fix: move custom kicksecure settings to dev state

Fixes: https://github.com/ben-grande/qusal/issues/12 Fixes: https://github.com/ben-grande/qusal/issues/14 Fixes: https://github.com/ben-grande/qusal/issues/15
2025-04-05 05:46:01 -04:00 · 2024-02-02 09:57:19 +01:00 · 2024-02-02 09:57:19 +01:00 · 9ee9b048e3
commit 9ee9b048e3
parent 4b87d937df
3 changed files with 46 additions and 20 deletions
--- a/salt/kicksecure-minimal/README.md
+++ b/salt/kicksecure-minimal/README.md
@ -42,3 +42,27 @@ qubesctl --skip-dom0 --targets=kicksecure-17-minimal state.apply kicksecure-mini
 ## Usage

 AppVMs and StandaloneVMs can be based on this template.
+
+### Kicksecure Developers
+
+This is intended for Kicksecure Developers to test known to be broken
+hardening measures. It is not intended for other developers or users.
+
+After you have ran the developers SaltFile, when reporting bugs upstream,
+share the following information of the customizations made by this formula:
+
+- `hardened-malloc`:
+```
+libhardened_malloc.so
+```
+
+- `hide-hardware-info`:
+```
+sysfs_whitelist=0
+cpuionfo_whitelist=0
+```
+
+- `permission-hardener`:
+```
+whitelists_disable_all=true
+```
--- a/salt/kicksecure-minimal/install-developers.sls
+++ b/salt/kicksecure-minimal/install-developers.sls
@ -24,6 +24,28 @@ include:
      - lkrg
      - tirdad

+## Breaks browsers.
+"{{ slsdotpath }}-hardened-malloc-preload":
+  file.managed:
+    - require:
+      - pkg: "{{ slsdotpath }}-installed"
+    - name: /etc/ld.so.preload
+    - source: salt://{{ slsdotpath }}/files/template/ld.so.preload
+    - mode: '0644'
+    - user: root
+    - group: root
+    - makedirs: True
+
+## Does not break (maybe), present here because it is not the default.
+"{{ slsdotpath }}-permission-hardener-conf":
+  file.managed:
+    - name: /etc/permission-hardener.d/40_qusal.conf
+    - source: salt://{{ slsdotpath }}/files/template/permission-hardener.d/40_qusal.conf
+    - mode: '0600'
+    - user: root
+    - group: root
+    - makedirs: True
+
 ## Breaks systemd service qubes-gui-agent
 "{{ slsdotpath }}-proc-hidepid-enabled":
  service.enabled:
--- a/salt/kicksecure-minimal/install.sls
+++ b/salt/kicksecure-minimal/install.sls
@ -43,26 +43,6 @@ include:
    - regex: "^\s*deb"
    - ignore_missing: True

-"{{ slsdotpath }}-permission-hardener-conf":
-  file.managed:
-    - name: /etc/permission-hardener.d/40_qusal.conf
-    - source: salt://{{ slsdotpath }}/files/template/permission-hardener.d/40_qusal.conf
-    - mode: '0600'
-    - user: root
-    - group: root
-    - makedirs: True
-
-"{{ slsdotpath }}-hardened-malloc-preload":
-  file.managed:
-    - require:
-      - pkg: "{{ slsdotpath }}-installed"
-    - name: /etc/ld.so.preload
-    - source: salt://{{ slsdotpath }}/files/template/ld.so.preload
-    - mode: '0644'
-    - user: root
-    - group: root
-    - makedirs: True
-
 "{{ slsdotpath }}-distribution-kernel":
  cmd.run:
    - require: