Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie'

2025-11-26 18:16:29 -05:00 · 2025-08-27 04:28:25 -04:00 · 2025-08-27 04:28:25 -04:00 · 0a61107b5a
commit 0a61107b5a
parent ef458ce0d3 94ebb5c84c
12 changed files with 23 additions and 53 deletions
--- a/README.md
+++ b/README.md
@ -412,12 +412,13 @@ Miscellaneous modules:

  `/usr/lib/systemd/pstore.conf.d/30_security-misc.conf`

- An initramfs hook sets the sysctl values in `/etc/sysctl.conf` and
+- An initramfs hook used to set the sysctl values in `/etc/sysctl.conf` and
  `/etc/sysctl.d` before init is executed so sysctl hardening is enabled as
-  early as possible. This is implemented for `initramfs-tools` only because
+  early as possible. This was implemented for `initramfs-tools` only because
  this is not needed for `dracut` as `dracut` does that by default, at
  least on `systemd` enabled systems. Not researched for non-`systemd` systems
-  by the author of this part of the readme.
+  by the author of this part of the readme. This is no longer implemented for
+  `initramfs-tools` as `initramfs-tools` support has been deprecated.

 ## Network hardening

--- a/debian/security-misc.postinst
+++ b/debian/security-misc.postinst
@ -89,6 +89,10 @@ case "$1" in

        ## migrate permission_hardener state to v2 if applicable
        migrate_permission_hardener_state
+
+        ## Fix usbguard config permissions, this seemingly can't be done
+        ## during the unpack stage
+        chmod 0600 /etc/usbguard/rules.d/30_security-misc.conf
    ;;

    abort-upgrade|abort-remove|abort-deconfigure)
--- a/etc/initramfs-tools/hooks/sysctl-initramfs
+++ b/etc/initramfs-tools/hooks/sysctl-initramfs
@ -1,21 +0,0 @@
-#!/bin/sh
-
-## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-set -e
-
-PREREQ=""
-prereqs()
-{
-        echo "$PREREQ"
-}
-case $1 in
-prereqs)
-       prereqs
-       exit 0
-       ;;
-esac
-
-. /usr/share/initramfs-tools/hook-functions
-copy_exec /usr/sbin/sysctl /usr/sbin
--- a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs
+++ b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs
@ -1,26 +0,0 @@
-#!/bin/sh
-
-## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-PREREQ=""
-prereqs()
-{
-        echo "$PREREQ"
-}
-case $1 in
-prereqs)
-        prereqs
-        exit 0
-        ;;
-esac
-
-## Write to '/run/initramfs' folder.
-## https://forums.whonix.org/t/kernel-hardening/7296/435
-
-sysctl -p ${rootmnt}/etc/sysctl.conf >/dev/null 2> "/run/initramfs/sysctl-initramfs-error.log"
-sysctl -p ${rootmnt}/etc/sysctl.d/*.conf >/dev/null 2>> "/run/initramfs/sysctl-initramfs-error.log"
-
-grep -v "unprivileged_userfaultfd" "/run/initramfs/sysctl-initramfs-error.log"
-
-true
--- a/etc/profile.d/30_security-misc.sh
+++ b/etc/profile.d/30_security-misc.sh
@ -4,7 +4,7 @@
 ## See the file COPYING for copying conditions.

 if [ -z "$XDG_CONFIG_DIRS" ]; then
-   XDG_CONFIG_DIRS="/etc/xdg"
+   XDG_CONFIG_DIRS="/etc:/etc/xdg:/usr/share"
 fi
 if ! printf '%s\n' "$XDG_CONFIG_DIRS" | grep -- "/usr/share/security-misc/" >/dev/null 2>/dev/null ; then
   export XDG_CONFIG_DIRS="/usr/share/security-misc/:$XDG_CONFIG_DIRS"
--- a/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf
+++ b/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf
@ -16,7 +16,7 @@
 ## relies solely on the calling user's UID and GID, though this could require
 ## further review.)
 ##
-## Without this, Xfce fails to start with a dbus-launch error.
+## Without this, LXQt fails to start with a dbus-launch error.
 ##
 ## TODO: audit pam-tmpdir-helper
 pam-tmpdir-helper matchwhitelist
--- a/usr/lib/systemd/system-preset/50-security-misc.preset
+++ b/usr/lib/systemd/system-preset/50-security-misc.preset
@ -26,3 +26,7 @@ disable ensure-shutdown-trigger.service

 ## TODO: Disabled due to bug: breaks ISO Live Mode Calamares installer
 disable emerg-shutdown.service
+
+## memlockd is needed by emerg-shutdown, but the service is not, the user can
+## enable this manually if desired.
+disable memlockd.service
--- a/usr/lib/systemd/system/emerg-shutdown.service
+++ b/usr/lib/systemd/system/emerg-shutdown.service
@ -10,6 +10,7 @@ Requires=systemd-udevd.service
 After=systemd-udevd.service
 Requires=local-fs.target
 After=local-fs.target
+ConditionPathExists=!/usr/share/qubes/marker-vm

 [Service]
 Type=notify
--- a/usr/lib/systemd/system/ensure-shutdown-trigger.service
+++ b/usr/lib/systemd/system/ensure-shutdown-trigger.service
@ -7,6 +7,7 @@
 [Unit]
 Description=Forcibly shut down the system if normal shutdown gets stuck (alternate trigger unit)
 Documentation=https://github.com/Kicksecure/security-misc
+ConditionPathExists=!/usr/share/qubes/marker-vm

 [Service]
 Type=oneshot
--- a/usr/lib/systemd/system/ensure-shutdown.service
+++ b/usr/lib/systemd/system/ensure-shutdown.service
@ -13,6 +13,7 @@ Requires=systemd-udevd.service
 After=systemd-udevd.service
 Wants=emerg-shutdown.service
 After=emerg-shutdown.service
+ConditionPathExists=!/usr/share/qubes/marker-vm

 [Service]
 Type=oneshot
--- a/usr/lib/systemd/system/usbguard.service.d/30_security-misc.conf
+++ b/usr/lib/systemd/system/usbguard.service.d/30_security-misc.conf
@ -0,0 +1,5 @@
+## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+[Unit]
+ConditionPathExists=/sys/bus/usb
--- a/usr/share/security-misc/security-misc-memlockd.cfg
+++ b/usr/share/security-misc/security-misc-memlockd.cfg
@ -1,2 +1,2 @@
 # Lock systemd and all of its library dependencies into memory
-+/usr/bin/systemd
+/usr/lib/systemd/systemd