Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-06-07 09:42:43 -04:00
Code Issues Projects Releases Packages Wiki Activity

Enable smooth migration from permission-hardener-v1 to permission-hardener-v2

Browse source
This commit is contained in:
Aaron Rainbolt 2025-01-12 19:34:41 -06:00
parent de1f31e3df
commit 07786de039
No known key found for this signature in database
GPG key ID: A709160D73C79109
6 changed files with 167 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

3
debian/control vendored
View file

@ -8,7 +8,8 @@ Maintainer: Patrick Schleizer <adrelanos@kicksecure.com>
Build-Depends: config-package-dev, Build-Depends: config-package-dev,
debhelper (>= 13), debhelper (>= 13),
debhelper-compat (= 13), debhelper-compat (= 13),
dh-apparmor dh-apparmor,
po-debconf
Homepage: https://www.kicksecure.com/wiki/Security-misc Homepage: https://www.kicksecure.com/wiki/Security-misc
Vcs-Browser: https://github.com/Kicksecure/security-misc Vcs-Browser: https://github.com/Kicksecure/security-misc
Vcs-Git: https://github.com/Kicksecure/security-misc.git Vcs-Git: https://github.com/Kicksecure/security-misc.git

1
debian/po/POTFILES.in vendored Normal file
View file

@ -0,0 +1 @@
[type: gettext/rfc822deb] security-misc.templates

34
debian/po/templates.pot vendored Normal file
View file

@ -0,0 +1,34 @@
# SOME DESCRIPTIVE TITLE.
# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
# This file is distributed under the same license as the security-misc package.
# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
#
#, fuzzy
msgid ""
msgstr ""
"Project-Id-Version: security-misc\n"
"Report-Msgid-Bugs-To: security-misc@packages.debian.org\n"
"POT-Creation-Date: 2025-01-12 19:28-0600\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
"Language: \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=CHARSET\n"
"Content-Transfer-Encoding: 8bit\n"
#. Type: note
#. Description
#: ../security-misc.templates:1001
msgid "Manual intervention may be required for permission-hardener update"
msgstr ""
#. Type: note
#. Description
#: ../security-misc.templates:1001
msgid ""
"permission-hardener is being updated to correct a bug that caused state file "
"corruption. If you installed your own custom permission-hardener "
"configuration, some manual intervention may be required. See https://www."
"kicksecure.com/wiki/Permission-hardener#Fixing_state_files"
msgstr ""

64
debian/security-misc.config vendored Normal file
View file

@ -0,0 +1,64 @@
#!/bin/bash
## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
source /usr/share/debconf/confmodule
check_migrate_permission_hardener_state() {
local orig_hardening_arr custom_hardening_arr config_file
if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then
return 0
fi
mkdir --parents '/var/lib/security-misc/do_once'
# TODO: Is there some way to autogenerate this list at runtime?
orig_hardening_arr=(
'/usr/lib/permission-hardener.d/25_default_sudo.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf'
'/usr/lib/permission-hardener.d/20_user-sysmaint-split.conf'
'/usr/lib/permission-hardener.d/30_ping.conf'
'/usr/lib/permission-hardener.d/30_default.conf'
)
readarray -t custom_hardening_arr < <(dpkg -V | awk '/permission-hardener.d/{ print $NF }')
for config_file in \
/usr/lib/permission-hardener.d/*.conf \
/etc/permission-hardener.d/*.conf \
/usr/local/etc/permission-hardener.d/*.conf \
/etc/permission-hardening.d/*.conf \
/usr/local/etc/permission-hardening.d/*.conf
do
# shellcheck disable=SC2076
if ! [[ " ${orig_hardening_arr[*]} " =~ " ${config_file} " ]]; then
custom_hardening_arr+=( "${config_file}" )
fi
done
if [ "${#custom_hardening_arr[@]}" != '0' ]; then
db_input critical security-misc/alert-on-permission-hardener-v2-upgrade
# shellcheck disable=SC2119
db_go
fi
touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1"
}
check_migrate_permission_hardener_state

62
debian/security-misc.postinst vendored
View file

@ -7,11 +7,15 @@ if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then
source /usr/libexec/helper-scripts/pre.bsh source /usr/libexec/helper-scripts/pre.bsh
fi fi
## Required since this package uses debconf - this is mandatory even though
## the postinst itself does not use debconf commands.
source /usr/share/debconf/confmodule
set -e set -e
true " true "
##################################################################### #####################################################################
## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@ ## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $*
##################################################################### #####################################################################
" "
@ -33,6 +37,55 @@ permission_hardening() {
echo "$0: INFO: Permission hardening success." echo "$0: INFO: Permission hardening success."
} }
migrate_permission_hardener_state() {
local v2_state_file
if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then
return 0
fi
mkdir --parents '/var/lib/security-misc/do_once'
## This has to be stored in the postinst rather than installed by the
## package, because permission-hardener *will* change it and we *cannot*
## allow future package updates to overwrite it.
v2_state_file="root root 644 /etc/passwd-
root root 755 /etc/cron.monthly
root root 755 /etc/sudoers.d
root shadow 2755 /usr/bin/expiry
root root 4755 /usr/bin/umount
root root 4755 /usr/bin/gpasswd
root root 755 /usr/lib/modules
root root 644 /etc/issue.net
root root 644 /etc/group-
root root 4755 /usr/bin/newgrp
root root 755 /etc/cron.weekly
root root 644 /etc/hosts.deny
root root 4755 /usr/bin/su
root root 644 /etc/hosts.allow
root root 700 /root
root root 755 /etc/cron.daily
root root 755 /bin/ping
root root 777 /etc/motd
root root 755 /boot
root root 755 /home
root shadow 2755 /usr/bin/chage
root root 4755 /usr/bin/chsh
root root 4755 /usr/bin/passwd
root root 4755 /usr/bin/chfn
root root 644 /etc/group
root root 755 /etc/permission-hardener.d
root root 644 /etc/passwd
root root 755 /usr/src
root root 4755 /usr/bin/mount
root root 777 /etc/issue
root root 755 /etc/cron.d"
## Not using sponge since moreutils might not be installed at this point.
mkdir --parents '/var/lib/permission-hardener-v2/existing_mode'
echo "${v2_state_file}" > '/var/lib/permission-hardener-v2/existing_mode/statoverride'
touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1"
}
case "$1" in case "$1" in
configure) configure)
if [ -d /etc/skel/.gnupg ]; then if [ -d /etc/skel/.gnupg ]; then
@ -45,13 +98,16 @@ case "$1" in
## state dir for faillock ## state dir for faillock
mkdir -p /var/lib/security-misc/faillock mkdir -p /var/lib/security-misc/faillock
## migrate permission_hardener state to v2 if applicable
migrate_permission_hardener_state
;; ;;
abort-upgrade|abort-remove|abort-deconfigure) abort-upgrade|abort-remove|abort-deconfigure)
;; ;;
triggered) triggered)
echo "INFO: triggered $DPKG_MAINTSCRIPT_PACKAGE: '$DPKG_MAINTSCRIPT_PACKAGE' $DPKG_MAINTSCRIPT_PACKAGE DPKG_MAINTSCRIPT_NAME: '$DPKG_MAINTSCRIPT_NAME' $\@: '$@' 2: '$2'" echo "INFO: triggered $DPKG_MAINTSCRIPT_PACKAGE: '$DPKG_MAINTSCRIPT_PACKAGE' $DPKG_MAINTSCRIPT_PACKAGE DPKG_MAINTSCRIPT_NAME: '$DPKG_MAINTSCRIPT_NAME' $\*: '$*' 2: '$2'"
/usr/share/security-misc/lkrg/lkrg-virtualbox || true /usr/share/security-misc/lkrg/lkrg-virtualbox || true
/usr/libexec/security-misc/mmap-rnd-bits || true /usr/libexec/security-misc/mmap-rnd-bits || true
permission_hardening permission_hardening
@ -94,7 +150,7 @@ permission_hardening_legacy_config_folder
true " true "
##################################################################### #####################################################################
## INFO: END : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@ ## INFO: END : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $*
##################################################################### #####################################################################
" "

7
debian/security-misc.templates vendored Normal file
View file

@ -0,0 +1,7 @@
Template: security-misc/alert-on-permission-hardener-v2-upgrade
Type: note
_Description: Manual intervention may be required for permission-hardener update
permission-hardener is being updated to correct a bug that caused state file
corruption. If you installed your own custom permission-hardener configuration,
some manual intervention may be required. See
https://www.kicksecure.com/wiki/Permission-hardener#Fixing_state_files