, config_checklist, parsed_kconfig_options, 'vm.mmap_rnd_bits', 'CONFIG_ARCH_MMAP_RND_BITS_MAX') - refine_check(mode, config_checklist, parsed_kconfig_options, 'vm.mmap_rnd_compat_bits', 'CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX') - else: - clean_unoverrided(mode, config_checklist, 'vm.mmap_rnd_bits', 'CONFIG_ARCH_MMAP_RND_BITS_MAX') - clean_unoverrided(mode, config_checklist, 'vm.mmap_rnd_compat_bits', 'CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX') - + refine_check(mode, config_checklist, parsed_kconfig_options, 'vm.mmap_rnd_bits', 'CONFIG_ARCH_MMAP_RND_BITS_MAX') + refine_check(mode, config_checklist, parsed_kconfig_options, 'vm.mmap_rnd_compat_bits', 'CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX') # now everything is ready, perform the checks perform_checks(config_checklist) From 7c7a52565255ec10973ce0b697129d0cfb178112 Mon Sep 17 00:00:00 2001 From: Alexander Popov Date: Sat, 9 Nov 2024 19:45:05 +0300 Subject: [PATCH 3/4] Style fixes --- kernel_hardening_checker/__init__.py | 21 +++++++++++++-------- kernel_hardening_checker/checks.py | 12 ++++++++---- 2 files changed, 21 insertions(+), 12 deletions(-) diff --git a/kernel_hardening_checker/__init__.py b/kernel_hardening_checker/__init__.py index eb8e1467..6083e225 100755 --- a/kernel_hardening_checker/__init__.py +++ b/kernel_hardening_checker/__init__.py @@ -247,10 +247,11 @@ def parse_sysctl_file(mode: StrOrNone, parsed_options: Dict[str, str], fname: st print(f'[!] WARNING: sysctl options available for root are not found in {fname}, please use the output of `sudo sysctl -a`') -def refine_check(mode: StrOrNone, checklist: List[ChecklistObjType], parsed_options: Dict[str, str], target: str, source: str) -> None: - source_option = parsed_options.get(source, None) - if source_option: - override_expected_value(checklist, target, source_option) +def refine_check(mode: StrOrNone, checklist: List[ChecklistObjType], parsed_options: Dict[str, str], + target: str, source: str) -> None: + source_val = parsed_options.get(source, None) + if source_val: + override_expected_value(checklist, target, source_val) else: # remove the target check to avoid false results if mode != 'json': @@ -312,8 +313,10 @@ def perform_checking(mode: StrOrNone, version: TupleOrNone, # populate the checklist with the parsed Kconfig data parse_kconfig_file(mode, parsed_kconfig_options, kconfig) populate_with_data(config_checklist, parsed_kconfig_options, 'kconfig') - refine_check(mode, config_checklist, parsed_kconfig_options, 'CONFIG_ARCH_MMAP_RND_BITS', 'CONFIG_ARCH_MMAP_RND_BITS_MAX') - refine_check(mode, config_checklist, parsed_kconfig_options, 'CONFIG_ARCH_MMAP_RND_COMPAT_BITS', 'CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX') + refine_check(mode, config_checklist, parsed_kconfig_options, + 'CONFIG_ARCH_MMAP_RND_BITS', 'CONFIG_ARCH_MMAP_RND_BITS_MAX') + refine_check(mode, config_checklist, parsed_kconfig_options, + 'CONFIG_ARCH_MMAP_RND_COMPAT_BITS', 'CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX') if cmdline: # populate the checklist with the parsed cmdline data @@ -326,8 +329,10 @@ def perform_checking(mode: StrOrNone, version: TupleOrNone, parsed_sysctl_options = {} # type: Dict[str, str] parse_sysctl_file(mode, parsed_sysctl_options, sysctl) populate_with_data(config_checklist, parsed_sysctl_options, 'sysctl') - refine_check(mode, config_checklist, parsed_kconfig_options, 'vm.mmap_rnd_bits', 'CONFIG_ARCH_MMAP_RND_BITS_MAX') - refine_check(mode, config_checklist, parsed_kconfig_options, 'vm.mmap_rnd_compat_bits', 'CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX') + refine_check(mode, config_checklist, parsed_kconfig_options, + 'vm.mmap_rnd_bits', 'CONFIG_ARCH_MMAP_RND_BITS_MAX') + refine_check(mode, config_checklist, parsed_kconfig_options, + 'vm.mmap_rnd_compat_bits', 'CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX') # now everything is ready, perform the checks perform_checks(config_checklist) diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py index 68cfb80c..4a4f9810 100755 --- a/kernel_hardening_checker/checks.py +++ b/kernel_hardening_checker/checks.py @@ -471,8 +471,10 @@ def add_kconfig_checks(l: List[ChecklistObjType], arch: str) -> None: if arch in ('ARM', 'X86_32'): l += [KconfigCheck('harden_userspace', 'defconfig', 'VMSPLIT_3G', 'y')] l += [KconfigCheck('harden_userspace', 'clipos', 'COREDUMP', 'is not set')] - l += [KconfigCheck('harden_userspace', 'a13xp0p0v', 'ARCH_MMAP_RND_BITS', 'MAX')] # 'MAX' value is refined using ARCH_MMAP_RND_BITS_MAX - l += [KconfigCheck('harden_userspace', 'a13xp0p0v', 'ARCH_MMAP_RND_COMPAT_BITS', 'MAX')] # 'MAX' value is refined using ARCH_MMAP_RND_COMPAT_BITS_MAX + l += [KconfigCheck('harden_userspace', 'a13xp0p0v', 'ARCH_MMAP_RND_BITS', 'MAX')] + # 'MAX' value is refined using ARCH_MMAP_RND_BITS_MAX + l += [KconfigCheck('harden_userspace', 'a13xp0p0v', 'ARCH_MMAP_RND_COMPAT_BITS', 'MAX')] + # 'MAX' value is refined using ARCH_MMAP_RND_COMPAT_BITS_MAX if arch == 'X86_64': l += [KconfigCheck('harden_userspace', 'kspp', 'X86_USER_SHADOW_STACK', 'y')] @@ -789,5 +791,7 @@ def add_sysctl_checks(l: List[ChecklistObjType], arch: StrOrNone) -> None: l += [SysctlCheck('harden_userspace', 'kspp', 'fs.suid_dumpable', '0')] l += [SysctlCheck('harden_userspace', 'kspp', 'kernel.randomize_va_space', '2')] l += [SysctlCheck('harden_userspace', 'kspp', 'kernel.yama.ptrace_scope', '3')] - l += [SysctlCheck('harden_userspace', 'a13xp0p0v', 'vm.mmap_rnd_bits', 'MAX')] # 'MAX' value is refined using ARCH_MMAP_RND_BITS_MAX - l += [SysctlCheck('harden_userspace', 'a13xp0p0v', 'vm.mmap_rnd_compat_bits', 'MAX')] # 'MAX' value is refined using ARCH_MMAP_RND_COMPAT_BITS_MAX + l += [SysctlCheck('harden_userspace', 'a13xp0p0v', 'vm.mmap_rnd_bits', 'MAX')] + # 'MAX' value is refined using ARCH_MMAP_RND_BITS_MAX + l += [SysctlCheck('harden_userspace', 'a13xp0p0v', 'vm.mmap_rnd_compat_bits', 'MAX')] + # 'MAX' value is refined using ARCH_MMAP_RND_COMPAT_BITS_MAX From d7fa8eb64a0dab7ae2267ab2bd94cb63538e84a8 Mon Sep 17 00:00:00 2001 From: Alexander Popov Date: Sat, 9 Nov 2024 20:03:57 +0300 Subject: [PATCH 4/4] Skip the `CONFIG_ARCH_MMAP_RND_COMPAT_BITS` option in the `--generate` mode --- kernel_hardening_checker/__init__.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/kernel_hardening_checker/__init__.py b/kernel_hardening_checker/__init__.py index 6083e225..ac4da671 100755 --- a/kernel_hardening_checker/__init__.py +++ b/kernel_hardening_checker/__init__.py @@ -313,10 +313,12 @@ def perform_checking(mode: StrOrNone, version: TupleOrNone, # populate the checklist with the parsed Kconfig data parse_kconfig_file(mode, parsed_kconfig_options, kconfig) populate_with_data(config_checklist, parsed_kconfig_options, 'kconfig') + # refine the values of some checks refine_check(mode, config_checklist, parsed_kconfig_options, 'CONFIG_ARCH_MMAP_RND_BITS', 'CONFIG_ARCH_MMAP_RND_BITS_MAX') refine_check(mode, config_checklist, parsed_kconfig_options, 'CONFIG_ARCH_MMAP_RND_COMPAT_BITS', 'CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX') + # and don't forget to skip these Kconfig checks in --generate if cmdline: # populate the checklist with the parsed cmdline data @@ -329,6 +331,7 @@ def perform_checking(mode: StrOrNone, version: TupleOrNone, parsed_sysctl_options = {} # type: Dict[str, str] parse_sysctl_file(mode, parsed_sysctl_options, sysctl) populate_with_data(config_checklist, parsed_sysctl_options, 'sysctl') + # refine the values of some checks refine_check(mode, config_checklist, parsed_kconfig_options, 'vm.mmap_rnd_bits', 'CONFIG_ARCH_MMAP_RND_BITS_MAX') refine_check(mode, config_checklist, parsed_kconfig_options, @@ -451,8 +454,8 @@ def main() -> None: add_kconfig_checks(config_checklist, arch) print(f'CONFIG_{arch}=y') # the Kconfig fragment should describe the microarchitecture for opt in config_checklist: - if opt.name == 'CONFIG_ARCH_MMAP_RND_BITS': - continue # don't add CONFIG_ARCH_MMAP_RND_BITS because its value needs refinement + if opt.name in ('CONFIG_ARCH_MMAP_RND_BITS', 'CONFIG_ARCH_MMAP_RND_COMPAT_BITS'): + continue # don't add Kconfig options with a value that needs refinement if opt.expected == 'is not off': continue # don't add Kconfig options without explicitly recommended values if opt.expected == 'is not set':