parsing CONFIG_LSM option implementation #167

Open
wants to merge 6 commits into
base: master

Contributor

@d1sgr4c3 d1sgr4c3 commented Nov 22, 2024

hello, @a13xp0p0v
this PR refers to #151

i have a few theses

checks design

maybe we should use this design

```
lsm_modules = ['module1', 'module2', 'moduleN']  # ... any number of module names
for module in lsm_modules:
    l += [KconfigCheck('self_protection', 'kspp', 'LSM', module)]
```

instead of

```
l += [KconfigCheck('self_protection', 'kspp', 'LSM', 'landlock')]
l += [KconfigCheck('self_protection', 'kspp', 'LSM', 'lockdown')]
l += [KconfigCheck('self_protection', 'kspp', 'LSM', 'yama')]
```

but if we iterate this, we can't past author (kspp, a13xp0p0v, or anyone else) easily. so, it's not a suggestion, just a little question

modules

maybe you meant some modules which i have not committed?

generate option

how to be with -g X86_64?

@d1sgr4c3 d1sgr4c3 force-pushed the lsm_list branch 3 times, most recently from 9777464 to 407628c Compare November 24, 2024 10:54
Owner

@a13xp0p0v a13xp0p0v left a comment


Hi @d1sgr4c3,
Thanks for your work!
Please see my review.

@d1sgr4c3 d1sgr4c3 force-pushed the lsm_list branch 3 times, most recently from 53e873c to 623bd4b Compare December 8, 2024 01:31
Contributor Author

d1sgr4c3 commented Dec 8, 2024

@a13xp0p0v, done with the advice

@d1sgr4c3 d1sgr4c3 requested a review from a13xp0p0v December 8, 2024 21:32
Owner

@a13xp0p0v a13xp0p0v left a comment


Hello @d1sgr4c3.
Thanks for the fixes.
But there are a lot of things to improve still.
Please see my review.

Contributor Author

d1sgr4c3 commented Dec 22, 2024

hello, @a13xp0p0v
i've done the requested changes except two things:

  • i think that the typo fix in test_engine.py isn't needed because i wrote it to simulate lsm list like in kconfig
  • there are many ifs in engine, so i need your advice to make it more beautiful

in any case, i rewrote the code, excluded bugs and made everything like you wrote in the review + it works

@d1sgr4c3 d1sgr4c3 force-pushed the lsm_list branch 2 times, most recently from 210b5b8 to 5e03408 Compare December 27, 2024 03:03
Contributor Author

hello, @a13xp0p0v
please have a look at checks we wrote
here is a hitch: CONFIG_LSM only provides the order of modules, but, in fact, even if LSM contains some module, it may not even be compiled, so it won't work at all
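
The hitch raised in the comment above, as an added example that is not part of this PR or the project's code: a check that requires a module both to be listed in CONFIG_LSM and to be built in. The `check_lsm` helper, the module-to-option mapping (upstream kernel option names) and the sample config are assumptions for illustration; the `OK: in` / `FAIL: not in` strings follow the assertion output shown on this page.

```python
import re

# Assumed mapping from an LSM name (as written in CONFIG_LSM) to the Kconfig
# option that builds it. Upstream kernel option names, not taken from this PR.
LSM_BUILD_OPTION = {
    'landlock': 'CONFIG_SECURITY_LANDLOCK',
    'lockdown': 'CONFIG_SECURITY_LOCKDOWN_LSM',
    'yama': 'CONFIG_SECURITY_YAMA',
    'apparmor': 'CONFIG_SECURITY_APPARMOR',
    'selinux': 'CONFIG_SECURITY_SELINUX',
    'bpf': 'CONFIG_BPF_LSM',
}

def parse_kconfig(text):
    """Return {option: value} for each 'CONFIG_X=value' line, quotes stripped."""
    opts = {}
    for line in text.splitlines():
        m = re.fullmatch(r'(CONFIG_\w+)=(.*)', line.strip())
        if m:  # '# CONFIG_X is not set' lines do not match and stay absent
            opts[m.group(1)] = m.group(2).strip('"')
    return opts

def check_lsm(opts, module):
    """Hypothetical check: module is listed in CONFIG_LSM and compiled in."""
    lsm = opts.get('CONFIG_LSM')
    if lsm is None:
        return 'FAIL: CONFIG_LSM not found'
    # Compare whole comma-separated tokens, so 'lock' never matches 'lockdown'.
    listed = [name.strip() for name in lsm.split(',') if name.strip()]
    if module not in listed:
        return f'FAIL: not in "{lsm}"'
    # Modules without a known build option are judged by the list alone.
    build_opt = LSM_BUILD_OPTION.get(module)
    if build_opt and opts.get(build_opt) != 'y':
        return f'FAIL: in "{lsm}", but {build_opt} is not "y"'
    return f'OK: in "{lsm}"'

# Constructed sample config: landlock is listed in CONFIG_LSM but not built.
SAMPLE = '''
CONFIG_SECURITY_YAMA=y
CONFIG_SECURITY_LOCKDOWN_LSM=y
# CONFIG_SECURITY_LANDLOCK is not set
CONFIG_LSM="lockdown,yama,integrity,apparmor,bpf,landlock"
'''

if __name__ == '__main__':
    sample_opts = parse_kconfig(SAMPLE)
    for name in ('yama', 'landlock', 'selinux'):
        print(name, '->', check_lsm(sample_opts, name))
```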

@d1sgr4c3 d1sgr4c3 requested a review from a13xp0p0v December 28, 2024 03:42
That is needed to fix these assertions:
```
  File "/home/a13x/land/develop/Linux_Kernel/kernel-hardening-checker/kernel_hardening_checker/engine.py", line 302, in check
    assert(opt.result.startswith('OK: is not off')), \
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
AssertionError: unexpected OK description "OK: in "lockdown,yama,integrity,apparmor,bpf,landlock""
```
and
```
  File "/home/a13x/land/develop/Linux_Kernel/kernel-hardening-checker/kernel_hardening_checker/engine.py", line 340, in check
    assert(opt.result == 'FAIL: is off, not found'), \
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
AssertionError: unexpected FAIL description "FAIL: not in "lockdown,yama,integrity,apparmor,bpf,landlock""
```