Skip to content

Commit

Permalink
kernelCTF: GHA: add mitigation-v3b release without nftables
Browse files Browse the repository at this point in the history
  • Loading branch information
koczkatamas committed Sep 27, 2024
1 parent c6972fc commit 43a5a81
Show file tree
Hide file tree
Showing 5 changed files with 49 additions and 8 deletions.
4 changes: 2 additions & 2 deletions .github/workflows/kernelctf-release-build.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ defaults:
working-directory: kernelctf
jobs:
build:
runs-on: ubuntu-latest
runs-on: ubuntu-24.04
steps:
- name: Checkout repo
uses: actions/checkout@v4
Expand All @@ -50,7 +50,7 @@ jobs:
include-hidden-files: true

upload:
runs-on: ubuntu-latest
runs-on: ubuntu-24.04
needs: build
steps:
- name: Download exploit
Expand Down
18 changes: 16 additions & 2 deletions kernelctf/build_release.sh
Original file line number Diff line number Diff line change
Expand Up @@ -29,9 +29,12 @@ case $TARGET in
mitigation)
REPO="https://github.com/thejh/linux"
case $VERSION in
v3-6.1.55)
v3-* | v3b-*)
DEFAULT_BRANCH="mitigations-next"
CONFIG_FN="mitigation-v3.config"
case $VERSION in
v3-6.1.55) CONFIG_FN="mitigation-v3.config" ;;
v3b-6.1.55) CONFIG_FN="mitigation-v3b.config" ;;
esac
CONFIG_FULL_FN="mitigation-v3-full.config"
;;
6.1 | 6.1-v2)
Expand All @@ -57,6 +60,17 @@ CONFIGS_DIR="$BASEDIR/kernel_configs"

if [ -d "$RELEASE_DIR" ]; then echo "Release directory already exists. Stopping."; exit 1; fi

echo "GCC version"
echo "================="
gcc --version || true
echo

echo "Clang version"
echo "================="
clang --version || true
echo "================="
echo

mkdir -p $BUILD_DIR 2>/dev/null || true
cd $BUILD_DIR
if [ ! -d ".git" ]; then git init && git remote add origin $REPO; fi
Expand Down
4 changes: 2 additions & 2 deletions kernelctf/get_latest_kernel_versions.py
Original file line number Diff line number Diff line change
Expand Up @@ -17,12 +17,12 @@ def add_release(release_id, branch=None):
global releases
releases.append({ "releaseId": release_id, "branch": branch })

for lts_version in ["6.1", "6.6"]:
for lts_version in ["6.6"]:
latest_lts = run(f"git ls-remote --tags --sort='-v:refname' https://github.com/gregkh/linux 'v{lts_version}.*[0-9]'")[0].split("refs/tags/")[1]
print(f"Latest LTS {lts_version}: {latest_lts}")
add_release(f"lts-{latest_lts[1:]}")

for cos_milestone in [97, 105, 109]:
for cos_milestone in [105, 109]:
release_notes = fetch(f"https://cloud.google.com/feeds/cos-{cos_milestone}-release-notes.xml")
tree = etree.XML(release_notes.encode('utf-8'))
entries = tree.xpath("//*[local-name() = 'content']/text()")
Expand Down
27 changes: 27 additions & 0 deletions kernelctf/kernel_configs/mitigation-v3b.config
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
# CONFIG_IO_URING is not set
CONFIG_SYSTEM_TRUSTED_KEYS=""

## required by CONFIG_KMALLOC_SPLIT_VARSIZE
# CONFIG_SLAB_MERGE_DEFAULT is not set

## turns on our mitigations
CONFIG_KMALLOC_SPLIT_VARSIZE=y
CONFIG_SLAB_VIRTUAL=y

## turns on CONFIG_RANDOM_KMALLOC_CACHES
CONFIG_RANDOM_KMALLOC_CACHES=y

## turns on additional hardenings
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_DEBUG_WX=y
CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
# CONFIG_FUSE_FS is not set

### Make the kernel less annoying to debug
## Compile the kernel with debug info
CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
# Have all symbols in kallsyms
CONFIG_KALLSYMS_ALL=y

# CONFIG_NF_TABLES is not set
4 changes: 2 additions & 2 deletions kernelctf/server/server.py
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,7 @@ def get_releases():
del releases[release_id]
continue

m = re.match(r'(?P<target>lts|mitigation(-v3)?|cos-\d+)-(?P<version>\d+(\.\d+)+)', release_id)
m = re.match(r'(?P<target>lts|mitigation(-v3|-v3b)?|cos-\d+)-(?P<version>\d+(\.\d+)+)', release_id)
if m is None:
warning(f'release {release_id} does not match regex')
del releases[release_id]
Expand Down Expand Up @@ -102,7 +102,7 @@ def print_filtered(name, status_filter):
print_filtered('Deprecated targets', 'deprecated')
else:
print_filtered('Current targets', 'latest')
print_filtered('Future targets', 'future')
print_filtered('Future targets', 'future')

def are_you_sure(prompt):
print(prompt)
Expand Down

0 comments on commit 43a5a81

Please sign in to comment.