From a4f1ad75ed26528c5ebed659d31ee82bde1bce9f Mon Sep 17 00:00:00 2001 From: Rod Smith Date: Wed, 16 Oct 2019 19:20:25 -0400 Subject: Added kernel taint test --- bin/kernel_taint_test | 93 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 93 insertions(+) create mode 100755 bin/kernel_taint_test (limited to 'bin') diff --git a/bin/kernel_taint_test b/bin/kernel_taint_test new file mode 100755 index 00000000..976ccb6b --- /dev/null +++ b/bin/kernel_taint_test @@ -0,0 +1,93 @@ +#!/usr/bin/env python3 +""" +Test that the kernel is not "tainted" by out-of-tree drivers, etc. + +Copyright (C) 2019 Canonical Ltd. + +Authors: + Rod Smith + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU General Public License version 3, +as published by the Free Software Foundation. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program. If not, see . + +This script examines the /proc/sys/kernel/tainted file (or a user-specified +file, for debugging purposes) and parses the contents to determine if the +kernel is tainted. If so, the script reports the nature of the taint and +returns a value of 1. The script also returns a value of 1 if +# /proc/sys/kernel/tainted cannot be found or opened. If the kernel is NOT +# tainted, the script notes this fact and returns 0. +""" + + +import sys +from argparse import ArgumentParser + + +# Note: If max_taints is increased, add descriptions to taint_meanings in +# report_failures() +max_taints = 17 + + +def find_taints(taint_file): + """Read the kernel-taint file.""" + try: + f = open(taint_file, "r") + taints = int(f.read()) + except OSError: + taints = 2**(max_taints+1) # Set so we have a non-0 value to return + print("Kernel taint file ({}) not found!".format(taint_file)) + print("Kernel taint value is {}".format(taints)) + return(taints) + + +def report_failures(taints): + """Report the failure code and its meaning(s).""" + # Below meaning strings are taken from + # https://www.kernel.org/doc/html/latest/admin-guide/tainted-kernels_html + taint_meanings = ["proprietary module was loaded", + "module was force loaded", + "SMP kernel oops on an officially SMP incapable CPU", + "module was force unloaded", + "processor reported a Machine Check Exception (MCE)", + "bad page referenced or some unexpected page flags", + "taint requested by userspace application", + "kernel died recently, i.e. there was an OOPS or BUG", + "ACPI table overridden by user", + "kernel issued warning", + "staging driver was loaded", + "workaround for bug in platform firmware applied", + "externally-built ('out-of-tree') module was loaded", + "unsigned module was loaded", + "soft lockup occurred", + "kernel has been live patched", + "auxiliary taint, defined for and used by distros", + "kernel was built with the struct randomization plugin"] + for i in range(max_taints+1): + if (taints & (2 ** i)): + print("Taint bit value: {} ({})".format(i, taint_meanings[i])) + if taints == 0: + print("No kernel taints detected.") + + +def main(): + parser = ArgumentParser() + parser.add_argument('--taint-file', + default="/proc/sys/kernel/tainted", + help='The file that holds the taint information') + args = parser.parse_args() + taints = find_taints(args.taint_file) + report_failures(taints) + return(taints > 0) + + +if __name__ == '__main__': + sys.exit(main()) -- cgit v1.2.3