fix: move custom kicksecure settings to dev state

Fixes: https://github.com/ben-grande/qusal/issues/12 Fixes: https://github.com/ben-grande/qusal/issues/14 Fixes: https://github.com/ben-grande/qusal/issues/15
2025-03-29 10:28:15 -04:00 · 2024-02-02 09:57:19 +01:00 · 2024-02-02 09:57:19 +01:00 · 76c9cd00ad
commit 76c9cd00ad
parent 4596198037
3 changed files with 46 additions and 20 deletions
--- a/salt/kicksecure-minimal/README.md
+++ b/salt/kicksecure-minimal/README.md
@ -42,3 +42,27 @@ qubesctl --skip-dom0 --targets=kicksecure-17-minimal state.apply kicksecure-mini
 ## Usage
 AppVMs and StandaloneVMs can be based on this template.
 ### Kicksecure Developers
 This is intended for Kicksecure Developers to test known to be broken
 hardening measures. It is not intended for other developers or users.
 After you have ran the developers SaltFile, when reporting bugs upstream,
 share the following information of the customizations made by this formula:
 - `hardened-malloc`:
 ```
 libhardened_malloc.so
 ```
 - `hide-hardware-info`:
 ```
 sysfs_whitelist=0
 cpuionfo_whitelist=0
 ```
 - `permission-hardener`:
 ```
 whitelists_disable_all=true
 ```
--- a/salt/kicksecure-minimal/install-developers.sls
+++ b/salt/kicksecure-minimal/install-developers.sls
@ -24,6 +24,28 @@ include:
      - lkrg
      - tirdad
 ## Breaks browsers.
 "{{ slsdotpath }}-hardened-malloc-preload":
  file.managed:
    - require:
      - pkg: "{{ slsdotpath }}-installed"
    - name: /etc/ld.so.preload
    - source: salt://{{ slsdotpath }}/files/template/ld.so.preload
    - mode: '0644'
    - user: root
    - group: root
    - makedirs: True
 ## Does not break (maybe), present here because it is not the default.
 "{{ slsdotpath }}-permission-hardener-conf":
  file.managed:
    - name: /etc/permission-hardener.d/40_qusal.conf
    - source: salt://{{ slsdotpath }}/files/template/permission-hardener.d/40_qusal.conf
    - mode: '0600'
    - user: root
    - group: root
    - makedirs: True
 ## Breaks systemd service qubes-gui-agent
 "{{ slsdotpath }}-proc-hidepid-enabled":
  service.enabled:
--- a/salt/kicksecure-minimal/install.sls
+++ b/salt/kicksecure-minimal/install.sls
@ -43,26 +43,6 @@ include:
    - regex: "^\s*deb"
    - ignore_missing: True
 "{{ slsdotpath }}-permission-hardener-conf":
  file.managed:
    - name: /etc/permission-hardener.d/40_qusal.conf
    - source: salt://{{ slsdotpath }}/files/template/permission-hardener.d/40_qusal.conf
    - mode: '0600'
    - user: root
    - group: root
    - makedirs: True
 "{{ slsdotpath }}-hardened-malloc-preload":
  file.managed:
    - require:
      - pkg: "{{ slsdotpath }}-installed"
    - name: /etc/ld.so.preload
    - source: salt://{{ slsdotpath }}/files/template/ld.so.preload
    - mode: '0644'
    - user: root
    - group: root
    - makedirs: True
 "{{ slsdotpath }}-distribution-kernel":
  cmd.run:
    - require: