Use raw strings for regular expression

[kconfig-hardened-check.git] / kernel_hardening_checker / __init__.py

diff --git a/kernel_hardening_checker/__init__.py b/kernel_hardening_checker/__init__.py
index 4d5aaca7989dde7572e8d10a5716bb2168ad44fe..6574e9b170a0cfb3022fa329a7a3f64d839e00c5 100644 (file)
--- a/kernel_hardening_checker/__init__.py
+++ b/kernel_hardening_checker/__init__.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python3
+#!/usr/bin/env python3
 
 """
 This tool is for checking the security hardening options of the Linux kernel.
@@ -31,7 +31,7 @@ def _open(file: str, *args, **kwargs):
 
 def detect_arch(fname, archs):
     with _open(fname, 'rt', encoding='utf-8') as f:
-        arch_pattern = re.compile("CONFIG_[a-zA-Z0-9_]+=y$")
+        arch_pattern = re.compile(r"CONFIG_[a-zA-Z0-9_]+=y$")
         arch = None
         for line in f.readlines():
             if arch_pattern.match(line):
@@ -48,7 +48,7 @@ def detect_arch(fname, archs):
 
 def detect_kernel_version(fname):
     with _open(fname, 'rt', encoding='utf-8') as f:
-        ver_pattern = re.compile("# Linux/.+ Kernel Configuration$")
+        ver_pattern = re.compile(r"^# Linux/.+ Kernel Configuration$|^Linux version .+")
         for line in f.readlines():
             if ver_pattern.match(line):
                 line = line.strip()
@@ -152,8 +152,8 @@ def print_checklist(mode, checklist, with_results):
 
 def parse_kconfig_file(mode, parsed_options, fname):
     with _open(fname, 'rt', encoding='utf-8') as f:
-        opt_is_on = re.compile("CONFIG_[a-zA-Z0-9_]+=.+$")
-        opt_is_off = re.compile("# CONFIG_[a-zA-Z0-9_]+ is not set$")
+        opt_is_on = re.compile(r"CONFIG_[a-zA-Z0-9_]+=.+$")
+        opt_is_off = re.compile(r"# CONFIG_[a-zA-Z0-9_]+ is not set$")
 
         for line in f.readlines():
             line = line.strip()
@@ -201,7 +201,7 @@ def parse_cmdline_file(mode, parsed_options, fname):
 
 def parse_sysctl_file(mode, parsed_options, fname):
     with open(fname, 'r', encoding='utf-8') as f:
-        sysctl_pattern = re.compile("[a-zA-Z0-9/\._-]+ =.*$")
+        sysctl_pattern = re.compile(r"[a-zA-Z0-9/\._-]+ =.*$")
         for line in f.readlines():
             line = line.strip()
             if not sysctl_pattern.match(line):
@@ -241,6 +241,8 @@ def main():
                         help='check the security hardening options in the kernel cmdline file (contents of /proc/cmdline)')
     parser.add_argument('-s', '--sysctl',
                         help='check the security hardening options in the sysctl output file (`sudo sysctl -a > file`)')
+    parser.add_argument('-v', '--kernel-version',
+                        help='extract the version from the kernel version file (contents of /proc/version)')
     parser.add_argument('-p', '--print', choices=supported_archs,
                         help='print the security hardening recommendations for the selected microarchitecture')
     parser.add_argument('-g', '--generate', choices=supported_archs,
@@ -274,8 +276,13 @@ def main():
         if mode != 'json':
             print(f'[+] Detected microarchitecture: {arch}')
 
-        kernel_version, msg = detect_kernel_version(args.config)
+        if args.kernel_version:
+            kernel_version, msg = detect_kernel_version(args.kernel_version)
+        else:
+            kernel_version, msg = detect_kernel_version(args.config)
         if kernel_version is None:
+            if not args.kernel_version:
+                print('[!] Hint: provide the kernel version file through --kernel-version option')
             sys.exit(f'[!] ERROR: {msg}')
         if mode != 'json':
             print(f'[+] Detected kernel version: {kernel_version[0]}.{kernel_version[1]}')