From 585aee3414f4de117db9baa1303f4715ab666aa9 Mon Sep 17 00:00:00 2001
From: jvoisin <julien.voisin@dustri.org>
Date: Mon, 15 Apr 2024 14:49:22 +0200
Subject: [PATCH] Add some lightweight typing

---
 kernel_hardening_checker/__init__.py | 10 +++++-----
 kernel_hardening_checker/checks.py   |  8 ++++----
 kernel_hardening_checker/engine.py   | 20 ++++++++++----------
 3 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/kernel_hardening_checker/__init__.py b/kernel_hardening_checker/__init__.py
index 858341a0..381f5cbf 100644
--- a/kernel_hardening_checker/__init__.py
+++ b/kernel_hardening_checker/__init__.py
@@ -29,7 +29,7 @@ def _open(file: str, *args, **kwargs):
     return open_method(file, *args, **kwargs)
 
 
-def detect_arch(fname, archs):
+def detect_arch(fname: str, archs: list[str]) -> tuple:
     with _open(fname, 'rt', encoding='utf-8') as f:
         arch_pattern = re.compile(r"CONFIG_[a-zA-Z0-9_]+=y$")
         arch = None
@@ -46,7 +46,7 @@ def detect_arch(fname, archs):
         return arch, 'OK'
 
 
-def detect_kernel_version(fname):
+def detect_kernel_version(fname: str) -> tuple:
     with _open(fname, 'rt', encoding='utf-8') as f:
         ver_pattern = re.compile(r"^# Linux/.+ Kernel Configuration$|^Linux version .+")
         for line in f.readlines():
@@ -63,7 +63,7 @@ def detect_kernel_version(fname):
         return None, 'no kernel version detected'
 
 
-def detect_compiler(fname):
+def detect_compiler(fname: str):
     gcc_version = None
     clang_version = None
     with _open(fname, 'rt', encoding='utf-8') as f:
@@ -104,7 +104,7 @@ def print_unknown_options(checklist, parsed_options, opt_type):
             print(f'[?] No check for {opt_type} option {option} ({value})')
 
 
-def print_checklist(mode, checklist, with_results):
+def print_checklist(mode: str, checklist, with_results: bool):
     if mode == 'json':
         output = []
         for opt in checklist:
@@ -151,7 +151,7 @@ def print_checklist(mode, checklist, with_results):
         print(f'[+] Config check is finished: \'OK\' - {ok_count}{ok_suppressed} / \'FAIL\' - {fail_count}{fail_suppressed}')
 
 
-def parse_kconfig_file(_mode, parsed_options, fname):
+def parse_kconfig_file(_mode, parsed_options, fname: str):
     with _open(fname, 'rt', encoding='utf-8') as f:
         opt_is_on = re.compile(r"CONFIG_[a-zA-Z0-9_]+=.+$")
         opt_is_off = re.compile(r"# CONFIG_[a-zA-Z0-9_]+ is not set$")
diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py
index 5ec19cc5..2e903157 100644
--- a/kernel_hardening_checker/checks.py
+++ b/kernel_hardening_checker/checks.py
@@ -14,7 +14,7 @@
 from .engine import KconfigCheck, CmdlineCheck, SysctlCheck, VersionCheck, OR, AND
 
 
-def add_kconfig_checks(l, arch):
+def add_kconfig_checks(l, arch: str):
     assert(arch), 'empty arch'
 
     # Calling the KconfigCheck class constructor:
@@ -411,7 +411,7 @@ def add_kconfig_checks(l, arch):
         l += [KconfigCheck('harden_userspace', 'a13xp0p0v', 'X86_USER_SHADOW_STACK', 'y')]
 
 
-def add_cmdline_checks(l, arch):
+def add_cmdline_checks(l, arch: str):
     assert(arch), 'empty arch'
 
     # Calling the CmdlineCheck class constructor:
@@ -613,7 +613,7 @@ def add_cmdline_checks(l, arch):
 ]
 
 
-def normalize_cmdline_options(option, value):
+def normalize_cmdline_options(option: str, value: str) -> str:
     # Don't normalize the cmdline option values if
     # the Linux kernel doesn't use kstrtobool() for them
     if option in no_kstrtobool_options:
@@ -640,7 +640,7 @@ def normalize_cmdline_options(option, value):
 #    kernel.warn_limit (think about a proper value)
 #    net.ipv4.tcp_syncookies=1 (?)
 
-def add_sysctl_checks(l, _arch):
+def add_sysctl_checks(l, _arch: str):
 # This function may be called with arch=None
 
 # Calling the SysctlCheck class constructor:
diff --git a/kernel_hardening_checker/engine.py b/kernel_hardening_checker/engine.py
index 51907085..79e6ca03 100644
--- a/kernel_hardening_checker/engine.py
+++ b/kernel_hardening_checker/engine.py
@@ -27,7 +27,7 @@ def colorize_result(input_text):
 
 
 class OptCheck:
-    def __init__(self, reason, decision, name, expected):
+    def __init__(self, reason: str, decision: str, name: str, expected: str):
         assert(name and name == name.strip() and len(name.split()) == 1), \
                f'invalid name "{name}" for {self.__class__.__name__}'
         self.name = name
@@ -98,12 +98,12 @@ def check(self):
         else:
             self.result = f'FAIL: "{self.state}"'
 
-    def table_print(self, _mode, with_results):
+    def table_print(self, _mode, with_results: bool):
         print(f'{self.name:<40}|{self.type:^7}|{self.expected:^12}|{self.decision:^10}|{self.reason:^18}', end='')
         if with_results:
             print(f'| {colorize_result(self.result)}', end='')
 
-    def json_dump(self, with_results):
+    def json_dump(self, with_results: bool) ->dict:
         dump = {
             "option_name": self.name,
             "type": self.type,
@@ -111,7 +111,7 @@ def json_dump(self, with_results):
             "decision": self.decision,
             "reason": self.reason,
         }
-        if with_results:
+        if with_results and self.result:
             dump["check_result"] = self.result
             dump["check_result_bool"] = self.result.startswith('OK')
         return dump
@@ -140,7 +140,7 @@ def type(self):
 
 
 class VersionCheck:
-    def __init__(self, ver_expected):
+    def __init__(self, ver_expected: tuple):
         assert(ver_expected and isinstance(ver_expected, tuple) and len(ver_expected) == 3), \
                f'invalid expected version "{ver_expected}" for VersionCheck (1)'
         assert(all(map(lambda x: isinstance(x, int), ver_expected))), \
@@ -153,7 +153,7 @@ def __init__(self, ver_expected):
     def type(self):
         return 'version'
 
-    def set_state(self, data):
+    def set_state(self, data: tuple):
         assert(data and isinstance(data, tuple) and len(data) >= 3), \
                f'invalid version "{data}" for VersionCheck'
         self.ver = data[:3]
@@ -178,7 +178,7 @@ def check(self):
             return
         self.result = f'FAIL: version < {self.ver_expected}'
 
-    def table_print(self, _mode, with_results):
+    def table_print(self, _mode, with_results: bool):
         ver_req = f'kernel version >= {self.ver_expected}'
         print(f'{ver_req:<91}', end='')
         if with_results:
@@ -208,7 +208,7 @@ def name(self):
     def expected(self):
         return self.opts[0].expected
 
-    def table_print(self, mode, with_results):
+    def table_print(self, mode: str, with_results: bool):
         if mode == 'verbose':
             class_name = f'<<< {self.__class__.__name__} >>>'
             print(f'    {class_name:87}', end='')
@@ -223,7 +223,7 @@ def table_print(self, mode, with_results):
             if with_results:
                 print(f'| {colorize_result(self.result)}', end='')
 
-    def json_dump(self, with_results):
+    def json_dump(self, with_results: bool) -> dict:
         dump = self.opts[0].json_dump(False)
         if with_results:
             # Add the 'check_result' and 'check_result_bool' keys to the dictionary
@@ -295,7 +295,7 @@ def check(self):
 SIMPLE_OPTION_TYPES = ('kconfig', 'cmdline', 'sysctl', 'version')
 
 
-def populate_simple_opt_with_data(opt, data, data_type):
+def populate_simple_opt_with_data(opt, data, data_type: str):
     assert(opt.type != 'complex'), \
            f'unexpected ComplexOptCheck "{opt.name}"'
     assert(opt.type in SIMPLE_OPTION_TYPES), \