security-misc/debian/security-misc.config

#!/bin/bash

## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

source /usr/share/debconf/confmodule

set -e

check_migrate_permission_hardener_state() {
   local orig_hardening_arr custom_hardening_arr config_file
   if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then
     return 0
   fi
   mkdir --parents '/var/lib/security-misc/do_once'

   # TODO: Is there some way to autogenerate this list at runtime?
   orig_hardening_arr=(
      '/usr/lib/permission-hardener.d/25_default_sudo.conf'
      '/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf'
      '/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf'
      '/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf'
      '/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf'
      '/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf'
      '/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf'
      '/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf'
      '/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf'
      '/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf'
      '/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf'
      '/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf'
      '/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf'
      '/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf'
      '/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf'
      '/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf'
      '/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf'
      '/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf'
      '/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf'
      '/usr/lib/permission-hardener.d/20_user-sysmaint-split.conf'
      '/usr/lib/permission-hardener.d/30_ping.conf'
      '/usr/lib/permission-hardener.d/30_default.conf'
   )
   readarray -t custom_hardening_arr < <(dpkg -V | awk '/permission-hardener.d/{ print $NF }')

   for config_file in \
      /usr/lib/permission-hardener.d/*.conf \
      /etc/permission-hardener.d/*.conf \
      /usr/local/etc/permission-hardener.d/*.conf \
      /etc/permission-hardening.d/*.conf \
      /usr/local/etc/permission-hardening.d/*.conf
   do
      # shellcheck disable=SC2076
      if ! [[ " ${orig_hardening_arr[*]} " =~ " ${config_file} " ]]; then
         custom_hardening_arr+=( "${config_file}" )
      fi
   done

   if [ "${#custom_hardening_arr[@]}" != '0' ]; then
      ## db_input will return code 30 if the message won't be displayed, which
      ## causes a non-interactive install to error out if you don't use || true
      db_input critical security-misc/alert-on-permission-hardener-v2-upgrade || true
      ## db_go can return code 30 too in some instances, we don't care here
      # shellcheck disable=SC2119
      db_go || true
   fi

   touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1"
}

check_migrate_permission_hardener_state
Enable smooth migration from permission-hardener-v1 to permission-hardener-v2 2025-01-12 19:34:41 -06:00			`#!/bin/bash`

			`## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>`
			`## See the file COPYING for copying conditions.`

			`source /usr/share/debconf/confmodule`

Add a forgotten set -e 2025-01-12 20:40:41 -06:00			`set -e`

Enable smooth migration from permission-hardener-v1 to permission-hardener-v2 2025-01-12 19:34:41 -06:00			`check_migrate_permission_hardener_state() {`
			`local orig_hardening_arr custom_hardening_arr config_file`
			`if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then`
			`return 0`
			`fi`
			`mkdir --parents '/var/lib/security-misc/do_once'`

			`# TODO: Is there some way to autogenerate this list at runtime?`
			`orig_hardening_arr=(`
			`'/usr/lib/permission-hardener.d/25_default_sudo.conf'`
			`'/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf'`
			`'/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf'`
			`'/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf'`
			`'/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf'`
			`'/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf'`
			`'/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf'`
			`'/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf'`
			`'/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf'`
			`'/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf'`
			`'/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf'`
			`'/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf'`
			`'/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf'`
			`'/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf'`
			`'/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf'`
			`'/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf'`
			`'/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf'`
			`'/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf'`
			`'/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf'`
			`'/usr/lib/permission-hardener.d/20_user-sysmaint-split.conf'`
			`'/usr/lib/permission-hardener.d/30_ping.conf'`
			`'/usr/lib/permission-hardener.d/30_default.conf'`
			`)`
			`readarray -t custom_hardening_arr < <(dpkg -V \| awk '/permission-hardener.d/{ print $NF }')`

			`for config_file in \`
			`/usr/lib/permission-hardener.d/*.conf \`
			`/etc/permission-hardener.d/*.conf \`
			`/usr/local/etc/permission-hardener.d/*.conf \`
			`/etc/permission-hardening.d/*.conf \`
			`/usr/local/etc/permission-hardening.d/*.conf`
			`do`
			`# shellcheck disable=SC2076`
			`if ! [[ " ${orig_hardening_arr[*]} " =~ " ${config_file} " ]]; then`
			`custom_hardening_arr+=( "${config_file}" )`
			`fi`
			`done`

			`if [ "${#custom_hardening_arr[@]}" != '0' ]; then`
Prevent installation failures when installing non-interactively 2025-01-12 21:13:43 -06:00			`## db_input will return code 30 if the message won't be displayed, which`
			`## causes a non-interactive install to error out if you don't use \|\| true`
			`db_input critical security-misc/alert-on-permission-hardener-v2-upgrade \|\| true`
			`## db_go can return code 30 too in some instances, we don't care here`
Enable smooth migration from permission-hardener-v1 to permission-hardener-v2 2025-01-12 19:34:41 -06:00			`# shellcheck disable=SC2119`
Prevent installation failures when installing non-interactively 2025-01-12 21:13:43 -06:00			`db_go \|\| true`
Enable smooth migration from permission-hardener-v1 to permission-hardener-v2 2025-01-12 19:34:41 -06:00			`fi`

			`touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1"`
			`}`

Add a forgotten set -e 2025-01-12 20:40:41 -06:00			`check_migrate_permission_hardener_state`