parsing list-provided values implementation

a13xp0p0v · Dec 8, 2024 · 623bd4b · 623bd4b
1 parent 12eb32d
commit 623bd4b
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 2 deletions.
diff --git a/kernel_hardening_checker/__init__.py b/kernel_hardening_checker/__init__.py
@@ -526,7 +526,7 @@ def main() -> None:
         add_kconfig_checks(config_checklist, arch)
         print(f'CONFIG_{arch}=y') # the Kconfig fragment should describe the microarchitecture
         for opt in config_checklist:
-            if opt.name in ('CONFIG_ARCH_MMAP_RND_BITS', 'CONFIG_ARCH_MMAP_RND_COMPAT_BITS'):
+            if opt.name in ('CONFIG_ARCH_MMAP_RND_BITS', 'CONFIG_ARCH_MMAP_RND_COMPAT_BITS', 'CONFIG_LSM'):
                 continue # don't add Kconfig options with a value that needs refinement
             if opt.expected == 'is not off':
                 continue # don't add Kconfig options without explicitly recommended values

diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py
@@ -153,6 +153,11 @@ def add_kconfig_checks(l: List[ChecklistObjType], arch: str) -> None:
     l += [KconfigCheck('self_protection', 'kspp', 'STATIC_USERMODEHELPER', 'y')] # needs userspace support
     l += [KconfigCheck('self_protection', 'kspp', 'SCHED_CORE', 'y')]
     l += [KconfigCheck('self_protection', 'kspp', 'SECURITY_LOCKDOWN_LSM', 'y')]
+    l += [KconfigCheck('self_protection', 'kspp', 'LSM', '*lockdown*'),
+          OR(KconfigCheck('security_policy', 'a13xp0p0v', 'SECURITY_SELINUX', 'y'),
+             KconfigCheck('security_policy', 'a13xp0p0v', 'SECURITY_APPARMOR', 'y'),
+             KconfigCheck('security_policy', 'a13xp0p0v', 'SECURITY_SMACK', 'y'),
+             KconfigCheck('security_policy', 'a13xp0p0v', 'SECURITY_TOMOYO', 'y'))]
     l += [KconfigCheck('self_protection', 'kspp', 'SECURITY_LOCKDOWN_LSM_EARLY', 'y')]
     l += [KconfigCheck('self_protection', 'kspp', 'LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY', 'y')]
     l += [OR(KconfigCheck('self_protection', 'kspp', 'LIST_HARDENED', 'y'),
@@ -222,6 +227,16 @@ def add_kconfig_checks(l: List[ChecklistObjType], arch: str) -> None:
     l += [OR(KconfigCheck('self_protection', 'kspp', 'UBSAN_SANITIZE_ALL', 'y'),
              AND(ubsan_bounds_is_set,
                  VersionCheck((6, 9, 0))))] # UBSAN_SANITIZE_ALL was enabled by default in UBSAN in v6.9
+    l += [KconfigCheck('security_policy', 'kspp', 'LSM', '*yama*'),
+          OR(KconfigCheck('security_policy', 'a13xp0p0v', 'SECURITY_SELINUX', 'y'),
+             KconfigCheck('security_policy', 'a13xp0p0v', 'SECURITY_APPARMOR', 'y'),
+             KconfigCheck('security_policy', 'a13xp0p0v', 'SECURITY_SMACK', 'y'),
+             KconfigCheck('security_policy', 'a13xp0p0v', 'SECURITY_TOMOYO', 'y'))]
+    l += [KconfigCheck('security_policy', 'kspp', 'LSM', '*landlock*'),
+          OR(KconfigCheck('security_policy', 'a13xp0p0v', 'SECURITY_SELINUX', 'y'),
+             KconfigCheck('security_policy', 'a13xp0p0v', 'SECURITY_APPARMOR', 'y'),
+             KconfigCheck('security_policy', 'a13xp0p0v', 'SECURITY_SMACK', 'y'),
+             KconfigCheck('security_policy', 'a13xp0p0v', 'SECURITY_TOMOYO', 'y'))]
     if arch in ('X86_64', 'ARM64', 'X86_32'):
         l += [KconfigCheck('self_protection', 'kspp', 'DEFAULT_MMAP_MIN_ADDR', '65536')]
         stackleak_is_set = KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_STACKLEAK', 'y')

diff --git a/kernel_hardening_checker/engine.py b/kernel_hardening_checker/engine.py
@@ -81,6 +81,17 @@ def set_state(self, data: StrOrNone) -> None:
         self.state = data
 
     def check(self) -> None:
+        # handle checks, provided with list()
+        if self.expected.startswith('*') and self.expected.endswith('*'):
+            if  self.state is not None:
+                option = self.expected.strip('*')
+                optlist  = list(self.state.strip('"').split(','))
+                if option in optlist:
+                    self.result = f'OK: "{self.state}"'
+                else:
+                    self.result = f'FAIL: "{self.state}"'
+                return
+
         # handle the 'is present' check
         if self.expected == 'is present':
             if self.state is None:

diff --git a/kernel_hardening_checker/test_engine.py b/kernel_hardening_checker/test_engine.py
@@ -130,6 +130,8 @@ def test_simple_kconfig(self) -> None:
         config_checklist += [KconfigCheck('reason_8', 'decision_8', 'NAME_8', 'is not off')]
         config_checklist += [KconfigCheck('reason_9', 'decision_9', 'NAME_9', 'is not off')]
         config_checklist += [KconfigCheck('reason_10', 'decision_10', 'NAME_10', 'is not off')]
+        config_checklist += [KconfigCheck('reason_11', 'decision_11', 'NAME_11', '*expected_11*')]
+        config_checklist += [KconfigCheck('reason_12', 'decision_12', 'NAME_11', '*expected_12*')]
 
         # 2. prepare the parsed kconfig options
         parsed_kconfig_options  = {}
@@ -139,6 +141,7 @@ def test_simple_kconfig(self) -> None:
         parsed_kconfig_options['CONFIG_NAME_7'] = 'really_not_off'
         parsed_kconfig_options['CONFIG_NAME_8'] = 'off'
         parsed_kconfig_options['CONFIG_NAME_9'] = '0'
+        parsed_kconfig_options['CONFIG_NAME_11'] = '"expected_11,something,UNexpected_12"'
 
         # 3. run the engine
         self.run_engine(config_checklist, parsed_kconfig_options, None, None, None)
@@ -157,7 +160,9 @@ def test_simple_kconfig(self) -> None:
                  {'option_name': 'CONFIG_NAME_7', 'type': 'kconfig', 'desired_val': 'is not off', 'decision': 'decision_7', 'reason': 'reason_7', 'check_result': 'OK: is not off, "really_not_off"', 'check_result_bool': True},
                  {'option_name': 'CONFIG_NAME_8', 'type': 'kconfig', 'desired_val': 'is not off', 'decision': 'decision_8', 'reason': 'reason_8', 'check_result': 'FAIL: is off', 'check_result_bool': False},
                  {'option_name': 'CONFIG_NAME_9', 'type': 'kconfig', 'desired_val': 'is not off', 'decision': 'decision_9', 'reason': 'reason_9', 'check_result': 'FAIL: is off, "0"', 'check_result_bool': False},
-                 {'option_name': 'CONFIG_NAME_10', 'type': 'kconfig', 'desired_val': 'is not off', 'decision': 'decision_10', 'reason': 'reason_10', 'check_result': 'FAIL: is off, not found', 'check_result_bool': False}]
+                 {'option_name': 'CONFIG_NAME_10', 'type': 'kconfig', 'desired_val': 'is not off', 'decision': 'decision_10', 'reason': 'reason_10', 'check_result': 'FAIL: is off, not found', 'check_result_bool': False},
+                 {"option_name": 'CONFIG_NAME_11', 'type': 'kconfig', 'desired_val': '*expected_11*', 'decision': 'decision_11', 'reason': 'reason_11', "check_result": "OK: \"\"expected_11,something,UNexpected_12\"\"", "check_result_bool": True},
+                 {"option_name": 'CONFIG_NAME_11', 'type': 'kconfig', 'desired_val': '*expected_12*', 'decision': 'decision_12', 'reason': 'reason_12', "check_result": "FAIL: \"\"expected_11,something,UNexpected_12\"\"", "check_result_bool": False}]
         )
 
     def test_simple_cmdline(self) -> None: