From 7dae59471876e91b002e4d9b5b851b4df6a2ddb5 Mon Sep 17 00:00:00 2001 From: jvoisin Date: Fri, 17 May 2024 20:46:08 +0200 Subject: [PATCH] Tweak the checks for android > Android configs require various things that are currently disallowed in this tool. We can use CONFIG_ANDROID to detect Android configs and generate reports with fewer positives that cannot/should not be changed. Based on https://github.com/a13xp0p0v/kernel-hardening-checker/pull/91 --- kernel_hardening_checker/checks.py | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py index f2e4c34f..f24d86db 100644 --- a/kernel_hardening_checker/checks.py +++ b/kernel_hardening_checker/checks.py @@ -34,6 +34,7 @@ def add_kconfig_checks(l: List[ChecklistObjType], arch: str) -> None: modules_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'MODULES', 'is not set') # radical, but may be useful in some cases devmem_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'DEVMEM', 'is not set') # refers to LOCKDOWN bpf_syscall_not_set = KconfigCheck('cut_attack_surface', 'lockdown', 'BPF_SYSCALL', 'is not set') # refers to LOCKDOWN + is_android = KconfigCheck('-', '-', 'ANDROID', 'y') # 'self_protection', 'defconfig' l += [KconfigCheck('self_protection', 'defconfig', 'BUG', 'y')] @@ -305,7 +306,7 @@ def add_kconfig_checks(l: List[ChecklistObjType], arch: str) -> None: l += [KconfigCheck('cut_attack_surface', 'kspp', 'OABI_COMPAT', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'kspp', 'X86_MSR', 'is not set')] # refers to LOCKDOWN l += [KconfigCheck('cut_attack_surface', 'kspp', 'LEGACY_TIOCSTI', 'is not set')] - l += [modules_not_set] + l += [OR(modules_not_set, is_android)] # Android requires kernel modules: https://source.android.com/docs/core/architecture/kernel/loadable-kernel-modules l += [devmem_not_set] l += [OR(KconfigCheck('cut_attack_surface', 'kspp', 'IO_STRICT_DEVMEM', 'y'), devmem_not_set)] # refers to LOCKDOWN @@ -378,7 +379,8 @@ def add_kconfig_checks(l: List[ChecklistObjType], arch: str) -> None: l += [KconfigCheck('cut_attack_surface', 'clipos', 'STAGING', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'clipos', 'KSM', 'is not set')] # to prevent FLUSH+RELOAD attack l += [KconfigCheck('cut_attack_surface', 'clipos', 'KALLSYMS', 'is not set')] - l += [KconfigCheck('cut_attack_surface', 'clipos', 'MAGIC_SYSRQ', 'is not set')] + l += [OR(KconfigCheck('cut_attack_surface', 'clipos', 'MAGIC_SYSRQ', 'is not set'), + is_android)] # See https://android.googlesource.com/kernel/configs/#allowed l += [KconfigCheck('cut_attack_surface', 'clipos', 'KEXEC_FILE', 'is not set')] # refers to LOCKDOWN (permissive) l += [KconfigCheck('cut_attack_surface', 'clipos', 'USER_NS', 'is not set')] # user.max_user_namespaces=0 l += [KconfigCheck('cut_attack_surface', 'clipos', 'X86_CPUID', 'is not set')] @@ -392,7 +394,7 @@ def add_kconfig_checks(l: List[ChecklistObjType], arch: str) -> None: l += [KconfigCheck('cut_attack_surface', 'lockdown', 'EFI_TEST', 'is not set')] # refers to LOCKDOWN l += [KconfigCheck('cut_attack_surface', 'lockdown', 'MMIOTRACE_TEST', 'is not set')] # refers to LOCKDOWN l += [KconfigCheck('cut_attack_surface', 'lockdown', 'KPROBES', 'is not set')] # refers to LOCKDOWN - l += [bpf_syscall_not_set] # refers to LOCKDOWN + l += [OR(bpf_syscall_not_set, is_android)] # refers to LOCKDOWN, Android requires BPF: https://source.android.com/docs/core/architecture/kernel/bpf # 'cut_attack_surface', 'a13xp0p0v' l += [KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'MMIOTRACE', 'is not set')] # refers to LOCKDOWN (permissive) @@ -408,6 +410,7 @@ def add_kconfig_checks(l: List[ChecklistObjType], arch: str) -> None: l += [KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'MODULE_FORCE_LOAD', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'BLK_DEV_WRITE_MOUNTED', 'is not set')] l += [OR(KconfigCheck('cut_attack_surface', 'a13xp0p0v', 'TRIM_UNUSED_KSYMS', 'y'), + is_android, # Android frequently uses out-of-tree modules: https://source.android.com/docs/core/architecture/kernel/vendor-module-guidelines modules_not_set)]