github/linuxkit
1
0
Fork 0
mirror of https://github.com/linuxkit/linuxkit.git synced 2026-04-03 16:09:46 +00:00
Code Issues Projects Releases Wiki Activity
Files
843f7583b8e221bb5b7c596cd6b235cae835b6fc
linuxkit/test/pkg/kernel-config/check-kernel-config.sh
Rolf Neugebauer 5fae83934d tests: Remove rootfs from kernel config test 
The rootfs fs was removed in 5.3.x but was mostly a
irrelevant entry in the filesystems list anyway.

Here is the upstream commit:

commit fd3e007f6c6a0f677e4ee8aca4b9bab8ad6cab9a
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Thu May 30 17:48:35 2019 -0400

    don't bother with registering rootfs

    init_mount_tree() can get to rootfs_fs_type directly and that simplifies
    a lot of things.  We don't need to register it, we don't need to look
    it up *and* we don't need to bother with preventing subsequent userland
    mounts.  That's the way we should've done that from the very beginning.

    There is a user-visible change, namely the disappearance of "rootfs"
    from /proc/filesystems.  Note that it's been unmountable all along
    and it didn't show up in /proc/mounts; however, it *is* a user-visible
    change and theoretically some script might've been using its presence
    in /proc/filesystems to tell 2.4.11+ from earlier kernels.

    *IF* any complaints about behaviour change do show up, we could fake
    it in /proc/filesystems.  I very much doubt we'll have to, though.

    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2019-10-02 19:46:52 +01:00

183 lines
7.0 KiB
Bash
Executable File
Raw Blame History

#!/bin/sh
set -e
function fail {
printf "FAILURE: $1\n"
FAILED=1
}
echo "starting kernel config sanity test with ${1:-/proc/config.gz}"
if [ -n "$1" ]; then
UNZIPPED_CONFIG=$(cat "$1")
else
# decompress /proc/config.gz from the host
UNZIPPED_CONFIG=$(zcat /proc/config.gz)
fi
if [ -n "$2" ]; then
kernelVersion="$2"
else
kernelVersion="$(uname -r)"
fi
kernelMajor="${kernelVersion%%.*}"
kernelMinor="${kernelVersion#$kernelMajor.}"
kernelMinor="${kernelMinor%%.*}"
arch="$(uname -m)"
# Most tests against https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
# Positive cases
echo $UNZIPPED_CONFIG | grep -q CONFIG_BUG=y || fail "CONFIG_BUG=y"
echo $UNZIPPED_CONFIG | grep -q CONFIG_DEBUG_KERNEL=y || fail "CONFIG_DEBUG_KERNEL=y"
echo $UNZIPPED_CONFIG | grep -q CONFIG_STRICT_DEVMEM=y || fail "CONFIG_STRICT_DEVMEM=y"
echo $UNZIPPED_CONFIG | grep -q CONFIG_SYN_COOKIES=y || fail "CONFIG_SYN_COOKIES=y"
echo $UNZIPPED_CONFIG | grep -q CONFIG_DEBUG_CREDENTIALS=y || fail "CONFIG_DEBUG_CREDENTIALS=y"
echo $UNZIPPED_CONFIG | grep -q CONFIG_DEBUG_NOTIFIERS=y || fail "CONFIG_DEBUG_NOTIFIERS=y"
echo $UNZIPPED_CONFIG | grep -q CONFIG_DEBUG_LIST=y || fail "CONFIG_DEBUG_LIST=y"
echo $UNZIPPED_CONFIG | grep -q CONFIG_SECCOMP=y || fail "CONFIG_SECCOMP=y"
echo $UNZIPPED_CONFIG | grep -q CONFIG_SECCOMP_FILTER=y || fail "CONFIG_SECCOMP_FILTER=y"
echo $UNZIPPED_CONFIG | grep -q CONFIG_SECURITY=y || fail "CONFIG_SECURITY=y"
echo $UNZIPPED_CONFIG | grep -q CONFIG_SECURITY_YAMA=y || fail "CONFIG_SECURITY_YAMA=y"
echo $UNZIPPED_CONFIG | grep -q CONFIG_PANIC_ON_OOPS=y || fail "CONFIG_PANIC_ON_OOPS=y"
echo $UNZIPPED_CONFIG | grep -q CONFIG_SYN_COOKIES=y || fail "CONFIG_SYN_COOKIES=y"
echo $UNZIPPED_CONFIG | grep -q CONFIG_BPF_JIT_ALWAYS_ON=y || fail "CONFIG_BPF_JIT_ALWAYS_ON=y"
# Conditional on kernel version
if [ "$kernelMajor" -eq 4 -a "$kernelMinor" -le 10 ]; then
echo $UNZIPPED_CONFIG | grep -q CONFIG_DEBUG_RODATA=y || fail "CONFIG_DEBUG_RODATA=y"
echo $UNZIPPED_CONFIG | grep -q CONFIG_DEBUG_SET_MODULE_RONX=y || fail "CONFIG_DEBUG_SET_MODULE_RONX=y"
fi
# Options added in newer kernels
if [ "$kernelMajor" -eq 5 ] || [ "$kernelMajor" -eq 4 -a "$kernelMinor" -ge 5 ]; then
echo $UNZIPPED_CONFIG | grep -q CONFIG_UBSAN=y || fail "CONFIG_UBSAN=y"
fi
if [ "$kernelMajor" -eq 5 ] || [ "$kernelMajor" -eq 4 -a "$kernelMinor" -ge 7 ]; then
echo $UNZIPPED_CONFIG | grep -q CONFIG_SLAB_FREELIST_RANDOM=y || fail "CONFIG_SLAB_FREELIST_RANDOM=y"
fi
if [ "$kernelMajor" -eq 5 ] || [ "$kernelMajor" -eq 4 -a "$kernelMinor" -ge 8 ]; then
echo $UNZIPPED_CONFIG | grep -q CONFIG_HARDENED_USERCOPY=y || fail "CONFIG_HARDENED_USERCOPY=y"
fi
# 4.18.x renamed this option (and re-introduced CC_STACKPROTECTOR as STACKPROTECTOR)
if [ "$kernelMajor" -eq 5 ] || [ "$kernelMajor" -le 4 -a "$kernelMinor" -ge 18 ]; then
echo $UNZIPPED_CONFIG | grep -q CONFIG_STACKPROTECTOR=y || fail "CONFIG_STACKPROTECTOR=y"
echo $UNZIPPED_CONFIG | grep -q CONFIG_STACKPROTECTOR_STRONG=y || fail "CONFIG_STACKPROTECTOR_STRONG=y"
else
echo $UNZIPPED_CONFIG | grep -q CONFIG_CC_STACKPROTECTOR_STRONG=y || fail "CONFIG_CC_STACKPROTECTOR_STRONG=y"
fi
# poisoning cannot be enabled in 4.4
if [ "$kernelMajor" -eq 5 ] || [ "$kernelMajor" -eq 4 -a "$kernelMinor" -ge 9 ]; then
echo $UNZIPPED_CONFIG | grep -q CONFIG_PAGE_POISONING=y || fail "CONFIG_PAGE_POISONING=y"
echo $UNZIPPED_CONFIG | grep -q CONFIG_PAGE_POISONING_NO_SANITY=y || fail "CONFIG_PAGE_POISONING_NO_SANITY=y"
echo $UNZIPPED_CONFIG | grep -q CONFIG_PAGE_POISONING_ZERO=y || fail "CONFIG_PAGE_POISONING_ZERO=y"
fi
if [ "$kernelMajor" -eq 5 ] || [ "$kernelMajor" -eq 4 -a "$kernelMinor" -ge 10 ]; then
echo $UNZIPPED_CONFIG | grep -q CONFIG_BUG_ON_DATA_CORRUPTION=y || fail "CONFIG_BUG_ON_DATA_CORRUPTION=y"
fi
if [ "$kernelMajor" -eq 5 ] || [ "$kernelMajor" -eq 4 -a "$kernelMinor" -ge 11 ]; then
echo $UNZIPPED_CONFIG | grep -q CONFIG_STRICT_KERNEL_RWX=y || fail "CONFIG_STRICT_KERNEL_RWX=y"
echo $UNZIPPED_CONFIG | grep -q CONFIG_STRICT_MODULE_RWX=y || fail "CONFIG_STRICT_MODULE_RWX=y"
fi
if [ "$kernelMajor" -eq 5 ] || [ "$kernelMajor" -eq 4 -a "$kernelMinor" -ge 5 ]; then
echo $UNZIPPED_CONFIG | grep -q CONFIG_RANDOMIZE_BASE=y || fail "CONFIG_RANDOMIZE_BASE=y"
fi
# Positive cases conditional on architecture and/or kernel version
if [ "$arch" = "x86_64" ]; then
echo $UNZIPPED_CONFIG | grep -q CONFIG_LEGACY_VSYSCALL_NONE=y || fail "CONFIG_LEGACY_VSYSCALL_NONE=y"
echo $UNZIPPED_CONFIG | grep -q CONFIG_PAGE_TABLE_ISOLATION=y || fail "CONFIG_PAGE_TABLE_ISOLATION=y"
echo $UNZIPPED_CONFIG | grep -q CONFIG_RETPOLINE=y || fail "CONFIG_RETPOLINE=y"
echo $UNZIPPED_CONFIG | grep -q CONFIG_GENERIC_CPU_VULNERABILITIES=y || fail "CONFIG_GENERIC_CPU_VULNERABILITIES=y"
if [ "$kernelMajor" -eq 5 ] || [ "$kernelMajor" -eq 4 -a "$kernelMinor" -ge 5 ]; then
echo $UNZIPPED_CONFIG | grep -q CONFIG_IO_STRICT_DEVMEM=y || fail "CONFIG_IO_STRICT_DEVMEM=y"
fi
if [ "$kernelMajor" -eq 5 ] || [ "$kernelMajor" -eq 4 -a "$kernelMinor" -ge 8 ]; then
echo $UNZIPPED_CONFIG | grep -q CONFIG_RANDOMIZE_MEMORY=y || fail "CONFIG_RANDOMIZE_MEMORY=y"
fi
fi
# Negative cases
echo $UNZIPPED_CONFIG | grep -q 'CONFIG_COMPAT_BRK is not set' || fail "CONFIG_COMPAT_BRK is not set"
echo $UNZIPPED_CONFIG | grep -q 'CONFIG_SCSI_PROC_FS is not set' || fail "CONFIG_SCSI_PROC_FS is not set"
# Negative cases conditional on architecture and/or kernel version
if [ "$arch" = "x86_64" ]; then
echo $UNZIPPED_CONFIG | grep -q 'CONFIG_ACPI_CUSTOM_METHOD is not set' || fail "CONFIG_ACPI_CUSTOM_METHOD is not set"
echo $UNZIPPED_CONFIG | grep -q 'CONFIG_DEVKMEM is not set' || fail "CONFIG_DEVKMEM is not set"
echo $UNZIPPED_CONFIG | grep -q 'CONFIG_COMPAT_VDSO is not set' || fail "CONFIG_COMPAT_VDSO is not set"
echo $UNZIPPED_CONFIG | grep -q 'CONFIG_KEXEC is not set' || fail "CONFIG_KEXEC is not set"
echo $UNZIPPED_CONFIG | grep -q 'CONFIG_X86_X32 is not set' || fail "CONFIG_X86_X32 is not set"
echo $UNZIPPED_CONFIG | grep -q 'CONFIG_MODIFY_LDT_SYSCALL is not set' || fail "CONFIG_MODIFY_LDT_SYSCALL is not set"
if [ "$kernelMajor" -eq 5 ] || [ "$kernelMajor" -eq 4 -a "$kernelMinor" -ge 5 ]; then
echo $UNZIPPED_CONFIG | grep -q 'CONFIG_LEGACY_PTYS is not set' || fail "CONFIG_LEGACY_PTYS is not set"
echo $UNZIPPED_CONFIG | grep -q 'CONFIG_HIBERNATION is not set' || fail "CONFIG_HIBERNATION is not set"
fi
fi
# modprobe
for mod in \
nfs \
nfsd \
ntfs
do
modprobe $mod 2>/dev/null || true
done
# check filesystems that are built in
for fs in \
sysfs \
tmpfs \
bdev \
proc \
cpuset \
cgroup \
devtmpfs \
binfmt_misc \
debugfs \
tracefs \
securityfs \
sockfs \
bpf \
pipefs \
ramfs \
hugetlbfs \
rpc_pipefs \
devpts \
ext4 \
vfat \
msdos \
iso9660 \
nfs \
nfs4 \
nfsd \
cifs \
ntfs \
fuseblk \
fuse \
fusectl \
overlay \
udf \
xfs \
9p \
pstore \
mqueue
do
grep -q "[[:space:]]${fs}\$" /proc/filesystems || fail "${fs} filesystem missing"
done
if [ "$arch" = "x86_64" ]; then
grep -q "[[:space:]]oprofilefs\$" /proc/filesystems || fail "${fs} filesystem missing"
fi
if [ -z "$FAILED" ]
then
echo "kernel config test succeeded!"
else
echo "kernel config test failed!"
exit 1
fi
Reference in New Issue View Git Blame Copy Permalink