373 lines
8.5 KiB
Bash
Executable File
373 lines
8.5 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
FILE=$1
|
|
|
|
[ -f "$FILE" ] || {
|
|
echo "Provide a config file as argument"
|
|
exit
|
|
}
|
|
|
|
write=false
|
|
|
|
if [ "$2" = "-w" ]; then
|
|
write=true
|
|
fi
|
|
|
|
CONFIGS_ON="
|
|
CONFIG_IKCONFIG
|
|
CONFIG_CPUSETS
|
|
CONFIG_AUTOFS4_FS
|
|
CONFIG_TMPFS_XATTR
|
|
CONFIG_TMPFS_POSIX_ACL
|
|
CONFIG_CGROUP_DEVICE
|
|
CONFIG_CGROUP_MEM_RES_CTLR
|
|
CONFIG_CGROUP_MEM_RES_CTLR_SWAP
|
|
CONFIG_CGROUP_MEM_RES_CTLR_KMEM
|
|
CONFIG_RTC_DRV_CMOS
|
|
CONFIG_BLK_CGROUP
|
|
CONFIG_CGROUP_PERF
|
|
CONFIG_IKCONFIG_PROC
|
|
CONFIG_SYSVIPC
|
|
CONFIG_CGROUPS
|
|
CONFIG_CGROUP_FREEZER
|
|
CONFIG_NAMESPACES
|
|
CONFIG_UTS_NS
|
|
CONFIG_IPC_NS
|
|
CONFIG_USER_NS
|
|
CONFIG_PID_NS
|
|
CONFIG_NET_NS
|
|
CONFIG_AUDIT
|
|
CONFIG_AUDITSYSCALL
|
|
CONFIG_AUDIT_TREE
|
|
CONFIG_AUDIT_WATCH
|
|
CONFIG_CC_STACKPROTECTOR
|
|
CONFIG_DEBUG_RODATA
|
|
CONFIG_DEVTMPFS
|
|
CONFIG_DEVTMPFS_MOUNT
|
|
CONFIG_DEVPTS_MULTIPLE_INSTANCES
|
|
CONFIG_ECRYPT_FS
|
|
CONFIG_ECRYPT_FS_MESSAGING
|
|
CONFIG_ENCRYPTED_KEYS
|
|
CONFIG_EXT4_FS_POSIX_ACL
|
|
CONFIG_EXT4_FS_SECURITY
|
|
CONFIG_FSNOTIFY
|
|
CONFIG_DNOTIFY
|
|
CONFIG_INOTIFY_USER
|
|
CONFIG_FANOTIFY
|
|
CONFIG_FANOTIFY_ACCESS_PERMISSIONS
|
|
CONFIG_KEYS
|
|
CONFIG_SWAP
|
|
CONFIG_VT
|
|
CONFIG_VT_CONSOLE
|
|
CONFIG_SECCOMP
|
|
CONFIG_SECURITY
|
|
CONFIG_SECURITYFS
|
|
CONFIG_SECURITY_NETWORK
|
|
CONFIG_NETLABEL
|
|
CONFIG_SECURITY_PATH
|
|
CONFIG_SECURITY_SELINUX
|
|
CONFIG_SECURITY_SELINUX_BOOTPARAM
|
|
CONFIG_SECURITY_SELINUX_DISABLE
|
|
CONFIG_SECURITY_SELINUX_DEVELOP
|
|
CONFIG_SECURITY_SELINUX_AVC_STATS
|
|
CONFIG_SECURITY_SMACK
|
|
CONFIG_SECURITY_TOMOYO
|
|
CONFIG_DEFAULT_SECURITY_APPARMOR
|
|
CONFIG_SECURITY_APPARMOR
|
|
CONFIG_SECURITY_APPARMOR_HASH
|
|
CONFIG_SECURITY_APPARMOR_UNCONFINED_INIT
|
|
CONFIG_SECURITY_YAMA
|
|
CONFIG_SECURITY_YAMA_STACKED
|
|
CONFIG_STRICT_DEVMEM
|
|
CONFIG_SYN_COOKIES
|
|
CONFIG_BT
|
|
CONFIG_BT_RFCOMM
|
|
CONFIG_BT_RFCOMM_TTY
|
|
CONFIG_BT_BNEP
|
|
CONFIG_BT_BNEP_MC_FILTER
|
|
CONFIG_BT_BNEP_PROTO_FILTER
|
|
CONFIG_BT_HIDP
|
|
CONFIG_XFRM_USER
|
|
CONFIG_NET_KEY
|
|
CONFIG_INET
|
|
CONFIG_IP_ADVANCED_ROUTER
|
|
CONFIG_IP_MULTIPLE_TABLES
|
|
CONFIG_INET_AH
|
|
CONFIG_INET_ESP
|
|
CONFIG_INET_IPCOMP
|
|
CONFIG_INET_XFRM_MODE_TRANSPORT
|
|
CONFIG_INET_XFRM_MODE_TUNNEL
|
|
CONFIG_INET_XFRM_MODE_BEET
|
|
CONFIG_IPV6
|
|
CONFIG_INET6_AH
|
|
CONFIG_INET6_ESP
|
|
CONFIG_INET6_IPCOMP
|
|
CONFIG_INET6_XFRM_MODE_TRANSPORT
|
|
CONFIG_INET6_XFRM_MODE_TUNNEL
|
|
CONFIG_INET6_XFRM_MODE_BEET
|
|
CONFIG_IPV6_MULTIPLE_TABLES
|
|
CONFIG_NETFILTER
|
|
CONFIG_NETFILTER_ADVANCED
|
|
CONFIG_NETFILTER_NETLINK
|
|
CONFIG_NETFILTER_NETLINK_ACCT
|
|
CONFIG_NETFILTER_NETLINK_LOG
|
|
CONFIG_NETFILTER_NETLINK_QUEUE
|
|
CONFIG_NETFILTER_TPROXY
|
|
CONFIG_NETFILTER_XTABLES
|
|
CONFIG_NETFILTER_XT_CONNMARK
|
|
CONFIG_NETFILTER_XT_MARK
|
|
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE
|
|
CONFIG_NETFILTER_XT_MATCH_CLUSTER
|
|
CONFIG_NETFILTER_XT_MATCH_COMMENT
|
|
CONFIG_NETFILTER_XT_MATCH_CONNBYTES
|
|
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT
|
|
CONFIG_NETFILTER_XT_MATCH_CONNMARK
|
|
CONFIG_NETFILTER_XT_MATCH_CONNTRACK
|
|
CONFIG_NETFILTER_XT_MATCH_CPU
|
|
CONFIG_NETFILTER_XT_MATCH_DCCP
|
|
CONFIG_NETFILTER_XT_MATCH_DEVGROUP
|
|
CONFIG_NETFILTER_XT_MATCH_DSCP
|
|
CONFIG_NETFILTER_XT_MATCH_ECN
|
|
CONFIG_NETFILTER_XT_MATCH_ESP
|
|
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT
|
|
CONFIG_NETFILTER_XT_MATCH_HELPER
|
|
CONFIG_NETFILTER_XT_MATCH_HL
|
|
CONFIG_NETFILTER_XT_MATCH_IPRANGE
|
|
CONFIG_NETFILTER_XT_MATCH_LENGTH
|
|
CONFIG_NETFILTER_XT_MATCH_LIMIT
|
|
CONFIG_NETFILTER_XT_MATCH_MAC
|
|
CONFIG_NETFILTER_XT_MATCH_MARK
|
|
CONFIG_NETFILTER_XT_MATCH_MULTIPORT
|
|
CONFIG_NETFILTER_XT_MATCH_NFACCT
|
|
CONFIG_NETFILTER_XT_MATCH_OSF
|
|
CONFIG_NETFILTER_XT_MATCH_OWNER
|
|
CONFIG_NETFILTER_XT_MATCH_PKTTYPE
|
|
CONFIG_NETFILTER_XT_MATCH_POLICY
|
|
CONFIG_NETFILTER_XT_MATCH_QUOTA
|
|
CONFIG_NETFILTER_XT_MATCH_QUOTA2
|
|
CONFIG_NETFILTER_XT_MATCH_RATEEST
|
|
CONFIG_NETFILTER_XT_MATCH_REALM
|
|
CONFIG_NETFILTER_XT_MATCH_RECENT
|
|
CONFIG_NETFILTER_XT_MATCH_SCTP
|
|
CONFIG_NETFILTER_XT_MATCH_SOCKET
|
|
CONFIG_NETFILTER_XT_MATCH_STATE
|
|
CONFIG_NETFILTER_XT_MATCH_STATISTIC
|
|
CONFIG_NETFILTER_XT_MATCH_STRING
|
|
CONFIG_NETFILTER_XT_MATCH_TCPMSS
|
|
CONFIG_NETFILTER_XT_MATCH_TIME
|
|
CONFIG_NETFILTER_XT_MATCH_U32
|
|
CONFIG_NETFILTER_XT_TARGET_AUDIT
|
|
CONFIG_NETFILTER_XT_TARGET_CHECKSUM
|
|
CONFIG_NETFILTER_XT_TARGET_CLASSIFY
|
|
CONFIG_NETFILTER_XT_TARGET_CONNMARK
|
|
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK
|
|
CONFIG_NETFILTER_XT_TARGET_CT
|
|
CONFIG_NETFILTER_XT_TARGET_DSCP
|
|
CONFIG_NETFILTER_XT_TARGET_HL
|
|
CONFIG_NETFILTER_XT_TARGET_IDLETIMER
|
|
CONFIG_NETFILTER_XT_TARGET_LED
|
|
CONFIG_NETFILTER_XT_TARGET_LOG
|
|
CONFIG_NETFILTER_XT_TARGET_MARK
|
|
CONFIG_NETFILTER_XT_TARGET_NFLOG
|
|
CONFIG_NETFILTER_XT_TARGET_NFQUEUE
|
|
CONFIG_NETFILTER_XT_TARGET_NOTRACK
|
|
CONFIG_NETFILTER_XT_TARGET_RATEEST
|
|
CONFIG_NETFILTER_XT_TARGET_SECMARK
|
|
CONFIG_NETFILTER_XT_TARGET_TCPMSS
|
|
CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP
|
|
CONFIG_NETFILTER_XT_TARGET_TEE
|
|
CONFIG_NETFILTER_XT_TARGET_TPROXY
|
|
CONFIG_NETFILTER_XT_TARGET_TRACE
|
|
CONFIG_NF_CONNTRACK_ZONES
|
|
CONFIG_IP6_NF_FILTER
|
|
CONFIG_IP6_NF_IPTABLES
|
|
CONFIG_IP6_NF_MANGLE
|
|
CONFIG_IP6_NF_MATCH_AH
|
|
CONFIG_IP6_NF_MATCH_EUI64
|
|
CONFIG_IP6_NF_MATCH_FRAG
|
|
CONFIG_IP6_NF_MATCH_HL
|
|
CONFIG_IP6_NF_MATCH_IPV6HEADER
|
|
CONFIG_IP6_NF_MATCH_MH
|
|
CONFIG_IP6_NF_MATCH_OPTS
|
|
CONFIG_IP6_NF_MATCH_RPFILTER
|
|
CONFIG_IP6_NF_MATCH_RT
|
|
CONFIG_IP6_NF_QUEUE
|
|
CONFIG_IP6_NF_RAW
|
|
CONFIG_IP6_NF_SECURITY
|
|
CONFIG_IP6_NF_TARGET_HL
|
|
CONFIG_IP6_NF_TARGET_REJECT
|
|
CONFIG_IP6_NF_TARGET_REJECT_SKERR
|
|
CONFIG_DNS_RESOLVER
|
|
CONFIG_IOSCHED_DEADLINE
|
|
CONFIG_SUSPEND_TIME
|
|
CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS
|
|
CONFIG_CONSOLE_TRANSLATIONS
|
|
CONFIG_EVM
|
|
CONFIG_INTEGRITY_SIGNATURE
|
|
CONFIG_FHANDLE
|
|
CONFIG_EPOLL
|
|
CONFIG_SIGNALFD
|
|
CONFIG_TIMERFD
|
|
CONFIG_TMPFS_POSIX_ACL
|
|
"
|
|
|
|
CONFIGS_OFF="
|
|
CONFIG_NETPRIO_CGROUP
|
|
CONFIG_NET_CLS_CGROUP
|
|
CONFIG_FW_LOADER_USER_HELPER
|
|
CONFIG_ANDROID_LOW_MEMORY_KILLER
|
|
CONFIG_ANDROID_PARANOID_NETWORK
|
|
CONFIG_DEFAULT_SECURITY_DAC
|
|
CONFIG_DEFAULT_SECURITY_SELINUX
|
|
CONFIG_DEFAULT_SECURITY_TOMOYO
|
|
CONFIG_DEFAULT_SECURITY_YAMA
|
|
CONFIG_DEFAULT_SECURITY_SMACK
|
|
CONFIG_SECURITY_APPARMOR_STATS
|
|
CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX
|
|
CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER
|
|
CONFIG_BT_HCIBTUSB
|
|
CONFIG_BT_HCIBTSDIO
|
|
CONFIG_BT_HCIUART
|
|
CONFIG_BT_HCIBCM203X
|
|
CONFIG_BT_HCIBPA10X
|
|
CONFIG_BT_HCIBFUSB
|
|
CONFIG_BT_HCIVHCI
|
|
CONFIG_BT_MRVL
|
|
CONFIG_AF_RXRPC
|
|
CONFIG_KEYS_DEBUG_PROC_KEYS
|
|
CONFIG_XFRM_MIGRATE
|
|
CONFIG_XFRM_STATISTICS
|
|
CONFIG_XFRM_SUB_POLICY
|
|
CONFIG_COMPAT_BRK
|
|
CONFIG_DEVKMEM
|
|
CONFIG_NETFILTER_DEBUG
|
|
CONFIG_IP_SET
|
|
CONFIG_IP_VS
|
|
CONFIG_RT_GROUP_SCHED
|
|
CONFIG_ARM_UNWIND
|
|
CONFIG_VT_HW_CONSOLE_BINDING
|
|
CONFIG_FRAMEBUFFER_CONSOLE
|
|
CONFIG_SPEAKUP
|
|
CONFIG_CIFS_UPCALL
|
|
CONFIG_CIFS_DFS_UPCALL
|
|
CONFIG_KGDB
|
|
"
|
|
CONFIGS_EQ="
|
|
CONFIG_DEFAULT_SECURITY=\"apparmor\"
|
|
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
|
|
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
|
|
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
|
|
CONFIG_SECURITY_TOMOYO_MAX_ACCEPT_ENTRY=2048
|
|
CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024
|
|
CONFIG_SECURITY_TOMOYO_POLICY_LOADER=\"/sbin/tomoyo-init\"
|
|
CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER=\"/sbin/init\"
|
|
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
|
|
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
|
|
CONFIG_DEFAULT_IOSCHED=\"deadline\"
|
|
CONFIG_EVM_HMAC_VERSION=2
|
|
"
|
|
|
|
ered() {
|
|
echo -e "\033[31m" $@
|
|
}
|
|
|
|
egreen() {
|
|
echo -e "\033[32m" $@
|
|
}
|
|
|
|
ewhite() {
|
|
echo -e "\033[37m" $@
|
|
}
|
|
|
|
echo -e "\n\nChecking config file for Halium specific config options.\n\n"
|
|
|
|
errors=0
|
|
fixes=0
|
|
|
|
for c in $CONFIGS_ON $CONFIGS_OFF;do
|
|
cnt=`grep -w -c $c $FILE`
|
|
if [ $cnt -gt 1 ];then
|
|
ered "$c appears more than once in the config file, fix this"
|
|
errors=$((errors+1))
|
|
fi
|
|
|
|
if [ $cnt -eq 0 ];then
|
|
if $write ; then
|
|
ewhite "Creating $c"
|
|
echo "# $c is not set" >> "$FILE"
|
|
fixes=$((fixes+1))
|
|
else
|
|
ered "$c is neither enabled nor disabled in the config file"
|
|
errors=$((errors+1))
|
|
fi
|
|
fi
|
|
done
|
|
|
|
for c in $CONFIGS_ON;do
|
|
if grep "$c=y\|$c=m" "$FILE" >/dev/null;then
|
|
egreen "$c is already set"
|
|
else
|
|
if $write ; then
|
|
ewhite "Setting $c"
|
|
sed -i "s,# $c is not set,$c=y," "$FILE"
|
|
fixes=$((fixes+1))
|
|
else
|
|
ered "$c is not set, set it"
|
|
errors=$((errors+1))
|
|
fi
|
|
fi
|
|
done
|
|
|
|
for c in $CONFIGS_EQ;do
|
|
lhs=$(awk -F= '{ print $1 }' <(echo $c))
|
|
rhs=$(awk -F= '{ print $2 }' <(echo $c))
|
|
if grep "^$c" "$FILE" >/dev/null;then
|
|
egreen "$c is already set correctly."
|
|
continue
|
|
elif grep "^$lhs" "$FILE" >/dev/null;then
|
|
cur=$(awk -F= '{ print $2 }' <(grep "$lhs" "$FILE"))
|
|
ered "$lhs is set, but to $cur not $rhs."
|
|
if $write ; then
|
|
egreen "Setting $c correctly"
|
|
sed -i 's,^'"$lhs"'.*,# '"$lhs"' was '"$cur"'\n'"$c"',' "$FILE"
|
|
fixes=$((fixes+1))
|
|
fi
|
|
else
|
|
if $write ; then
|
|
ewhite "Setting $c"
|
|
echo "$c" >> "$FILE"
|
|
fixes=$((fixes+1))
|
|
else
|
|
ered "$c is not set"
|
|
errors=$((errors+1))
|
|
fi
|
|
fi
|
|
done
|
|
|
|
for c in $CONFIGS_OFF;do
|
|
if grep "$c=y\|$c=m" "$FILE" >/dev/null;then
|
|
if $write ; then
|
|
ewhite "Unsetting $c"
|
|
sed -i "s,$c=.*,# $c is not set," $FILE
|
|
fixes=$((fixes+1))
|
|
else
|
|
ered "$c is set, unset it"
|
|
errors=$((errors+1))
|
|
fi
|
|
else
|
|
egreen "$c is already unset"
|
|
fi
|
|
done
|
|
|
|
if [ $errors -eq 0 ];then
|
|
egreen "\n\nConfig file checked, found no errors.\n\n"
|
|
else
|
|
ered "\n\nConfig file checked, found $errors errors that I did not fix.\n\n"
|
|
fi
|
|
|
|
if [ $fixes -gt 0 ];then
|
|
egreen "Made $fixes fixes.\n\n"
|
|
fi
|
|
|
|
ewhite " "
|