Merge branch 'master' into docs

2025-11-27 16:40:53 -05:00 · 2025-11-10 00:20:48 +11:00 · 2025-11-10 00:20:48 +11:00 · 0aa0b67df6
commit 0aa0b67df6
parent a46f678c7f 0939883f0b
7 changed files with 113 additions and 7 deletions
--- a/README.md
+++ b/README.md
@ -52,10 +52,9 @@ configuration file and significant hardening is applied to a myriad of component
 - Force immediate system reboot on the occurrence of a single kernel panic, reducing the
  risk and impact of denial-of-service attacks and both cold and warm boot attacks.
- Force immediate kernel panic on OOM (out of memory) which the above setting will force
+- Optional - Force immediate kernel panic on OOM. This is to avoid security features such as the screen
-  an immediate system reboot, as opposed to placing any reliance on the oom_killer to
+  locker, kloak, emerg-shutdown from being arbitrarily terminated when the system starts
-  avoid arbitrarily terminating security features based on their OOM score. Note this creates
+  running out of memory.
  the risk of userspace-based denial-of-service attacks that maliciously fill memory.
 - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
@ -580,8 +579,8 @@ See:
 - `/etc/systemd/system/emergency.service.d/override.conf`
 - `/etc/systemd/system/rescue.service.d/override.conf`
-Adverse security effects can be prevented by setting up BIOS password
+Adverse security effects can be prevented by setting up [BIOS Password](https://www.kicksecure.com/wiki/Protection_Against_Physical_Attacks#BIOS_Password)
-protection, GRUB password protection, and/or full disk encryption.
+protection, [Bootloader Password](https://www.kicksecure.com/wiki/Protection_Against_Physical_Attacks#Bootloader_Password) protection, and/or [Full Disk Encryption (FDE)](https://www.kicksecure.com/wiki/Full_Disk_Encryption).
 ## Console lockdown
--- a/changelog.upstream
+++ b/changelog.upstream
@ -1,3 +1,72 @@
 commit 039141188558931b73a9b5897ea3422bbb201dad
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Sun Nov 9 05:47:00 2025 -0500
    revert Force immediate kernel panic on OOM.
    https://github.com/Kicksecure/security-misc/issues/324#issuecomment-3507949741
 commit 26b96ce2800e794104e6d3c113c3c2c121795b39
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Sun Nov 9 08:12:42 2025 +0000
    bumped changelog version
 commit 1ef974300a157235da6a6c4d1379b62acf0c4c61
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Sat Nov 8 04:00:47 2025 -0500
    readme
 commit 48ce12eba38aec099b4afe42e4d42b1d41dcb97f
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Sat Nov 8 07:44:43 2025 +0000
    bumped changelog version
 commit 69419357e1bb2d0842ecd5db3e42bcaa011f5c11
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Sat Nov 8 02:42:25 2025 -0500
    genmkfile debinstfile
 commit d50e6afc8fb0a925e07fc54b7ecc1f450d9aa176
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Sat Nov 8 01:34:32 2025 -0500
    sanity test
 commit 12679608428e6927da480ca721b34bab75108687
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Sat Nov 8 01:32:45 2025 -0500
    comments
 commit 1e48886c7e77fa7bccfdee3cca6f0fbdba74e4a1
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Sat Nov 8 01:31:02 2025 -0500
    long option name
 commit d6c949c791bcc2c76b4f2e81eb0ffd370f8f1a37
 Merge: 5b97e7bd fa32ba6c
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Sat Nov 8 01:29:48 2025 -0500
    Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie'
 commit fa32ba6c4fccf35111f85ec3819e718963359d7c
 Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
 Date:   Fri Nov 7 17:09:22 2025 -0600
    Suppress usbguard startup unless a USB controller is visible to lspci
 commit 5b97e7bd277038b3b04c80a78ce05bb52277d4f6
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Sun Nov 2 11:41:51 2025 +0000
    bumped changelog version
 commit 58d5f738e63d4c18048fab4e2fd134d68722d0fd
 Merge: 5121f80f 7beb19b6
 Author: Patrick Schleizer <adrelanos@whonix.org>
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,21 @@
 security-misc (3:49.7-1) unstable; urgency=medium
  * New upstream version (local package).
 -- Patrick Schleizer <adrelanos@whonix.org>  Sun, 09 Nov 2025 10:47:45 +0000
 security-misc (3:49.6-1) unstable; urgency=medium
  * New upstream version (local package).
 -- Patrick Schleizer <adrelanos@whonix.org>  Sun, 09 Nov 2025 08:12:41 +0000
 security-misc (3:49.5-1) unstable; urgency=medium
  * New upstream version (local package).
 -- Patrick Schleizer <adrelanos@whonix.org>  Sat, 08 Nov 2025 07:44:43 +0000
 security-misc (3:49.4-1) unstable; urgency=medium
  * New upstream version (local package).
--- a/debian/security-misc-shared.install
+++ b/debian/security-misc-shared.install
@ -50,6 +50,7 @@ usr/libexec/security-misc/pam-info#security-misc-shared => /usr/libexec/security
 usr/libexec/security-misc/permission-lockdown#security-misc-shared => /usr/libexec/security-misc/permission-lockdown
 usr/libexec/security-misc/pam_only_if_su#security-misc-shared => /usr/libexec/security-misc/pam_only_if_su
 usr/libexec/security-misc/remove-system.map#security-misc-shared => /usr/libexec/security-misc/remove-system.map
 usr/libexec/security-misc/check-for-usb-controller#security-misc-shared => /usr/libexec/security-misc/check-for-usb-controller
 usr/libexec/security-misc/pam_only_if_login#security-misc-shared => /usr/libexec/security-misc/pam_only_if_login
 usr/libexec/security-misc/disable-kernel-module-loading#security-misc-shared => /usr/libexec/security-misc/disable-kernel-module-loading
 usr/libexec/security-misc/hide-hardware-info#security-misc-shared => /usr/libexec/security-misc/hide-hardware-info
--- a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared
+++ b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared
@ -210,8 +210,9 @@ kernel.perf_event_paranoid=3
 ## https://forums.whonix.org/t/screen-locker-in-security-can-we-disable-these-at-least-4-backdoors/8128/14
 ## https://github.com/KSPP/kspp.github.io/issues/9
 ## https://github.com/Kicksecure/security-misc/issues/324
 ## Needs more work.
 ##
-vm.panic_on_oom=2
+#vm.panic_on_oom=2
 ## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
 ## Can lead to privilege escalation by pushing characters into a controlling TTY.
--- a/usr/lib/systemd/system/usbguard.service.d/30_security-misc.conf#security-misc-shared
+++ b/usr/lib/systemd/system/usbguard.service.d/30_security-misc.conf#security-misc-shared
@ -3,3 +3,4 @@
 [Unit]
 ConditionPathExists=/sys/bus/usb
 ExecCondition=/usr/libexec/security-misc/check-for-usb-controller
--- a/usr/libexec/security-misc/check-for-usb-controller#security-misc-shared
+++ b/usr/libexec/security-misc/check-for-usb-controller#security-misc-shared
@ -0,0 +1,17 @@
 #!/bin/bash
 ## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 set -e
 export LC_ALL='C'
 ## Package 'pciutils' provides tool 'lspci'.
 command -v lspci &>/dev/null
 if lspci | grep --quiet '^[^ ]* USB controller: '; then
  exit 0
 fi
 exit 1