security-misc/etc/permission-hardener.d/25_default_whitelist_qubes.conf

## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

## Please use "/etc/permission-hardener.d/20_user.conf" or
## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
## configuration. When security-misc is updated, this file may be overwritten.

## TODO: research
## https://github.com/QubesOS/qubes-core-agent-linux/blob/master/qubes-rpc/qfile-unpacker.c
##
## Qubes upstream security issue:
## qfile-unpacker allows unprivileged users in VMs to gain root privileges
## https://github.com/QubesOS/qubes-issues/issues/8633
##
## match both:
#/usr/lib/qubes/qfile-unpacker whitelist
#/lib/qubes/qfile-unpacker
qfile-unpacker matchwhitelist
Update copyright 2023-03-30 02:08:47 -04:00			`## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>`
simplify disabling of SUID Disabler and Permission Hardener whitelist split `/etc/permission-hardening.d/30_default.conf` into multiple files `/etc/permission-hardening.d/40_default_whitelist_[...].conf` therefore make it easier to delete any whitelisted SUID binaries 2020-12-01 04:28:15 -05:00			`## See the file COPYING for copying conditions.`

Rename file permission hardening script Hardener as the script is the agent that is hardening the file permissions. 2024-01-02 07:34:29 -05:00			`## Please use "/etc/permission-hardener.d/20_user.conf" or`
			`## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom`
simplify disabling of SUID Disabler and Permission Hardener whitelist split `/etc/permission-hardening.d/30_default.conf` into multiple files `/etc/permission-hardening.d/40_default_whitelist_[...].conf` therefore make it easier to delete any whitelisted SUID binaries 2020-12-01 04:28:15 -05:00			`## configuration. When security-misc is updated, this file may be overwritten.`

			`## TODO: research`
			`## https://github.com/QubesOS/qubes-core-agent-linux/blob/master/qubes-rpc/qfile-unpacker.c`
comments 2023-11-06 16:40:22 -05:00			`##`
			`## Qubes upstream security issue:`
			`## qfile-unpacker allows unprivileged users in VMs to gain root privileges`
exclude qfile-unpacker from permission hardener 2023-11-05 16:03:36 -05:00			`## https://github.com/QubesOS/qubes-issues/issues/8633`
comments 2023-11-06 16:40:22 -05:00			`##`
simplify disabling of SUID Disabler and Permission Hardener whitelist split `/etc/permission-hardening.d/30_default.conf` into multiple files `/etc/permission-hardening.d/40_default_whitelist_[...].conf` therefore make it easier to delete any whitelisted SUID binaries 2020-12-01 04:28:15 -05:00			`## match both:`
			`#/usr/lib/qubes/qfile-unpacker whitelist`
			`#/lib/qubes/qfile-unpacker`
exclude qfile-unpacker from permission hardener 2023-11-05 16:03:36 -05:00			`qfile-unpacker matchwhitelist`