linux-support 0.0.25

Comprehensive Linux support for namespaces, cgroups, processes, scheduling, parsing /proc, parsing /sys, signals, hyper threads, CPUS, NUMA nodes, unusual file descriptors, PCI devices and much, much more
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226

// This file is part of linux-support. It is subject to the license terms in the COPYRIGHT file found in the top-level directory of this distribution and at https://raw.githubusercontent.com/lemonrock/linux-support/master/COPYRIGHT. No part of linux-support, including this file, may be copied, modified, propagated, or distributed except according to the terms contained in the COPYRIGHT file.
// Copyright © 2020 The developers of linux-support. See the COPYRIGHT file in the top-level directory of this distribution and at https://raw.githubusercontent.com/lemonrock/linux-support/master/COPYRIGHT.


#[inline(always)]
pub(crate) fn incompatible_settings(linux_kernel_command_line_parameters: &LinuxKernelCommandLineParameters) -> Result<(), &'static str>
{
	if linux_kernel_command_line_parameters.norandmaps()
	{
		return Err("Kernel has `norandmaps` enabled; this isn't secure")
	}

	if linux_kernel_command_line_parameters.nokaslr()
	{
		return Err("Kernel has `nokaslr` enabled; this isn't secure")
	}

	if linux_kernel_command_line_parameters.movable_node()
	{
		return Err("Kernel has `movable_node` enabled; this isn't compatible with this application")
	}

	if linux_kernel_command_line_parameters.nosmp()
	{
		return Err("Kernel has `nosmp` enabled; this disables support for parallel CPUs")
	}

	if linux_kernel_command_line_parameters.maxcpus() == Some(0)
	{
		return Err("Kernel has `maxcpus=0`; this disables support for parallel CPUs")
	}

	#[cfg(any(target_arch = "aarch64", target_arch = "x86_64"))]
	{
		match linux_kernel_command_line_parameters.acpi()
		{
			Some(b"off") => return Err("Kernel has `acpi=off`"),

			_ => (),
		}
	}

	#[cfg(target_arch = "x86_64")]
	{
		if linux_kernel_command_line_parameters.noapic()
		{
			return Err("Kernel has `noapic` enabled")
		}

		if linux_kernel_command_line_parameters.disableapic()
		{
			return Err("Kernel has `disableapic` enabled")
		}

		if linux_kernel_command_line_parameters.nolapic()
		{
			return Err("Kernel has `nolapic` enabled")
		}

		if linux_kernel_command_line_parameters.noapictimer()
		{
			return Err("Kernel has `noapictimer` enabled")
		}

		if linux_kernel_command_line_parameters.nospectre_v2()
		{
			return Err("Kernel has `nospectre_v2` enabled; this is wrong")
		}

		if let Some(mitigation) = linux_kernel_command_line_parameters.spectre_v2()
		{
			match mitigation
			{
				b"on" | b"auto" | b"retpoline" | b"retpoline,amd" => (),

				b"retpoline,google" => return Err("Kernel has `spectre_v2=retpoline,google`; this is probably not the best choice"),

				b"off" => return Err("Kernel spectre_v2 mitigation has been disabled; this is wrong"),

				_ => return Err("Kernel spectre_v2 mitigation not recognised"),
			}
		}

		if let Some(pci_parameters) = linux_kernel_command_line_parameters.pci()
		{
			if pci_parameters.contains(&b"off"[..])
			{
				return Err("Kernel has PCI disabled")
			}

			if pci_parameters.contains(&b"noacpi"[..])
			{
				return Err("Kernel has PCI noacpi")
			}
		}

		match linux_kernel_command_line_parameters.numa()
		{
			None => (),

			Some((b"off", None)) => return Err("Kernel should not have NUMA disabled; we need it to work correctly"),

			Some((b"noacpi", None)) => return Err("Kernel should not have NUMA 'acpi' disabled; we need it to work correctly"),

			Some((b"fake", Some(_))) => return Err("Kernel should not have fake NUMA nodes; they do not have correctly assigned CPUs"),

			_ => return Err("Unrecognised Kernel NUMA options"),
		}

		if linux_kernel_command_line_parameters.nohugeiomap()
		{
			return Err("Kernel has `nohugeiomap` enabled; this disables huge pages for IO")
		}

		if linux_kernel_command_line_parameters.notsc()
		{
			return Err("Kernel has `notsc` enabled; this disables support for the Time Stamp Counter, TSC")
		}

		if linux_kernel_command_line_parameters.nohpet()
		{
			return Err("Kernel has `nohpet` enabled; this disables support for the High Precision Event Timer, HPET")
		}

		if let Some(hpet_mmap_enabled) = linux_kernel_command_line_parameters.hpet_mmap()
		{
			if !hpet_mmap_enabled
			{
				return Err("Kernel has `hpet_mmap=0`, ie hpet is disabled; this disables support for the High Precision Event Timer, HPET")
			}
		}

		if linux_kernel_command_line_parameters.nopat()
		{
			return Err("Kernel has `nopat` enabled; this isn't useful")
		}

		if let Some(noexec_enabled) = linux_kernel_command_line_parameters.noexec()
		{
			if !noexec_enabled
			{
				return Err("Kernel has `noexec=off`, ie non-executable mappings are disabled")
			}
		}

		if let Some(vdso_enabled) = linux_kernel_command_line_parameters.vdso()
		{
			if !vdso_enabled
			{
				return Err("Kernel has `vdso=0`, ie vdso is disabled; this negatively impacts performance")
			}
		}

		if let Some(vdso32_enabled) = linux_kernel_command_line_parameters.vdso32()
		{
			if !vdso32_enabled
			{
				return Err("Kernel has `vdso32=0`, ie vdso is disabled; this negatively impacts performance")
			}
		}

		if linux_kernel_command_line_parameters.noinvpcid()
		{
			return Err("Kernel has `noinvpcid` enabled; this isn't useful")
		}
	}

	#[cfg(target_arch = "x86_64")]
	{
		if linux_kernel_command_line_parameters.nopti()
		{
			return Err("Kernel has `nopti` enabled; this is wrong")
		}

		if let Some(mitigation) = linux_kernel_command_line_parameters.pti()
		{
			match mitigation
			{
				b"on" | b"auto" => (),

				b"off" => return Err("Kernel Control Page Table Isolation (pti) mitigation has been disabled"),

				_ => return Err("Kernel Control Page Table Isolation (pti) mitigation not recognised"),
			}
		}

		match linux_kernel_command_line_parameters.vsyscall()
		{
			None => return Err("Kernel vsyscall mitigation should be disabled with `vsycall=none`"),

			Some(b"none") => (),

			Some(b"emulate") => return Err("Kernel vsyscall should be disabled with `vsycall=none` not `vsyscall=emulate`"),

			Some(b"native") => return Err("Kernel vsyscall mitigration has been disabled; this is wrong"),

			_ => return Err("Kernel vsyscall mitigation not recognised"),
		}

		if linux_kernel_command_line_parameters.nopcid()
		{
			return Err("Kernel has `nopcid` enabled; this isn't useful")
		}

		match linux_kernel_command_line_parameters.numa_balancing()
		{
			None | Some(true) => return Err("Kernel has NUMA balancing enabled"),
			_ => (),
		}

		if linux_kernel_command_line_parameters.nox2apic()
		{
			return Err("Kernel has `nox2apic` enabled")
		}

		if let Some(noexec32_enabled) = linux_kernel_command_line_parameters.noexec32()
		{
			if !noexec32_enabled
			{
				return Err("Kernel has `noexec32=off`, ie non-executable mappings are disabled")
			}
		}
	}

	Ok(())
}