Enable smooth migration from permission-hardener-v1 to permission-hardener-v2

2025-02-13 04:51:33 -05:00 · 2025-01-12 19:34:41 -06:00 · 2025-01-12 19:34:41 -06:00 · 07786de039
commit 07786de039
parent de1f31e3df
6 changed files with 167 additions and 4 deletions
--- a/debian/control
+++ b/debian/control
@ -8,7 +8,8 @@ Maintainer: Patrick Schleizer <adrelanos@kicksecure.com>
 Build-Depends: config-package-dev,
               debhelper (>= 13),
               debhelper-compat (= 13),
-               dh-apparmor
+               dh-apparmor,
+               po-debconf
 Homepage: https://www.kicksecure.com/wiki/Security-misc
 Vcs-Browser: https://github.com/Kicksecure/security-misc
 Vcs-Git: https://github.com/Kicksecure/security-misc.git
--- a/debian/po/POTFILES.in
+++ b/debian/po/POTFILES.in
@ -0,0 +1 @@
+[type: gettext/rfc822deb] security-misc.templates
--- a/debian/po/templates.pot
+++ b/debian/po/templates.pot
@ -0,0 +1,34 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the security-misc package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: security-misc\n"
+"Report-Msgid-Bugs-To: security-misc@packages.debian.org\n"
+"POT-Creation-Date: 2025-01-12 19:28-0600\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=CHARSET\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: note
+#. Description
+#: ../security-misc.templates:1001
+msgid "Manual intervention may be required for permission-hardener update"
+msgstr ""
+
+#. Type: note
+#. Description
+#: ../security-misc.templates:1001
+msgid ""
+"permission-hardener is being updated to correct a bug that caused state file "
+"corruption. If you installed your own custom permission-hardener "
+"configuration, some manual intervention may be required. See https://www."
+"kicksecure.com/wiki/Permission-hardener#Fixing_state_files"
+msgstr ""
--- a/debian/security-misc.config
+++ b/debian/security-misc.config
@ -0,0 +1,64 @@
+#!/bin/bash
+
+## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+source /usr/share/debconf/confmodule
+
+check_migrate_permission_hardener_state() {
+   local orig_hardening_arr custom_hardening_arr config_file
+   if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then
+     return 0
+   fi
+   mkdir --parents '/var/lib/security-misc/do_once'
+
+   # TODO: Is there some way to autogenerate this list at runtime?
+   orig_hardening_arr=(
+      '/usr/lib/permission-hardener.d/25_default_sudo.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf'
+      '/usr/lib/permission-hardener.d/20_user-sysmaint-split.conf'
+      '/usr/lib/permission-hardener.d/30_ping.conf'
+      '/usr/lib/permission-hardener.d/30_default.conf'
+   )
+   readarray -t custom_hardening_arr < <(dpkg -V | awk '/permission-hardener.d/{ print $NF }')
+
+   for config_file in \
+      /usr/lib/permission-hardener.d/*.conf \
+      /etc/permission-hardener.d/*.conf \
+      /usr/local/etc/permission-hardener.d/*.conf \
+      /etc/permission-hardening.d/*.conf \
+      /usr/local/etc/permission-hardening.d/*.conf
+   do
+      # shellcheck disable=SC2076
+      if ! [[ " ${orig_hardening_arr[*]} " =~ " ${config_file} " ]]; then
+         custom_hardening_arr+=( "${config_file}" )
+      fi
+   done
+
+   if [ "${#custom_hardening_arr[@]}" != '0' ]; then
+      db_input critical security-misc/alert-on-permission-hardener-v2-upgrade
+      # shellcheck disable=SC2119
+      db_go
+   fi
+
+   touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1"
+}
+
+check_migrate_permission_hardener_state
--- a/debian/security-misc.postinst
+++ b/debian/security-misc.postinst
@ -7,11 +7,15 @@ if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then
   source /usr/libexec/helper-scripts/pre.bsh
 fi

+## Required since this package uses debconf - this is mandatory even though
+## the postinst itself does not use debconf commands.
+source /usr/share/debconf/confmodule
+
 set -e

 true "
 #####################################################################
-## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@
+## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $*
 #####################################################################
 "

@ -33,6 +37,55 @@ permission_hardening() {
    echo "$0: INFO: Permission hardening success."
 }

+migrate_permission_hardener_state() {
+   local v2_state_file
+
+   if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then
+     return 0
+   fi
+   mkdir --parents '/var/lib/security-misc/do_once'
+
+   ## This has to be stored in the postinst rather than installed by the
+   ## package, because permission-hardener *will* change it and we *cannot*
+   ## allow future package updates to overwrite it.
+   v2_state_file="root root 644 /etc/passwd-
+root root 755 /etc/cron.monthly
+root root 755 /etc/sudoers.d
+root shadow 2755 /usr/bin/expiry
+root root 4755 /usr/bin/umount
+root root 4755 /usr/bin/gpasswd
+root root 755 /usr/lib/modules
+root root 644 /etc/issue.net
+root root 644 /etc/group-
+root root 4755 /usr/bin/newgrp
+root root 755 /etc/cron.weekly
+root root 644 /etc/hosts.deny
+root root 4755 /usr/bin/su
+root root 644 /etc/hosts.allow
+root root 700 /root
+root root 755 /etc/cron.daily
+root root 755 /bin/ping
+root root 777 /etc/motd
+root root 755 /boot
+root root 755 /home
+root shadow 2755 /usr/bin/chage
+root root 4755 /usr/bin/chsh
+root root 4755 /usr/bin/passwd
+root root 4755 /usr/bin/chfn
+root root 644 /etc/group
+root root 755 /etc/permission-hardener.d
+root root 644 /etc/passwd
+root root 755 /usr/src
+root root 4755 /usr/bin/mount
+root root 777 /etc/issue
+root root 755 /etc/cron.d"
+
+   ## Not using sponge since moreutils might not be installed at this point.
+   mkdir --parents '/var/lib/permission-hardener-v2/existing_mode'
+   echo "${v2_state_file}" > '/var/lib/permission-hardener-v2/existing_mode/statoverride'
+   touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1"
+}
+
 case "$1" in
    configure)
        if [ -d /etc/skel/.gnupg ]; then
@ -45,13 +98,16 @@ case "$1" in

        ## state dir for faillock
        mkdir -p /var/lib/security-misc/faillock
+
+        ## migrate permission_hardener state to v2 if applicable
+        migrate_permission_hardener_state
    ;;

    abort-upgrade|abort-remove|abort-deconfigure)
    ;;

    triggered)
-      echo "INFO: triggered $DPKG_MAINTSCRIPT_PACKAGE: '$DPKG_MAINTSCRIPT_PACKAGE' $DPKG_MAINTSCRIPT_PACKAGE DPKG_MAINTSCRIPT_NAME: '$DPKG_MAINTSCRIPT_NAME' $\@: '$@' 2: '$2'"
+      echo "INFO: triggered $DPKG_MAINTSCRIPT_PACKAGE: '$DPKG_MAINTSCRIPT_PACKAGE' $DPKG_MAINTSCRIPT_PACKAGE DPKG_MAINTSCRIPT_NAME: '$DPKG_MAINTSCRIPT_NAME' $\*: '$*' 2: '$2'"
      /usr/share/security-misc/lkrg/lkrg-virtualbox || true
      /usr/libexec/security-misc/mmap-rnd-bits || true
      permission_hardening
@ -94,7 +150,7 @@ permission_hardening_legacy_config_folder

 true "
 #####################################################################
-## INFO: END  : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@
+## INFO: END  : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $*
 #####################################################################
 "

--- a/debian/security-misc.templates
+++ b/debian/security-misc.templates
@ -0,0 +1,7 @@
+Template: security-misc/alert-on-permission-hardener-v2-upgrade
+Type: note
+_Description: Manual intervention may be required for permission-hardener update
+ permission-hardener is being updated to correct a bug that caused state file
+ corruption. If you installed your own custom permission-hardener configuration,
+ some manual intervention may be required. See
+ https://www.kicksecure.com/wiki/Permission-hardener#Fixing_state_files
				`@ -0,0 +1 @@`
				`[type: gettext/rfc822deb] security-misc.templates`