security-misc/debian/security-misc.config

#!/bin/bash

## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then
   source /usr/libexec/helper-scripts/pre.bsh
fi

source /usr/share/debconf/confmodule

set -e

## Not set by DPKG for '.config' script.
DPKG_MAINTSCRIPT_PACKAGE="security-misc"
DPKG_MAINTSCRIPT_NAME="config"

true "
#####################################################################
## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $*
#####################################################################
"

## Code duplication.
## '.config' scripts are run very early. Even 'Pre-Depends: helper-scripts' would be insufficient.
## Therefore the code is duplicated here.
## Copied from: helper-scripts /usr/libexec/helper-scripts/package_installed_check.bsh
pkg_installed() {
   local package_name dpkg_query_output
   local requested_action status error_state

   package_name="$1"
   ## Cannot use '&>' because it is a bashism.
   dpkg_query_output="$(dpkg-query --show --showformat='${Status}' "$package_name" 2>/dev/null)" || true
   ## dpkg_query_output Exampels:
   ## install ok half-configured
   ## install ok installed

   requested_action=$(echo "$dpkg_query_output" | awk '{print $1}')
   status=$(echo "$dpkg_query_output" | awk '{print $2}')
   error_state=$(echo "$dpkg_query_output" | awk '{print $3}')

   if [ "$requested_action" = 'install' ]; then
      true "$0: INFO: $package_name is installed, ok."
      return 0
   fi

   true "$0: INFO: $package_name is not installed, ok."
   return 1
}

check_migrate_permission_hardener_state() {
   local pkg_list modified_pkg_data_str custom_hardening_arr config_file

   ## If folder /var/lib/permission-hardener (version 1) does not exist, this migration is unneeded.
   if [ ! -d '/var/lib/permission-hardener' ]; then
      return 0
   fi

   local orig_hardening_arr custom_hardening_arr config_file custom_config_file
   if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then
     return 0
   fi
   mkdir --parents '/var/lib/security-misc/do_once'

   orig_hardening_arr=(
      '/usr/lib/permission-hardener.d/25_default_passwd.conf'
      '/usr/lib/permission-hardener.d/25_default_sudo.conf'
      '/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf'
      '/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf'
      '/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf'
      '/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf'
      '/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf'
      '/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf'
      '/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf'
      '/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf'
      '/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf'
      '/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf'
      '/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf'
      '/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf'
      '/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf'
      '/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf'
      '/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf'
      '/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf'
      '/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf'
      '/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf'
      '/usr/lib/permission-hardener.d/20_user-sysmaint-split.conf'
      '/usr/lib/permission-hardener.d/30_ping.conf'
      '/usr/lib/permission-hardener.d/30_default.conf'
      '/etc/permission-hardener.d/25_default_passwd.conf'
      '/etc/permission-hardener.d/25_default_sudo.conf'
      '/etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf'
      '/etc/permission-hardener.d/25_default_whitelist_chromium.conf'
      '/etc/permission-hardener.d/25_default_whitelist_dbus.conf'
      '/etc/permission-hardener.d/25_default_whitelist_firejail.conf'
      '/etc/permission-hardener.d/25_default_whitelist_fuse.conf'
      '/etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf'
      '/etc/permission-hardener.d/25_default_whitelist_mount.conf'
      '/etc/permission-hardener.d/25_default_whitelist_pam.conf'
      '/etc/permission-hardener.d/25_default_whitelist_passwd.conf'
      '/etc/permission-hardener.d/25_default_whitelist_policykit.conf'
      '/etc/permission-hardener.d/25_default_whitelist_postfix.conf'
      '/etc/permission-hardener.d/25_default_whitelist_qubes.conf'
      '/etc/permission-hardener.d/25_default_whitelist_selinux.conf'
      '/etc/permission-hardener.d/25_default_whitelist_spice.conf'
      '/etc/permission-hardener.d/25_default_whitelist_ssh.conf'
      '/etc/permission-hardener.d/25_default_whitelist_sudo.conf'
      '/etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf'
      '/etc/permission-hardener.d/25_default_whitelist_virtualbox.conf'
      '/etc/permission-hardener.d/20_user-sysmaint-split.conf'
      '/etc/permission-hardener.d/30_ping.conf'
      '/etc/permission-hardener.d/30_default.conf'
   )

   pkg_list=( "security-misc" )
   if pkg_installed user-sysmaint-split ; then
      pkg_list+=( "user-sysmaint-split" )
   fi
   if pkg_installed anon-apps-config ; then
      pkg_list+=( "anon-apps-config" )
   fi

   ## This will exit non-zero if some of the packages don't exist, but we
   ## don't care. The packages that *are* installed will still be scanned.
   modified_pkg_data_str="$(dpkg --verify "${pkg_list[@]}")" || true

   ## Example modified_pkg_data_str:
   #modified_pkg_data_str='missing     /usr/lib/permission-hardener.d/20_user-sysmaint-split.conf'

   readarray -t custom_hardening_arr < <(awk '/permission-hardener.d/{ print $NF }' <<< "${modified_pkg_data_str}")

   ## If the above `dpkg --verify` command doesn't return any permission-hardener
   ## related lines, the array will contain no meaningful info, just a single
   ## blank element at the start. Set the array to be explicitly empty in
   ## this scenario.
   if [ -z "${custom_hardening_arr[0]}" ]; then
      custom_hardening_arr=()
   fi

   for config_file in \
      /usr/lib/permission-hardener.d/*.conf \
      /etc/permission-hardener.d/*.conf \
      /usr/local/etc/permission-hardener.d/*.conf \
      /etc/permission-hardening.d/*.conf \
      /usr/local/etc/permission-hardening.d/*.conf
   do
      # shellcheck disable=SC2076
      if ! [[ " ${orig_hardening_arr[*]} " =~ " ${config_file} " ]]; then
         if [ -f "${config_file}" ]; then
            custom_hardening_arr+=( "${config_file}" )
         fi
      fi
   done

   if [ "${#custom_hardening_arr[@]}" != '0' ]; then
      for custom_config_file in "${custom_hardening_arr[@]}"; do
         if ! test -e "${custom_config_file}" ; then
            echo "$0: INFO: Possible missing configuration file found: '${custom_config_file}'"
         else
            echo "$0: INFO: Possible custom configuration file found: '${custom_config_file}'"
         fi
      done
      ## db_input will return code 30 if the message won't be displayed, which
      ## causes a non-interactive install to error out if you don't use || true
      db_input critical security-misc/alert-on-permission-hardener-v2-upgrade || true
      ## db_go can return code 30 too in some instances, we don't care here
      # shellcheck disable=SC2119
      db_go || true
   fi

   touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1"
}

check_migrate_permission_hardener_state

true "INFO: debhelper beginning here."

#DEBHELPER#

true "INFO: Done with debhelper."

true "
#####################################################################
## INFO: END  : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $*
#####################################################################
"

## Explicitly "exit 0", so eventually trapped errors can be ignored.
exit 0
Enable smooth migration from permission-hardener-v1 to permission-hardener-v2 2025-01-12 19:34:41 -06:00			`#!/bin/bash`

			`## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>`
			`## See the file COPYING for copying conditions.`

use pre.bsh 2025-01-14 09:07:32 -05:00			`if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then`
			`source /usr/libexec/helper-scripts/pre.bsh`
			`fi`

Enable smooth migration from permission-hardener-v1 to permission-hardener-v2 2025-01-12 19:34:41 -06:00			`source /usr/share/debconf/confmodule`

Add a forgotten set -e 2025-01-12 20:40:41 -06:00			`set -e`

output 2025-01-14 09:30:46 -05:00			`## Not set by DPKG for '.config' script.`
			`DPKG_MAINTSCRIPT_PACKAGE="security-misc"`
			`DPKG_MAINTSCRIPT_NAME="config"`

debhelper 2025-01-14 09:16:25 -05:00			`true "`
			`#####################################################################`
			`## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $*`
			`#####################################################################`
			`"`

comment 2025-01-17 07:55:54 -05:00			`## Code duplication.`
			`## '.config' scripts are run very early. Even 'Pre-Depends: helper-scripts' would be insufficient.`
			`## Therefore the code is duplicated here.`
			`## Copied from: helper-scripts /usr/libexec/helper-scripts/package_installed_check.bsh`
Avoid impossible-to-satisfy dependency on helper-scripts, improve string handling robustness in postinst 2025-01-15 19:10:41 -06:00			`pkg_installed() {`
			`local package_name dpkg_query_output`
			`local requested_action status error_state`

			`package_name="$1"`
			`## Cannot use '&>' because it is a bashism.`
			`dpkg_query_output="$(dpkg-query --show --showformat='${Status}' "$package_name" 2>/dev/null)" \|\| true`
			`## dpkg_query_output Exampels:`
			`## install ok half-configured`
			`## install ok installed`

			`requested_action=$(echo "$dpkg_query_output" \| awk '{print $1}')`
			`status=$(echo "$dpkg_query_output" \| awk '{print $2}')`
			`error_state=$(echo "$dpkg_query_output" \| awk '{print $3}')`

			`if [ "$requested_action" = 'install' ]; then`
			`true "$0: INFO: $package_name is installed, ok."`
			`return 0`
			`fi`

			`true "$0: INFO: $package_name is not installed, ok."`
			`return 1`
			`}`

Enable smooth migration from permission-hardener-v1 to permission-hardener-v2 2025-01-12 19:34:41 -06:00			`check_migrate_permission_hardener_state() {`
improve permission hardener migration code 2025-01-15 09:44:48 -05:00			`local pkg_list modified_pkg_data_str custom_hardening_arr config_file`
Avoid scanning unnecessary packages for modified permission-hardener config 2025-01-14 18:50:24 -06:00
refactoring 2025-01-14 03:19:21 -05:00			`## If folder /var/lib/permission-hardener (version 1) does not exist, this migration is unneeded.`
fix 2025-01-14 08:53:38 -05:00			`if [ ! -d '/var/lib/permission-hardener' ]; then`
refactoring 2025-01-14 03:17:00 -05:00			`return 0`
			`fi`

Fix minor migration bugs, don't run the migration code on new image builds 2025-01-13 21:57:10 -06:00			`local orig_hardening_arr custom_hardening_arr config_file custom_config_file`
Enable smooth migration from permission-hardener-v1 to permission-hardener-v2 2025-01-12 19:34:41 -06:00			`if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then`
			`return 0`
			`fi`
			`mkdir --parents '/var/lib/security-misc/do_once'`

refactoring 2025-01-14 03:17:00 -05:00			`orig_hardening_arr=(`
			`'/usr/lib/permission-hardener.d/25_default_passwd.conf'`
			`'/usr/lib/permission-hardener.d/25_default_sudo.conf'`
			`'/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf'`
			`'/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf'`
			`'/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf'`
			`'/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf'`
			`'/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf'`
			`'/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf'`
			`'/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf'`
			`'/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf'`
			`'/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf'`
			`'/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf'`
			`'/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf'`
			`'/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf'`
			`'/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf'`
			`'/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf'`
			`'/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf'`
			`'/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf'`
			`'/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf'`
			`'/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf'`
			`'/usr/lib/permission-hardener.d/20_user-sysmaint-split.conf'`
			`'/usr/lib/permission-hardener.d/30_ping.conf'`
			`'/usr/lib/permission-hardener.d/30_default.conf'`
			`'/etc/permission-hardener.d/25_default_passwd.conf'`
			`'/etc/permission-hardener.d/25_default_sudo.conf'`
			`'/etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf'`
			`'/etc/permission-hardener.d/25_default_whitelist_chromium.conf'`
			`'/etc/permission-hardener.d/25_default_whitelist_dbus.conf'`
			`'/etc/permission-hardener.d/25_default_whitelist_firejail.conf'`
			`'/etc/permission-hardener.d/25_default_whitelist_fuse.conf'`
			`'/etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf'`
			`'/etc/permission-hardener.d/25_default_whitelist_mount.conf'`
			`'/etc/permission-hardener.d/25_default_whitelist_pam.conf'`
			`'/etc/permission-hardener.d/25_default_whitelist_passwd.conf'`
			`'/etc/permission-hardener.d/25_default_whitelist_policykit.conf'`
			`'/etc/permission-hardener.d/25_default_whitelist_postfix.conf'`
			`'/etc/permission-hardener.d/25_default_whitelist_qubes.conf'`
			`'/etc/permission-hardener.d/25_default_whitelist_selinux.conf'`
			`'/etc/permission-hardener.d/25_default_whitelist_spice.conf'`
			`'/etc/permission-hardener.d/25_default_whitelist_ssh.conf'`
			`'/etc/permission-hardener.d/25_default_whitelist_sudo.conf'`
			`'/etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf'`
			`'/etc/permission-hardener.d/25_default_whitelist_virtualbox.conf'`
			`'/etc/permission-hardener.d/20_user-sysmaint-split.conf'`
			`'/etc/permission-hardener.d/30_ping.conf'`
			`'/etc/permission-hardener.d/30_default.conf'`
			`)`
Enable smooth migration from permission-hardener-v1 to permission-hardener-v2 2025-01-12 19:34:41 -06:00
Avoid impossible-to-satisfy dependency on helper-scripts, improve string handling robustness in postinst 2025-01-15 19:10:41 -06:00			`pkg_list=( "security-misc" )`
improve permission hardener migration code 2025-01-15 09:44:48 -05:00			`if pkg_installed user-sysmaint-split ; then`
Avoid impossible-to-satisfy dependency on helper-scripts, improve string handling robustness in postinst 2025-01-15 19:10:41 -06:00			`pkg_list+=( "user-sysmaint-split" )`
improve permission hardener migration code 2025-01-15 09:44:48 -05:00			`fi`
			`if pkg_installed anon-apps-config ; then`
Avoid impossible-to-satisfy dependency on helper-scripts, improve string handling robustness in postinst 2025-01-15 19:10:41 -06:00			`pkg_list+=( "anon-apps-config" )`
improve permission hardener migration code 2025-01-15 09:44:48 -05:00			`fi`

Avoid scanning unnecessary packages for modified permission-hardener config 2025-01-14 18:50:24 -06:00			`## This will exit non-zero if some of the packages don't exist, but we`
			`## don't care. The packages that are installed will still be scanned.`
Avoid impossible-to-satisfy dependency on helper-scripts, improve string handling robustness in postinst 2025-01-15 19:10:41 -06:00			`modified_pkg_data_str="$(dpkg --verify "${pkg_list[@]}")" \|\| true`
improve permission hardener migration code 2025-01-15 09:44:48 -05:00
			`## Example modified_pkg_data_str:`
			`#modified_pkg_data_str='missing /usr/lib/permission-hardener.d/20_user-sysmaint-split.conf'`

Avoid scanning unnecessary packages for modified permission-hardener config 2025-01-14 18:50:24 -06:00			`readarray -t custom_hardening_arr < <(awk '/permission-hardener.d/{ print $NF }' <<< "${modified_pkg_data_str}")`
improve permission hardener migration code 2025-01-15 09:44:48 -05:00
			## If the above `dpkg --verify` command doesn't return any permission-hardener
refactoring 2025-01-14 03:17:00 -05:00			`## related lines, the array will contain no meaningful info, just a single`
			`## blank element at the start. Set the array to be explicitly empty in`
			`## this scenario.`
			`if [ -z "${custom_hardening_arr[0]}" ]; then`
			`custom_hardening_arr=()`
			`fi`
Enable smooth migration from permission-hardener-v1 to permission-hardener-v2 2025-01-12 19:34:41 -06:00
refactoring 2025-01-14 03:17:00 -05:00			`for config_file in \`
			`/usr/lib/permission-hardener.d/*.conf \`
			`/etc/permission-hardener.d/*.conf \`
			`/usr/local/etc/permission-hardener.d/*.conf \`
			`/etc/permission-hardening.d/*.conf \`
			`/usr/local/etc/permission-hardening.d/*.conf`
			`do`
			`# shellcheck disable=SC2076`
			`if ! [[ " ${orig_hardening_arr[*]} " =~ " ${config_file} " ]]; then`
			`if [ -f "${config_file}" ]; then`
			`custom_hardening_arr+=( "${config_file}" )`
Fix minor migration bugs, don't run the migration code on new image builds 2025-01-13 21:57:10 -06:00			`fi`
			`fi`
refactoring 2025-01-14 03:17:00 -05:00			`done`
Enable smooth migration from permission-hardener-v1 to permission-hardener-v2 2025-01-12 19:34:41 -06:00
refactoring 2025-01-14 03:17:00 -05:00			`if [ "${#custom_hardening_arr[@]}" != '0' ]; then`
			`for custom_config_file in "${custom_hardening_arr[@]}"; do`
improve permission hardener migration code 2025-01-15 09:44:48 -05:00			`if ! test -e "${custom_config_file}" ; then`
			`echo "$0: INFO: Possible missing configuration file found: '${custom_config_file}'"`
			`else`
			`echo "$0: INFO: Possible custom configuration file found: '${custom_config_file}'"`
			`fi`
refactoring 2025-01-14 03:17:00 -05:00			`done`
			`## db_input will return code 30 if the message won't be displayed, which`
			`## causes a non-interactive install to error out if you don't use \|\| true`
			`db_input critical security-misc/alert-on-permission-hardener-v2-upgrade \|\| true`
			`## db_go can return code 30 too in some instances, we don't care here`
			`# shellcheck disable=SC2119`
			`db_go \|\| true`
Fix minor migration bugs, don't run the migration code on new image builds 2025-01-13 21:57:10 -06:00			`fi`
refactoring 2025-01-14 03:17:00 -05:00
Enable smooth migration from permission-hardener-v1 to permission-hardener-v2 2025-01-12 19:34:41 -06:00			`touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1"`
			`}`

Add a forgotten set -e 2025-01-12 20:40:41 -06:00			`check_migrate_permission_hardener_state`
debhelper 2025-01-14 09:16:25 -05:00
			`true "INFO: debhelper beginning here."`

			`#DEBHELPER#`

			`true "INFO: Done with debhelper."`

			`true "`
			`#####################################################################`
			`## INFO: END : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $*`
			`#####################################################################`
			`"`

			`## Explicitly "exit 0", so eventually trapped errors can be ignored.`
			`exit 0`