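#!/bin/bash
# check-kernel-config: verify that a kernel .config carries the Halium-required
# options, and optionally rewrite the file so that it does.
#
# Usage: check-kernel-config <path/to/.config> [-w]
#   -w   fix the config in place instead of only reporting problems
#
# Globals written: FILE (path under test), write (true/false, -w given)

FILE=$1
# Refuse to continue without a regular file. The status must be non-zero so a
# calling build script notices; a bare `exit` here would have returned the
# status of the preceding echo, i.e. 0.
[ -f "$FILE" ] || {
  echo "Provide a config file as argument" >&2
  exit 1
}
write=false
if [ "$2" = "-w" ]; then
  write=true
fi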
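# The three lists below are whitespace-separated words (the loops that consume
# them rely on word-splitting), so keep one symbol per line and no quoting.
#
# NOTE(review): symbol names are kernel-version specific; on newer trees some
# of these were renamed (e.g. CONFIG_CC_STACKPROTECTOR -> CONFIG_STACKPROTECTOR,
# CONFIG_DEBUG_RODATA -> CONFIG_STRICT_KERNEL_RWX) and the old name is then
# simply reported as "neither enabled nor disabled" — confirm against the
# target kernel before treating such a report as a real gap.

# Options that must be built in or as a module (=y or =m).
CONFIGS_ON="
CONFIG_IKCONFIG
CONFIG_CPUSETS
CONFIG_AUTOFS4_FS
CONFIG_TMPFS_XATTR
CONFIG_TMPFS_POSIX_ACL
CONFIG_CGROUP_DEVICE
CONFIG_CGROUP_MEM_RES_CTLR
CONFIG_CGROUP_MEM_RES_CTLR_SWAP
CONFIG_CGROUP_MEM_RES_CTLR_KMEM
CONFIG_RTC_DRV_CMOS
CONFIG_BLK_CGROUP
CONFIG_CGROUP_PERF
CONFIG_IKCONFIG_PROC
CONFIG_SYSVIPC
CONFIG_CGROUPS
CONFIG_CGROUP_FREEZER
CONFIG_NAMESPACES
CONFIG_UTS_NS
CONFIG_IPC_NS
CONFIG_USER_NS
CONFIG_PID_NS
CONFIG_NET_NS
CONFIG_AUDIT
CONFIG_AUDITSYSCALL
CONFIG_AUDIT_TREE
CONFIG_AUDIT_WATCH
CONFIG_CC_STACKPROTECTOR
CONFIG_DEBUG_RODATA
CONFIG_DEVTMPFS
CONFIG_DEVTMPFS_MOUNT
CONFIG_DEVPTS_MULTIPLE_INSTANCES
CONFIG_ECRYPT_FS
CONFIG_ECRYPT_FS_MESSAGING
CONFIG_ENCRYPTED_KEYS
CONFIG_EXT4_FS_POSIX_ACL
CONFIG_EXT4_FS_SECURITY
CONFIG_FSNOTIFY
CONFIG_DNOTIFY
CONFIG_INOTIFY_USER
CONFIG_FANOTIFY
CONFIG_FANOTIFY_ACCESS_PERMISSIONS
CONFIG_KEYS
CONFIG_SWAP
CONFIG_VT
CONFIG_VT_CONSOLE
CONFIG_SECCOMP
CONFIG_SECURITY
CONFIG_SECURITYFS
CONFIG_SECURITY_NETWORK
CONFIG_NETLABEL
CONFIG_SECURITY_PATH
CONFIG_SECURITY_SELINUX
CONFIG_SECURITY_SELINUX_BOOTPARAM
CONFIG_SECURITY_SELINUX_DISABLE
CONFIG_SECURITY_SELINUX_DEVELOP
CONFIG_SECURITY_SELINUX_AVC_STATS
CONFIG_SECURITY_SMACK
CONFIG_SECURITY_TOMOYO
CONFIG_DEFAULT_SECURITY_APPARMOR
CONFIG_SECURITY_APPARMOR
CONFIG_SECURITY_APPARMOR_HASH
CONFIG_SECURITY_APPARMOR_UNCONFINED_INIT
CONFIG_SECURITY_YAMA
CONFIG_SECURITY_YAMA_STACKED
CONFIG_STRICT_DEVMEM
CONFIG_SYN_COOKIES
CONFIG_BT
CONFIG_BT_RFCOMM
CONFIG_BT_RFCOMM_TTY
CONFIG_BT_BNEP
CONFIG_BT_BNEP_MC_FILTER
CONFIG_BT_BNEP_PROTO_FILTER
CONFIG_BT_HIDP
CONFIG_XFRM_USER
CONFIG_NET_KEY
CONFIG_INET
CONFIG_IP_ADVANCED_ROUTER
CONFIG_IP_MULTIPLE_TABLES
CONFIG_INET_AH
CONFIG_INET_ESP
CONFIG_INET_IPCOMP
CONFIG_INET_XFRM_MODE_TRANSPORT
CONFIG_INET_XFRM_MODE_TUNNEL
CONFIG_INET_XFRM_MODE_BEET
CONFIG_IPV6
CONFIG_INET6_AH
CONFIG_INET6_ESP
CONFIG_INET6_IPCOMP
CONFIG_INET6_XFRM_MODE_TRANSPORT
CONFIG_INET6_XFRM_MODE_TUNNEL
CONFIG_INET6_XFRM_MODE_BEET
CONFIG_IPV6_MULTIPLE_TABLES
CONFIG_NETFILTER
CONFIG_NETFILTER_ADVANCED
CONFIG_NETFILTER_NETLINK
CONFIG_NETFILTER_NETLINK_ACCT
CONFIG_NETFILTER_NETLINK_LOG
CONFIG_NETFILTER_NETLINK_QUEUE
CONFIG_NETFILTER_TPROXY
CONFIG_NETFILTER_XTABLES
CONFIG_NETFILTER_XT_CONNMARK
CONFIG_NETFILTER_XT_MARK
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE
CONFIG_NETFILTER_XT_MATCH_CLUSTER
CONFIG_NETFILTER_XT_MATCH_COMMENT
CONFIG_NETFILTER_XT_MATCH_CONNBYTES
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT
CONFIG_NETFILTER_XT_MATCH_CONNMARK
CONFIG_NETFILTER_XT_MATCH_CONNTRACK
CONFIG_NETFILTER_XT_MATCH_CPU
CONFIG_NETFILTER_XT_MATCH_DCCP
CONFIG_NETFILTER_XT_MATCH_DEVGROUP
CONFIG_NETFILTER_XT_MATCH_DSCP
CONFIG_NETFILTER_XT_MATCH_ECN
CONFIG_NETFILTER_XT_MATCH_ESP
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT
CONFIG_NETFILTER_XT_MATCH_HELPER
CONFIG_NETFILTER_XT_MATCH_HL
CONFIG_NETFILTER_XT_MATCH_IPRANGE
CONFIG_NETFILTER_XT_MATCH_LENGTH
CONFIG_NETFILTER_XT_MATCH_LIMIT
CONFIG_NETFILTER_XT_MATCH_MAC
CONFIG_NETFILTER_XT_MATCH_MARK
CONFIG_NETFILTER_XT_MATCH_MULTIPORT
CONFIG_NETFILTER_XT_MATCH_NFACCT
CONFIG_NETFILTER_XT_MATCH_OSF
CONFIG_NETFILTER_XT_MATCH_OWNER
CONFIG_NETFILTER_XT_MATCH_PKTTYPE
CONFIG_NETFILTER_XT_MATCH_POLICY
CONFIG_NETFILTER_XT_MATCH_QUOTA
CONFIG_NETFILTER_XT_MATCH_QUOTA2
CONFIG_NETFILTER_XT_MATCH_RATEEST
CONFIG_NETFILTER_XT_MATCH_REALM
CONFIG_NETFILTER_XT_MATCH_RECENT
CONFIG_NETFILTER_XT_MATCH_SCTP
CONFIG_NETFILTER_XT_MATCH_SOCKET
CONFIG_NETFILTER_XT_MATCH_STATE
CONFIG_NETFILTER_XT_MATCH_STATISTIC
CONFIG_NETFILTER_XT_MATCH_STRING
CONFIG_NETFILTER_XT_MATCH_TCPMSS
CONFIG_NETFILTER_XT_MATCH_TIME
CONFIG_NETFILTER_XT_MATCH_U32
CONFIG_NETFILTER_XT_TARGET_AUDIT
CONFIG_NETFILTER_XT_TARGET_CHECKSUM
CONFIG_NETFILTER_XT_TARGET_CLASSIFY
CONFIG_NETFILTER_XT_TARGET_CONNMARK
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK
CONFIG_NETFILTER_XT_TARGET_CT
CONFIG_NETFILTER_XT_TARGET_DSCP
CONFIG_NETFILTER_XT_TARGET_HL
CONFIG_NETFILTER_XT_TARGET_IDLETIMER
CONFIG_NETFILTER_XT_TARGET_LED
CONFIG_NETFILTER_XT_TARGET_LOG
CONFIG_NETFILTER_XT_TARGET_MARK
CONFIG_NETFILTER_XT_TARGET_NFLOG
CONFIG_NETFILTER_XT_TARGET_NFQUEUE
CONFIG_NETFILTER_XT_TARGET_NOTRACK
CONFIG_NETFILTER_XT_TARGET_RATEEST
CONFIG_NETFILTER_XT_TARGET_SECMARK
CONFIG_NETFILTER_XT_TARGET_TCPMSS
CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP
CONFIG_NETFILTER_XT_TARGET_TEE
CONFIG_NETFILTER_XT_TARGET_TPROXY
CONFIG_NETFILTER_XT_TARGET_TRACE
CONFIG_NF_CONNTRACK_ZONES
CONFIG_IP6_NF_FILTER
CONFIG_IP6_NF_IPTABLES
CONFIG_IP6_NF_MANGLE
CONFIG_IP6_NF_MATCH_AH
CONFIG_IP6_NF_MATCH_EUI64
CONFIG_IP6_NF_MATCH_FRAG
CONFIG_IP6_NF_MATCH_HL
CONFIG_IP6_NF_MATCH_IPV6HEADER
CONFIG_IP6_NF_MATCH_MH
CONFIG_IP6_NF_MATCH_OPTS
CONFIG_IP6_NF_MATCH_RPFILTER
CONFIG_IP6_NF_MATCH_RT
CONFIG_IP6_NF_QUEUE
CONFIG_IP6_NF_RAW
CONFIG_IP6_NF_SECURITY
CONFIG_IP6_NF_TARGET_HL
CONFIG_IP6_NF_TARGET_REJECT
CONFIG_IP6_NF_TARGET_REJECT_SKERR
CONFIG_DNS_RESOLVER
CONFIG_IOSCHED_DEADLINE
CONFIG_SUSPEND_TIME
CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS
CONFIG_CONSOLE_TRANSLATIONS
CONFIG_EVM
CONFIG_INTEGRITY_SIGNATURE
CONFIG_FHANDLE
CONFIG_EPOLL
CONFIG_SIGNALFD
CONFIG_TIMERFD
"
# (CONFIG_TMPFS_POSIX_ACL was listed twice; the duplicate only made every pass
# report and fix it twice.)

# Options that must not be =y or =m.
CONFIGS_OFF="
CONFIG_NETPRIO_CGROUP
CONFIG_NET_CLS_CGROUP
CONFIG_FW_LOADER_USER_HELPER
CONFIG_ANDROID_LOW_MEMORY_KILLER
CONFIG_ANDROID_PARANOID_NETWORK
CONFIG_DEFAULT_SECURITY_DAC
CONFIG_DEFAULT_SECURITY_SELINUX
CONFIG_DEFAULT_SECURITY_TOMOYO
CONFIG_DEFAULT_SECURITY_YAMA
CONFIG_DEFAULT_SECURITY_SMACK
CONFIG_SECURITY_APPARMOR_STATS
CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX
CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER
CONFIG_BT_HCIBTUSB
CONFIG_BT_HCIBTSDIO
CONFIG_BT_HCIUART
CONFIG_BT_HCIBCM203X
CONFIG_BT_HCIBPA10X
CONFIG_BT_HCIBFUSB
CONFIG_BT_HCIVHCI
CONFIG_BT_MRVL
CONFIG_AF_RXRPC
CONFIG_KEYS_DEBUG_PROC_KEYS
CONFIG_XFRM_MIGRATE
CONFIG_XFRM_STATISTICS
CONFIG_XFRM_SUB_POLICY
CONFIG_COMPAT_BRK
CONFIG_DEVKMEM
CONFIG_NETFILTER_DEBUG
CONFIG_IP_SET
CONFIG_IP_VS
CONFIG_RT_GROUP_SCHED
CONFIG_ARM_UNWIND
CONFIG_VT_HW_CONSOLE_BINDING
CONFIG_FRAMEBUFFER_CONSOLE
CONFIG_SPEAKUP
CONFIG_CIFS_UPCALL
CONFIG_CIFS_DFS_UPCALL
CONFIG_KGDB
"

# Options that must appear exactly as written here (value included). The \"
# are needed so the quotes survive into the words the loop iterates over and
# end up in the config file verbatim.
CONFIGS_EQ="
CONFIG_DEFAULT_SECURITY=\"apparmor\"
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
CONFIG_SECURITY_TOMOYO_MAX_ACCEPT_ENTRY=2048
CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024
CONFIG_SECURITY_TOMOYO_POLICY_LOADER=\"/sbin/tomoyo-init\"
CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER=\"/sbin/init\"
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
CONFIG_DEFAULT_IOSCHED=\"deadline\"
CONFIG_EVM_HMAC_VERSION=2
"
# (CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1 was listed twice.)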
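#######################################
# Print a message in red.
# Arguments: $* - message text; backslash escapes such as \n are interpreted,
#                 matching the previous `echo -e` behaviour callers rely on
# Outputs:   the message on stdout, preceded by the ANSI red sequence
#######################################
ered() {
  # "$*" instead of a bare $@ so the message is never word-split or globbed.
  printf '\033[31m %b\n' "$*"
}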
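#######################################
# Print a message in green.
# Arguments: $* - message text; backslash escapes such as \n are interpreted,
#                 matching the previous `echo -e` behaviour callers rely on
# Outputs:   the message on stdout, preceded by the ANSI green sequence
#######################################
egreen() {
  # "$*" instead of a bare $@ so the message is never word-split or globbed.
  printf '\033[32m %b\n' "$*"
}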
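#######################################
# Print a message in white (also used at the end of the run to leave the
# terminal in a readable colour, since no helper emits a reset sequence).
# Arguments: $* - message text; backslash escapes such as \n are interpreted,
#                 matching the previous `echo -e` behaviour callers rely on
# Outputs:   the message on stdout, preceded by the ANSI white sequence
#######################################
ewhite() {
  # "$*" instead of a bare $@ so the message is never word-split or globbed.
  printf '\033[37m %b\n' "$*"
}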
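printf '\n\nChecking config file for Halium specific config options.\n\n\n'
errors=0   # problems found that were not (or could not be) fixed
fixes=0    # edits made to $FILE in -w mode

#######################################
# Escape text for use in the replacement part of a sed "s,,," command.
# Arguments: $1 - raw text (e.g. a value read back from the config file)
# Outputs:   the text with \ & and the , delimiter protected, on stdout
#######################################
sed_escape() {
  printf '%s' "$1" | sed 's/[\\&,]/\\&/g'
}

# Symbol names in the lists are [A-Z0-9_]+ only, so they are safe to splice
# into grep/sed patterns unescaped; values (CONFIGS_EQ right-hand sides and
# anything read back from $FILE) are not, and go through sed_escape or -F.

# Pass 1: every boolean option must be mentioned exactly once, either as
# "X=y"/"X=m" or as "# X is not set". With -w a missing option is appended as
# "not set" so that the later passes can flip it in place.
# shellcheck disable=SC2086  # the lists are deliberately word-split
for c in $CONFIGS_ON $CONFIGS_OFF; do
  cnt=$(grep -c -w -- "$c" "$FILE")
  if [ "$cnt" -gt 1 ]; then
    ered "$c appears more than once in the config file, fix this"
    errors=$((errors+1))
  elif [ "$cnt" -eq 0 ]; then   # >1 and 0 are exclusive, so elif is safe
    if $write; then
      ewhite "Creating $c"
      printf '# %s is not set\n' "$c" >> "$FILE"
      fixes=$((fixes+1))
    else
      ered "$c is neither enabled nor disabled in the config file"
      errors=$((errors+1))
    fi
  fi
done

# Pass 2: CONFIGS_ON must be =y or =m. Patterns are anchored at both ends so
# "CONFIG_BT=y" cannot be satisfied by a longer symbol or a stray prefix.
# shellcheck disable=SC2086
for c in $CONFIGS_ON; do
  if grep -q -- "^$c=[ym]\$" "$FILE"; then
    egreen "$c is already set"
  elif $write; then
    ewhite "Setting $c"
    sed -i "s,^# $c is not set\$,$c=y," "$FILE"
    fixes=$((fixes+1))
  else
    ered "$c is not set, set it"
    errors=$((errors+1))
  fi
done

# Pass 3: CONFIGS_EQ must appear as an exact line (name and value).
# shellcheck disable=SC2086
for c in $CONFIGS_EQ; do
  lhs=${c%%=*}
  rhs=${c#*=}
  if grep -qxF -- "$c" "$FILE"; then
    egreen "$c is already set correctly."
  elif cur_line=$(grep -m1 -- "^$lhs=" "$FILE"); then
    # Only "NAME=" lines count as "set"; "^$lhs" alone would also match
    # longer symbols such as ${lhs}_APPARMOR and the sed below would then
    # clobber them.
    cur=${cur_line#*=}
    ered "$lhs is set, but to $cur not $rhs."
    if $write; then
      egreen "Setting $c correctly"
      # $cur comes from the file and may contain sed-special characters.
      sed -i "s,^$lhs=.*,# $lhs was $(sed_escape "$cur")\n$(sed_escape "$c")," "$FILE"
      fixes=$((fixes+1))
    else
      # A wrong value is an error too; it was previously reported in red but
      # never counted, so the final summary claimed "no errors".
      errors=$((errors+1))
    fi
  elif $write; then
    ewhite "Setting $c"
    if grep -q -- "^# $lhs is not set\$" "$FILE"; then
      # Replace the disabled marker rather than leaving two entries for $lhs.
      sed -i "s,^# $lhs is not set\$,$(sed_escape "$c")," "$FILE"
    else
      printf '%s\n' "$c" >> "$FILE"
    fi
    fixes=$((fixes+1))
  else
    ered "$c is not set"
    errors=$((errors+1))
  fi
done

# Pass 4: CONFIGS_OFF must not be =y or =m.
# shellcheck disable=SC2086
for c in $CONFIGS_OFF; do
  if grep -q -- "^$c=[ym]\$" "$FILE"; then
    if $write; then
      ewhite "Unsetting $c"
      sed -i "s,^$c=.*,# $c is not set," "$FILE"
      fixes=$((fixes+1))
    else
      ered "$c is set, unset it"
      errors=$((errors+1))
    fi
  else
    egreen "$c is already unset"
  fi
done

if [ "$errors" -eq 0 ]; then
  egreen "\n\nConfig file checked, found no errors.\n\n"
else
  ered "\n\nConfig file checked, found $errors errors that I did not fix.\n\n"
fi
if [ "$fixes" -gt 0 ]; then
  egreen "Made $fixes fixes.\n\n"
fi
# Leave the terminal in white; the colour helpers never emit a reset.
ewhite " "
# Exit non-zero when problems remain so a build script can gate on this check.
if [ "$errors" -gt 0 ]; then
  exit 1
fi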