usrmerge

fixes https://github.com/Kicksecure/security-misc/issues/190

usr/lib/systemd/coredump.conf.d/30_security-misc.conf

@@ -0,0 +1,2 @@
+[Coredump]
+Storage=none

usr/lib/systemd/system-preset/50-security-misc.preset

@@ -0,0 +1,19 @@
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## https://forums.whonix.org/t/restrict-hardware-information-to-root-testers-wanted/8618
+disable hide-hardware-info.service
+
+## Disable for now until development finished / tested.
+disable permission-hardener.service
+
+## Disable for now until development finished / tested.
+## https://github.com/Kicksecure/security-misc/pull/152
+disable remount-secure.service
+
+## Disable due to pkexec issues.
+disable proc-hidepid.service
+
+## Disable due to issues. See:
+## https://github.com/Kicksecure/security-misc/issues/159
+disable harden-module-loading.service

usr/lib/systemd/system/harden-module-loading.service

@@ -0,0 +1,21 @@
+[Unit]
+Description=Disable the loading of additional modules after systemd-modules-load.service
+Documentation=https://github.com/Kicksecure/security-misc
+
+DefaultDependencies=no
+Before=sysinit.target
+Requires=local-fs.target
+Requires=systemd-modules-load.service
+After=local-fs.target
+After=systemd-modules-load.service
+
+# This functionality is implemented with this and not directly in the sysctl config is
+# to allow systemd-modules-load.service to load the modules with no problem but
+# to disallow anyone else do the same after the system boots up.
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/security-misc/disable-kernel-module-loading
+
+[Install]
+WantedBy=sysinit.target

usr/lib/systemd/system/haveged.service.d/30_security-misc.conf

@@ -0,0 +1,7 @@
+## Copyright (C) 2021 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+[Service]
+## hardened malloc compatibility
+## Otherwise haveged will exit with a core dump.
+SystemCallFilter=getrandom

usr/lib/systemd/system/hide-hardware-info.service

@@ -0,0 +1,19 @@
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+[Unit]
+Description=Hide hardware information to unprivileged users
+Documentation=https://github.com/Kicksecure/security-misc
+
+DefaultDependencies=no
+Before=sysinit.target
+Requires=local-fs.target
+After=local-fs.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/security-misc/hide-hardware-info
+RemainAfterExit=yes
+
+[Install]
+WantedBy=sysinit.target

usr/lib/systemd/system/permission-hardener.service

@@ -0,0 +1,19 @@
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+[Unit]
+Description=Permission Hardener at Boot Time (opt-in in addition to security-misc package installation time hardening)
+Documentation=https://github.com/Kicksecure/security-misc
+
+DefaultDependencies=no
+Before=sysinit.target
+Requires=local-fs.target
+After=local-fs.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=permission-hardener enable
+
+[Install]
+WantedBy=sysinit.target

usr/lib/systemd/system/proc-hidepid.service

@@ -0,0 +1,19 @@
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+[Unit]
+Description=Mounts /proc with hidepid=2
+Documentation=https://github.com/Kicksecure/security-misc
+
+DefaultDependencies=no
+Before=sysinit.target
+Requires=local-fs.target
+After=local-fs.target
+
+[Service]
+Type=oneshot
+ExecStart=/bin/mount -o remount,nosuid,nodev,noexec,hidepid=2 /proc
+RemainAfterExit=yes
+
+[Install]
+WantedBy=sysinit.target

usr/lib/systemd/system/remount-secure.service

@@ -0,0 +1,30 @@
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+[Unit]
+Description=remount /home /tmp /dev/shm /run with nosuid,nodev (default) and noexec (opt-in)
+Documentation=https://github.com/Kicksecure/security-misc
+
+DefaultDependencies=no
+
+Before=sysinit-post.target
+Before=basic.target
+Before=multi-user.target
+Before=graphical.target
+Before=getty-pre.target
+Before=network-pre.target
+
+After=local-fs.target
+After=sysinit.target
+After=qubes-sysinit.service
+
+Requires=local-fs.target
+Requires=sysinit.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=remount-secure
+
+[Install]
+WantedBy=sysinit-post.target

usr/lib/systemd/system/remove-system-map.service

@@ -0,0 +1,19 @@
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+[Unit]
+Description=Removes the System.map files
+Documentation=https://github.com/Kicksecure/security-misc
+
+DefaultDependencies=no
+Before=sysinit.target
+Requires=local-fs.target
+After=local-fs.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/security-misc/remove-system.map
+RemainAfterExit=yes
+
+[Install]
+WantedBy=sysinit.target

usr/lib/systemd/system/sysinit-post.target

@@ -0,0 +1,9 @@
+[Unit]
+Description=sys-init.target by security-misc
+
+After=sysinit.target
+Before=basic.target
+Requires=sysinit.target
+
+[Install]
+WantedBy=basic.target

usr/lib/systemd/system/user@.service.d/sysfs.conf

@@ -0,0 +1,2 @@
+[Service]
+SupplementaryGroups=sysfs