Merge branch 'master' into docs

2025-11-27 03:08:00 -05:00 · 2025-11-10 00:20:48 +11:00 · 2025-11-10 00:20:48 +11:00 · 0aa0b67df6
commit 0aa0b67df6
parent a46f678c7f 0939883f0b
7 changed files with 113 additions and 7 deletions
--- a/README.md
+++ b/README.md
@ -52,10 +52,9 @@ configuration file and significant hardening is applied to a myriad of component
 - Force immediate system reboot on the occurrence of a single kernel panic, reducing the
  risk and impact of denial-of-service attacks and both cold and warm boot attacks.

- Force immediate kernel panic on OOM (out of memory) which the above setting will force
-  an immediate system reboot, as opposed to placing any reliance on the oom_killer to
-  avoid arbitrarily terminating security features based on their OOM score. Note this creates
-  the risk of userspace-based denial-of-service attacks that maliciously fill memory.
+- Optional - Force immediate kernel panic on OOM. This is to avoid security features such as the screen
+  locker, kloak, emerg-shutdown from being arbitrarily terminated when the system starts
+  running out of memory.

 - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.

@ -580,8 +579,8 @@ See:
 - `/etc/systemd/system/emergency.service.d/override.conf`
 - `/etc/systemd/system/rescue.service.d/override.conf`

-Adverse security effects can be prevented by setting up BIOS password
-protection, GRUB password protection, and/or full disk encryption.
+Adverse security effects can be prevented by setting up [BIOS Password](https://www.kicksecure.com/wiki/Protection_Against_Physical_Attacks#BIOS_Password)
+protection, [Bootloader Password](https://www.kicksecure.com/wiki/Protection_Against_Physical_Attacks#Bootloader_Password) protection, and/or [Full Disk Encryption (FDE)](https://www.kicksecure.com/wiki/Full_Disk_Encryption).

 ## Console lockdown

--- a/changelog.upstream
+++ b/changelog.upstream
@ -1,3 +1,72 @@
+commit 039141188558931b73a9b5897ea3422bbb201dad
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Sun Nov 9 05:47:00 2025 -0500
+
+    revert Force immediate kernel panic on OOM.
+    
+    https://github.com/Kicksecure/security-misc/issues/324#issuecomment-3507949741
+
+commit 26b96ce2800e794104e6d3c113c3c2c121795b39
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Sun Nov 9 08:12:42 2025 +0000
+
+    bumped changelog version
+
+commit 1ef974300a157235da6a6c4d1379b62acf0c4c61
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Sat Nov 8 04:00:47 2025 -0500
+
+    readme
+
+commit 48ce12eba38aec099b4afe42e4d42b1d41dcb97f
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Sat Nov 8 07:44:43 2025 +0000
+
+    bumped changelog version
+
+commit 69419357e1bb2d0842ecd5db3e42bcaa011f5c11
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Sat Nov 8 02:42:25 2025 -0500
+
+    genmkfile debinstfile
+
+commit d50e6afc8fb0a925e07fc54b7ecc1f450d9aa176
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Sat Nov 8 01:34:32 2025 -0500
+
+    sanity test
+
+commit 12679608428e6927da480ca721b34bab75108687
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Sat Nov 8 01:32:45 2025 -0500
+
+    comments
+
+commit 1e48886c7e77fa7bccfdee3cca6f0fbdba74e4a1
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Sat Nov 8 01:31:02 2025 -0500
+
+    long option name
+
+commit d6c949c791bcc2c76b4f2e81eb0ffd370f8f1a37
+Merge: 5b97e7bd fa32ba6c
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Sat Nov 8 01:29:48 2025 -0500
+
+    Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie'
+
+commit fa32ba6c4fccf35111f85ec3819e718963359d7c
+Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
+Date:   Fri Nov 7 17:09:22 2025 -0600
+
+    Suppress usbguard startup unless a USB controller is visible to lspci
+
+commit 5b97e7bd277038b3b04c80a78ce05bb52277d4f6
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Sun Nov 2 11:41:51 2025 +0000
+
+    bumped changelog version
+
 commit 58d5f738e63d4c18048fab4e2fd134d68722d0fd
 Merge: 5121f80f 7beb19b6
 Author: Patrick Schleizer <adrelanos@whonix.org>
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,21 @@
+security-misc (3:49.7-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@whonix.org>  Sun, 09 Nov 2025 10:47:45 +0000
+
+security-misc (3:49.6-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@whonix.org>  Sun, 09 Nov 2025 08:12:41 +0000
+
+security-misc (3:49.5-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@whonix.org>  Sat, 08 Nov 2025 07:44:43 +0000
+
 security-misc (3:49.4-1) unstable; urgency=medium

  * New upstream version (local package).
--- a/debian/security-misc-shared.install
+++ b/debian/security-misc-shared.install
@ -50,6 +50,7 @@ usr/libexec/security-misc/pam-info#security-misc-shared => /usr/libexec/security
 usr/libexec/security-misc/permission-lockdown#security-misc-shared => /usr/libexec/security-misc/permission-lockdown
 usr/libexec/security-misc/pam_only_if_su#security-misc-shared => /usr/libexec/security-misc/pam_only_if_su
 usr/libexec/security-misc/remove-system.map#security-misc-shared => /usr/libexec/security-misc/remove-system.map
+usr/libexec/security-misc/check-for-usb-controller#security-misc-shared => /usr/libexec/security-misc/check-for-usb-controller
 usr/libexec/security-misc/pam_only_if_login#security-misc-shared => /usr/libexec/security-misc/pam_only_if_login
 usr/libexec/security-misc/disable-kernel-module-loading#security-misc-shared => /usr/libexec/security-misc/disable-kernel-module-loading
 usr/libexec/security-misc/hide-hardware-info#security-misc-shared => /usr/libexec/security-misc/hide-hardware-info
--- a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared
+++ b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared
@ -210,8 +210,9 @@ kernel.perf_event_paranoid=3
 ## https://forums.whonix.org/t/screen-locker-in-security-can-we-disable-these-at-least-4-backdoors/8128/14
 ## https://github.com/KSPP/kspp.github.io/issues/9
 ## https://github.com/Kicksecure/security-misc/issues/324
+## Needs more work.
 ##
-vm.panic_on_oom=2
+#vm.panic_on_oom=2

 ## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
 ## Can lead to privilege escalation by pushing characters into a controlling TTY.
--- a/usr/lib/systemd/system/usbguard.service.d/30_security-misc.conf#security-misc-shared
+++ b/usr/lib/systemd/system/usbguard.service.d/30_security-misc.conf#security-misc-shared
@ -3,3 +3,4 @@

 [Unit]
 ConditionPathExists=/sys/bus/usb
+ExecCondition=/usr/libexec/security-misc/check-for-usb-controller
--- a/usr/libexec/security-misc/check-for-usb-controller#security-misc-shared
+++ b/usr/libexec/security-misc/check-for-usb-controller#security-misc-shared
@ -0,0 +1,17 @@
+#!/bin/bash
+
+## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+set -e
+
+export LC_ALL='C'
+
+## Package 'pciutils' provides tool 'lspci'.
+command -v lspci &>/dev/null
+
+if lspci | grep --quiet '^[^ ]* USB controller: '; then
+  exit 0
+fi
+
+exit 1