usrmerge

fixes https://github.com/Kicksecure/security-misc/issues/190

debian/security-misc.install

@@ -5,6 +5,5 @@
 
 bin/*
 etc/*
-lib/*
 usr/*
 var/*

etc/initramfs-tools/hooks/sysctl-initramfs

@@ -18,4 +18,4 @@ prereqs)
 esac
 
 . /usr/share/initramfs-tools/hook-functions
-copy_exec /sbin/sysctl /sbin
+copy_exec /usr/sbin/sysctl /usr/sbin

etc/modprobe.d/30_security-misc.conf

@@ -14,78 +14,78 @@ options nf_conntrack nf_conntrack_helper=0
 #
 ## Now replaced by a privacy and security preserving default bluetooth configuration for better usability
 #
-# install bluetooth /bin/disabled-bluetooth-by-security-misc
-# install btusb /bin/disabled-bluetooth-by-security-misc
+# install bluetooth /usr/bin/disabled-bluetooth-by-security-misc
+# install btusb /usr/bin/disabled-bluetooth-by-security-misc
 
 ## Disable thunderbolt and firewire modules to prevent some DMA attacks
-install thunderbolt /bin/disabled-thunderbolt-by-security-misc
-install firewire-core /bin/disabled-firewire-by-security-misc
-install firewire_core /bin/disabled-firewire-by-security-misc
-install firewire-ohci /bin/disabled-firewire-by-security-misc
-install firewire_ohci /bin/disabled-firewire-by-security-misc
-install firewire_sbp2 /bin/disabled-firewire-by-security-misc
-install firewire-sbp2 /bin/disabled-firewire-by-security-misc
-install ohci1394 /bin/disabled-firewire-by-security-misc
-install sbp2 /bin/disabled-firewire-by-security-misc
-install dv1394 /bin/disabled-firewire-by-security-misc
-install raw1394 /bin/disabled-firewire-by-security-misc
-install video1394 /bin/disabled-firewire-by-security-misc
+install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
+install firewire-core /usr/bin/disabled-firewire-by-security-misc
+install firewire_core /usr/bin/disabled-firewire-by-security-misc
+install firewire-ohci /usr/bin/disabled-firewire-by-security-misc
+install firewire_ohci /usr/bin/disabled-firewire-by-security-misc
+install firewire_sbp2 /usr/bin/disabled-firewire-by-security-misc
+install firewire-sbp2 /usr/bin/disabled-firewire-by-security-misc
+install ohci1394 /usr/bin/disabled-firewire-by-security-misc
+install sbp2 /usr/bin/disabled-firewire-by-security-misc
+install dv1394 /usr/bin/disabled-firewire-by-security-misc
+install raw1394 /usr/bin/disabled-firewire-by-security-misc
+install video1394 /usr/bin/disabled-firewire-by-security-misc
 
 ## Disable CPU MSRs as they can be abused to write to arbitrary memory.
 ## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode
-install msr /bin/disabled-msr-by-security-misc
+install msr /usr/bin/disabled-msr-by-security-misc
 
 ## Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties.
 ## Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these.
 ## > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users.
 ## > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record.
-install dccp /bin/disabled-network-by-security-misc
-install sctp /bin/disabled-network-by-security-misc
-install rds /bin/disabled-network-by-security-misc
-install tipc /bin/disabled-network-by-security-misc
-install n-hdlc /bin/disabled-network-by-security-misc
-install ax25 /bin/disabled-network-by-security-misc
-install netrom /bin/disabled-network-by-security-misc
-install x25 /bin/disabled-network-by-security-misc
-install rose /bin/disabled-network-by-security-misc
-install decnet /bin/disabled-network-by-security-misc
-install econet /bin/disabled-network-by-security-misc
-install af_802154 /bin/disabled-network-by-security-misc
-install ipx /bin/disabled-network-by-security-misc
-install appletalk /bin/disabled-network-by-security-misc
-install psnap /bin/disabled-network-by-security-misc
-install p8023 /bin/disabled-network-by-security-misc
-install p8022 /bin/disabled-network-by-security-misc
-install can /bin/disabled-network-by-security-misc
-install atm /bin/disabled-network-by-security-misc
+install dccp /usr/bin/disabled-network-by-security-misc
+install sctp /usr/bin/disabled-network-by-security-misc
+install rds /usr/bin/disabled-network-by-security-misc
+install tipc /usr/bin/disabled-network-by-security-misc
+install n-hdlc /usr/bin/disabled-network-by-security-misc
+install ax25 /usr/bin/disabled-network-by-security-misc
+install netrom /usr/bin/disabled-network-by-security-misc
+install x25 /usr/bin/disabled-network-by-security-misc
+install rose /usr/bin/disabled-network-by-security-misc
+install decnet /usr/bin/disabled-network-by-security-misc
+install econet /usr/bin/disabled-network-by-security-misc
+install af_802154 /usr/bin/disabled-network-by-security-misc
+install ipx /usr/bin/disabled-network-by-security-misc
+install appletalk /usr/bin/disabled-network-by-security-misc
+install psnap /usr/bin/disabled-network-by-security-misc
+install p8023 /usr/bin/disabled-network-by-security-misc
+install p8022 /usr/bin/disabled-network-by-security-misc
+install can /usr/bin/disabled-network-by-security-misc
+install atm /usr/bin/disabled-network-by-security-misc
 
 ## Disable uncommon file systems to reduce attack surface
 ## HFS and HFS+ are legacy Apple filesystems that may be required depending on the EFI parition format
-install cramfs /bin/disabled-filesys-by-security-misc
-install freevxfs /bin/disabled-filesys-by-security-misc
-install jffs2 /bin/disabled-filesys-by-security-misc
-install hfs /bin/disabled-filesys-by-security-misc
-install hfsplus /bin/disabled-filesys-by-security-misc
-install udf /bin/disabled-filesys-by-security-misc
+install cramfs /usr/bin/disabled-filesys-by-security-misc
+install freevxfs /usr/bin/disabled-filesys-by-security-misc
+install jffs2 /usr/bin/disabled-filesys-by-security-misc
+install hfs /usr/bin/disabled-filesys-by-security-misc
+install hfsplus /usr/bin/disabled-filesys-by-security-misc
+install udf /usr/bin/disabled-filesys-by-security-misc
 
 ## Disable uncommon network file systems to reduce attack surface
-install cifs /bin/disabled-netfilesys-by-security-misc
-install nfs /bin/disabled-netfilesys-by-security-misc
-install nfsv3 /bin/disabled-netfilesys-by-security-misc
-install nfsv4 /bin/disabled-netfilesys-by-security-misc
-install ksmbd /bin/disabled-netfilesys-by-security-misc
-install gfs2 /bin/disabled-netfilesys-by-security-misc
+install cifs /usr/bin/disabled-netfilesys-by-security-misc
+install nfs /usr/bin/disabled-netfilesys-by-security-misc
+install nfsv3 /usr/bin/disabled-netfilesys-by-security-misc
+install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc
+install ksmbd /usr/bin/disabled-netfilesys-by-security-misc
+install gfs2 /usr/bin/disabled-netfilesys-by-security-misc
 
 ## Disables the vivid kernel module as it's only required for testing and has been the cause of multiple vulnerabilities
 ## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233
 ## https://www.openwall.com/lists/oss-security/2019/11/02/1
 ## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
-install vivid /bin/disabled-vivid-by-security-misc
+install vivid /usr/bin/disabled-vivid-by-security-misc
 
 ## Disable Intel Management Engine (ME) interface with the OS
 ## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html
-install mei /bin/disabled-intelme-by-security-misc
-install mei-me /bin/disabled-intelme-by-security-misc
+install mei /usr/bin/disabled-intelme-by-security-misc
+install mei-me /usr/bin/disabled-intelme-by-security-misc
 
 ## Blacklist automatic loading of the Atheros 5K RF MACs madwifi driver
 ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco
@@ -143,7 +143,7 @@ blacklist udlfb
 ## Disable CD-ROM devices
 ## https://nvd.nist.gov/vuln/detail/CVE-2018-11506
 ## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31
-#install cdrom /bin/disabled-cdrom-by-security-misc
-#install sr_mod /bin/disabled-cdrom-by-security-misc
+#install cdrom /usr/bin/disabled-cdrom-by-security-misc
+#install sr_mod /usr/bin/disabled-cdrom-by-security-misc
 blacklist cdrom
 blacklist sr_mod

etc/permission-hardener.d/30_default.conf

@@ -36,14 +36,14 @@
 
 ## In case you need to use 'su'. See also:
 ## https://www.kicksecure.com/wiki/root#su
-#/bin/su exactwhitelist
+#/usr/bin/su exactwhitelist
 #/usr/bin/su exactwhitelist
 
 ## https://manpages.debian.org/xserver-xorg-legacy/Xorg.wrap.1.en.html
 ## https://lwn.net/Articles/590315/
 ## https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706/35
 #/usr/lib/xorg/Xorg.wrap whitelist
-#/lib/xorg/Xorg.wrap whitelist
+#/usr/lib/xorg/Xorg.wrap whitelist
 
 ######################################################################
 # SUID whitelist matches in any section of the path: matchwhitelist
@@ -51,7 +51,7 @@
 
 ## Examples below are already configured:
 #ssh-agent matchwhitelist
-#/lib/openssh matchwhitelist
+#/usr/lib/openssh matchwhitelist
 
 ######################################################################
 # Permission Hardening
@@ -62,7 +62,7 @@
 /boot/ 0700 root root
 /etc/permission-hardener.d 0600 root root
 /usr/local/etc/permission-hardener.d 0600 root root
-/lib/modules/ 0700 root root
+/usr/lib/modules/ 0700 root root
 /usr/src 0700 root root
 /etc/cups/cupsd.conf 0400 root root
 /etc/syslog.conf 0600 root root
@@ -93,25 +93,25 @@
 ##
 ## Remove all SUID/SGID binaries/libraries.
 
-/bin/ nosuid
+/usr/bin/ nosuid
 /usr/local/bin/ nosuid
 
 /usr/bin/ nosuid
 /usr/local/usr/bin/ nosuid
 
-/sbin/ nosuid
+/usr/sbin/ nosuid
 /usr/local/sbin/ nosuid
 
 /usr/sbin/ nosuid
 /usr/local/usr/sbin/ nosuid
 
-/lib/ nosuid
+/usr/lib/ nosuid
 /usr/local/lib/ nosuid
 
-/lib32/ nosuid
+/usr/lib32/ nosuid
 /usr/local/lib32/ nosuid
 
-/lib64/ nosuid
+/usr/lib64/ nosuid
 /usr/local/lib64/ nosuid
 
 /usr/lib/ nosuid
@@ -134,7 +134,7 @@
 ## Ping doesn't work with Tor anyway so its capabilities are removed to
 ## reduce attack surface.
 ## anon-apps-config does this.
-#/bin/ping 0744 root root none
+#/usr/bin/ping 0744 root root none
 
 ## TODO: research
 #/usr/lib/x86_64-linux-gnu/gstreamer1.0/grstreamer-1.0/gst-ptp-helper 0744 root root none

usr/bin/permission-hardener

@@ -221,7 +221,7 @@ add_nosuid_statoverride_entry() {
     # shellcheck disable=SC2086
     echo_wrapper_silent_audit dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${existing_owner}" "${existing_group}" "${new_mode}" "${file_name}"
 
-    ## /lib will hit ARG_MAX if using bash 'shopt -s globstar' and '/lib/**'.
+    ## /usr/lib will hit ARG_MAX if using bash 'shopt -s globstar' and '/usr/lib/**'.
     ## Using 'find' with '-perm /u=s,g=s' is faster and avoids ARG_MAX.
     ## https://forums.whonix.org/t/disable-suid-binaries/7706/17
   done < <(find "${fso_to_process}" -perm /u=s,g=s -print0 | xargs -I{} -0 stat -c "%n %a %U %G" {})

usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf

@@ -15,7 +15,7 @@
 ## /etc/sysctl.d/30-lkrg-virtualbox.conf
 ## by package security-misc, files:
 ## /usr/share/security-misc/lkrg/lkrg-virtualbox
-## /lib/systemd/system/lkrg.service.d/40-virtualbox.conf
+## /usr/lib/systemd/system/lkrg.service.d/40-virtualbox.conf
 
 ## https://forums.whonix.org/t/linux-kernel-runtime-guard-lkrg-linux-kernel-runtime-integrity-checking-and-exploit-detection/8477/32
 ## https://www.openwall.com/lists/lkrg-users/2020/01/24/2
@@ -24,7 +24,7 @@
 ## https://github.com/openwall/lkrg/blob/main/scripts/bootup/lkrg.conf
 ## https://github.com/openwall/lkrg/blob/main/scripts/bootup/systemd/lkrg.service
 ## /etc/sysctl.d/30-lkrg-dkms.conf
-## /lib/systemd/system/lkrg.service
+## /usr/lib/systemd/system/lkrg.service
 
 ## https://github.com/openwall/lkrg/issues/82#issuecomment-886188999
 lkrg.pcfi_validate = 1