usrmerge

fixes https://github.com/Kicksecure/security-misc/issues/190

usr/bin/disabled-bluetooth-by-security-misc

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
+
+echo "$0: ERROR: This bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+
+exit 1

usr/bin/disabled-cdrom-by-security-misc

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
+
+echo "$0: ERROR: This CD-ROM kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+
+exit 1

usr/bin/disabled-filesys-by-security-misc

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
+
+echo "$0: ERROR: This file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+
+exit 1

usr/bin/disabled-firewire-by-security-misc

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
+
+echo "$0: ERROR: This firewire kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+
+exit 1

usr/bin/disabled-intelme-by-security-misc

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
+
+echo "$0: ERROR: This Intel Management Engine (ME) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+
+exit 1

usr/bin/disabled-msr-by-security-misc

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
+
+echo "$0: ERROR: This CPU MSR kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+
+exit 1

usr/bin/disabled-netfilesys-by-security-misc

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
+
+echo "$0: ERROR: This network file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+
+exit 1

usr/bin/disabled-network-by-security-misc

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
+
+echo "$0: ERROR: This network protocol kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+
+exit 1

usr/bin/disabled-thunderbolt-by-security-misc

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
+
+echo "$0: ERROR: This thunderbolt kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+
+exit 1

usr/bin/disabled-vivid-by-security-misc

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
+
+echo "$0: ERROR: This vivid kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+
+exit 1

usr/bin/permission-hardener

@@ -221,7 +221,7 @@ add_nosuid_statoverride_entry() {
     # shellcheck disable=SC2086
     echo_wrapper_silent_audit dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${existing_owner}" "${existing_group}" "${new_mode}" "${file_name}"
 
-    ## /lib will hit ARG_MAX if using bash 'shopt -s globstar' and '/lib/**'.
+    ## /usr/lib will hit ARG_MAX if using bash 'shopt -s globstar' and '/usr/lib/**'.
     ## Using 'find' with '-perm /u=s,g=s' is faster and avoids ARG_MAX.
     ## https://forums.whonix.org/t/disable-suid-binaries/7706/17
   done < <(find "${fso_to_process}" -perm /u=s,g=s -print0 | xargs -I{} -0 stat -c "%n %a %U %G" {})

usr/lib/systemd/coredump.conf.d/30_security-misc.conf

@@ -0,0 +1,2 @@
+[Coredump]
+Storage=none

usr/lib/systemd/system-preset/50-security-misc.preset

@@ -0,0 +1,19 @@
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## https://forums.whonix.org/t/restrict-hardware-information-to-root-testers-wanted/8618
+disable hide-hardware-info.service
+
+## Disable for now until development finished / tested.
+disable permission-hardener.service
+
+## Disable for now until development finished / tested.
+## https://github.com/Kicksecure/security-misc/pull/152
+disable remount-secure.service
+
+## Disable due to pkexec issues.
+disable proc-hidepid.service
+
+## Disable due to issues. See:
+## https://github.com/Kicksecure/security-misc/issues/159
+disable harden-module-loading.service

usr/lib/systemd/system/harden-module-loading.service

@@ -0,0 +1,21 @@
+[Unit]
+Description=Disable the loading of additional modules after systemd-modules-load.service
+Documentation=https://github.com/Kicksecure/security-misc
+
+DefaultDependencies=no
+Before=sysinit.target
+Requires=local-fs.target
+Requires=systemd-modules-load.service
+After=local-fs.target
+After=systemd-modules-load.service
+
+# This functionality is implemented with this and not directly in the sysctl config is
+# to allow systemd-modules-load.service to load the modules with no problem but
+# to disallow anyone else do the same after the system boots up.
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/security-misc/disable-kernel-module-loading
+
+[Install]
+WantedBy=sysinit.target

usr/lib/systemd/system/haveged.service.d/30_security-misc.conf

@@ -0,0 +1,7 @@
+## Copyright (C) 2021 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+[Service]
+## hardened malloc compatibility
+## Otherwise haveged will exit with a core dump.
+SystemCallFilter=getrandom

usr/lib/systemd/system/hide-hardware-info.service

@@ -0,0 +1,19 @@
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+[Unit]
+Description=Hide hardware information to unprivileged users
+Documentation=https://github.com/Kicksecure/security-misc
+
+DefaultDependencies=no
+Before=sysinit.target
+Requires=local-fs.target
+After=local-fs.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/security-misc/hide-hardware-info
+RemainAfterExit=yes
+
+[Install]
+WantedBy=sysinit.target

usr/lib/systemd/system/permission-hardener.service

@@ -0,0 +1,19 @@
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+[Unit]
+Description=Permission Hardener at Boot Time (opt-in in addition to security-misc package installation time hardening)
+Documentation=https://github.com/Kicksecure/security-misc
+
+DefaultDependencies=no
+Before=sysinit.target
+Requires=local-fs.target
+After=local-fs.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=permission-hardener enable
+
+[Install]
+WantedBy=sysinit.target

usr/lib/systemd/system/proc-hidepid.service

@@ -0,0 +1,19 @@
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+[Unit]
+Description=Mounts /proc with hidepid=2
+Documentation=https://github.com/Kicksecure/security-misc
+
+DefaultDependencies=no
+Before=sysinit.target
+Requires=local-fs.target
+After=local-fs.target
+
+[Service]
+Type=oneshot
+ExecStart=/bin/mount -o remount,nosuid,nodev,noexec,hidepid=2 /proc
+RemainAfterExit=yes
+
+[Install]
+WantedBy=sysinit.target

usr/lib/systemd/system/remount-secure.service

@@ -0,0 +1,30 @@
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+[Unit]
+Description=remount /home /tmp /dev/shm /run with nosuid,nodev (default) and noexec (opt-in)
+Documentation=https://github.com/Kicksecure/security-misc
+
+DefaultDependencies=no
+
+Before=sysinit-post.target
+Before=basic.target
+Before=multi-user.target
+Before=graphical.target
+Before=getty-pre.target
+Before=network-pre.target
+
+After=local-fs.target
+After=sysinit.target
+After=qubes-sysinit.service
+
+Requires=local-fs.target
+Requires=sysinit.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=remount-secure
+
+[Install]
+WantedBy=sysinit-post.target

usr/lib/systemd/system/remove-system-map.service

@@ -0,0 +1,19 @@
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+[Unit]
+Description=Removes the System.map files
+Documentation=https://github.com/Kicksecure/security-misc
+
+DefaultDependencies=no
+Before=sysinit.target
+Requires=local-fs.target
+After=local-fs.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/security-misc/remove-system.map
+RemainAfterExit=yes
+
+[Install]
+WantedBy=sysinit.target

usr/lib/systemd/system/sysinit-post.target

@@ -0,0 +1,9 @@
+[Unit]
+Description=sys-init.target by security-misc
+
+After=sysinit.target
+Before=basic.target
+Requires=sysinit.target
+
+[Install]
+WantedBy=basic.target

usr/lib/systemd/system/user@.service.d/sysfs.conf

@@ -0,0 +1,2 @@
+[Service]
+SupplementaryGroups=sysfs

usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf

@@ -15,7 +15,7 @@
 ## /etc/sysctl.d/30-lkrg-virtualbox.conf
 ## by package security-misc, files:
 ## /usr/share/security-misc/lkrg/lkrg-virtualbox
-## /lib/systemd/system/lkrg.service.d/40-virtualbox.conf
+## /usr/lib/systemd/system/lkrg.service.d/40-virtualbox.conf
 
 ## https://forums.whonix.org/t/linux-kernel-runtime-guard-lkrg-linux-kernel-runtime-integrity-checking-and-exploit-detection/8477/32
 ## https://www.openwall.com/lists/lkrg-users/2020/01/24/2
@@ -24,7 +24,7 @@
 ## https://github.com/openwall/lkrg/blob/main/scripts/bootup/lkrg.conf
 ## https://github.com/openwall/lkrg/blob/main/scripts/bootup/systemd/lkrg.service
 ## /etc/sysctl.d/30-lkrg-dkms.conf
-## /lib/systemd/system/lkrg.service
+## /usr/lib/systemd/system/lkrg.service
 
 ## https://github.com/openwall/lkrg/issues/82#issuecomment-886188999
 lkrg.pcfi_validate = 1