Merge remote-tracking branch 'github-kicksecure/master'

This commit is contained in:
Patrick Schleizer 2023-05-05 14:37:34 +00:00
commit 15d0ee1008
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
97 changed files with 158 additions and 101 deletions

View File

@ -1,7 +1,7 @@
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Files: *
Copyright: 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
Copyright: 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
License: GPL-3+-with-additional-terms-1
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by

View File

@ -1,6 +1,6 @@
#!/bin/bash
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.

View File

@ -1,6 +1,6 @@
#!/bin/bash
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.

View File

@ -1,6 +1,6 @@
#!/bin/bash
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.

View File

@ -1,6 +1,6 @@
#!/bin/bash
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.

View File

@ -1,6 +1,6 @@
#!/bin/bash
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.

View File

@ -1,6 +1,6 @@
#!/bin/bash
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.

View File

@ -1,6 +1,6 @@
#!/bin/bash
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.

View File

@ -1,6 +1,6 @@
#!/bin/bash
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.

View File

@ -1,6 +1,6 @@
#!/bin/bash
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.

View File

@ -1,6 +1,6 @@
#!/bin/bash
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Alerts the user that a kernel module failed to load due to it being blacklisted by default.

2
debian/control vendored
View File

@ -1,4 +1,4 @@
## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
Source: security-misc

2
debian/copyright vendored
View File

@ -1,7 +1,7 @@
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Files: *
Copyright: 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
Copyright: 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
License: GPL-3+-with-additional-terms-1
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by

View File

@ -1,6 +1,6 @@
#!/bin/bash
## Copyright (C) 2021 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2021 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/24

2
debian/rules vendored
View File

@ -1,6 +1,6 @@
#!/usr/bin/make -f
## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
#export DH_VERBOSE=1

View File

@ -1,4 +1,4 @@
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
/etc/securetty.security-misc

View File

@ -1,4 +1,4 @@
## Copyright (C) 2020 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2020 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## This file was generated using 'genmkfile debinstfile'.

View File

@ -1,4 +1,4 @@
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
rm_conffile /etc/sudoers.d/umask-security-misc

View File

@ -1,6 +1,6 @@
#!/bin/bash
## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then
@ -32,6 +32,7 @@ case "$1" in
triggered)
echo "INFO: triggered $DPKG_MAINTSCRIPT_PACKAGE: '$DPKG_MAINTSCRIPT_PACKAGE' $DPKG_MAINTSCRIPT_PACKAGE DPKG_MAINTSCRIPT_NAME: '$DPKG_MAINTSCRIPT_NAME' $\@: '$@' 2: '$2'"
/usr/share/security-misc/lkrg/lkrg-virtualbox || true
/usr/libexec/security-misc/mmap-rnd-bits || true
exit 0
;;
@ -57,6 +58,8 @@ you should fix running 'update-grub', otherwise your system might no longer \
boot." >&2
fi
/usr/libexec/security-misc/mmap-rnd-bits
true "INFO: debhelper beginning here."
#DEBHELPER#

View File

@ -1,6 +1,6 @@
#!/bin/bash
## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then
@ -18,6 +18,8 @@ true "
## https://forums.whonix.org/t/is-security-misc-suitable-for-hardening-bridges-and-relays/8299/11
pam-auth-update --package --remove "$DPKG_MAINTSCRIPT_PACKAGE"
rm -f /etc/sysctl.d/30_security-misc_aslr-mmap.conf
true "INFO: debhelper beginning here."
#DEBHELPER#

View File

@ -1,6 +1,6 @@
#!/bin/bash
## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then

View File

@ -1,6 +1,6 @@
#!/bin/bash
## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then

View File

@ -1,4 +1,4 @@
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
#### meta start
@ -15,4 +15,7 @@ activate-noawait update-initramfs
## LKRG /usr/share/security-misc/lkrg/lkrg-virtualbox
interest-noawait /usr/bin/vboxmanage
## vm.mmap_rnd_bits
interest-noawait /boot
#### meta end

View File

@ -1,4 +1,4 @@
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
/etc/login.defs.security-misc

2
debian/watch vendored
View File

@ -1,4 +1,4 @@
## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
version=4

View File

@ -1,6 +1,6 @@
#!/bin/sh
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
if [ -x /usr/libexec/security-misc/panic-on-oops ]; then

View File

@ -1,6 +1,6 @@
#!/bin/sh
## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
if [ -z "$XDG_CONFIG_DIRS" ]; then

View File

@ -1,4 +1,4 @@
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
alias /etc/pam.d/common-session -> /etc/pam.d//etc/pam.d/common-session.security-misc,

View File

@ -1,4 +1,4 @@
## Copyright (C) 2021 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2021 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Make "sudo apt-get update" exit non-zero for transient failures.

View File

@ -1,4 +1,4 @@
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## https://forums.whonix.org/t/apt-seccomp-bpf-sandboxing/7702

View File

@ -1,4 +1,4 @@
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Enables all known mitigations for CPU vulnerabilities.

View File

@ -1,4 +1,4 @@
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Distrusts the bootloader for initial entropy at boot.

View File

@ -1,4 +1,4 @@
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Distrusts the CPU for initial entropy at boot as it is not possible to

View File

@ -1,4 +1,4 @@
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Enables IOMMU to prevent DMA attacks.

View File

@ -1,4 +1,4 @@
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
kpkg="linux-image-$(dpkg --print-architecture)" || true

View File

@ -1,4 +1,4 @@
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Prevent kernel info leaks in console during boot.

View File

@ -1,4 +1,4 @@
## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Disable the /sys whitelist.

View File

@ -1,6 +1,6 @@
#!/bin/sh
## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
set -e

View File

@ -1,6 +1,6 @@
#!/bin/sh
## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
PREREQ=""

View File

@ -1,6 +1,6 @@
#!/bin/bash
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
if test -x /usr/libexec/security-misc/remove-system.map ; then

View File

@ -1,4 +1,4 @@
## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## See the following links for a community discussion and overview regarding the selections

View File

@ -1,4 +1,4 @@
## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Please use "/etc/permission-hardening.d/20_user.conf" or

View File

@ -1,4 +1,4 @@
## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Please use "/etc/permission-hardening.d/20_user.conf" or

View File

@ -1,4 +1,4 @@
## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Please use "/etc/permission-hardening.d/20_user.conf" or

View File

@ -1,4 +1,4 @@
## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Please use "/etc/permission-hardening.d/20_user.conf" or

View File

@ -1,4 +1,4 @@
## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Please use "/etc/permission-hardening.d/20_user.conf" or

View File

@ -1,4 +1,4 @@
## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Please use "/etc/permission-hardening.d/20_user.conf" or

View File

@ -1,4 +1,4 @@
## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Please use "/etc/permission-hardening.d/20_user.conf" or

View File

@ -1,4 +1,4 @@
## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Please use "/etc/permission-hardening.d/20_user.conf" or

View File

@ -1,4 +1,4 @@
## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Please use "/etc/permission-hardening.d/20_user.conf" or

View File

@ -1,4 +1,4 @@
## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Please use "/etc/permission-hardening.d/20_user.conf" or

View File

@ -1,4 +1,4 @@
## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Please use "/etc/permission-hardening.d/20_user.conf" or

View File

@ -1,4 +1,4 @@
## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Please use "/etc/permission-hardening.d/20_user.conf" or

View File

@ -1,4 +1,4 @@
## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Please use "/etc/permission-hardening.d/20_user.conf" or

View File

@ -1,4 +1,4 @@
## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Please use "/etc/permission-hardening.d/20_user.conf" or

View File

@ -1,4 +1,4 @@
## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Please use "/etc/permission-hardening.d/20_user.conf" or

View File

@ -1,4 +1,4 @@
## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Please use "/etc/permission-hardening.d/20_user.conf" or

View File

@ -1,4 +1,4 @@
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## To enable root login, see:

View File

@ -1,4 +1,4 @@
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Disable coredumps.

View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<!-- ## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org> -->
<!-- ## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org> -->
<!-- ## See the file COPYING for copying conditions. -->
<!-- Configuration for Thunar. -->

View File

@ -1,4 +1,4 @@
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## REVIEW: is it ok that users can find out the PATH setting of root?

View File

@ -1,4 +1,4 @@
## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
user ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops

View File

@ -1,4 +1,4 @@
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## https://forums.whonix.org/t/xfce4-power-manager-xfpm-power-backlight-helper-pkexec-lxsudo-popup/8764

View File

@ -1,4 +1,4 @@
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Disables coredumps. This setting may be overwritten by systemd so this may not be useful.
@ -36,10 +36,6 @@ net.core.bpf_jit_harden=2
## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
kernel.kptr_restrict=2
## Improves ASLR effectiveness for mmap.
vm.mmap_rnd_bits=32
vm.mmap_rnd_compat_bits=16
## Restricts the use of ptrace to root. This might break some programs running under WINE.
## A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running:
##
@ -101,7 +97,7 @@ net.ipv4.conf.all.rp_filter=1
#### meta end
## Disables SACK as it is commonly exploited and likely not needed.
## Previously disabled SACK, DSACK, and FACK.
## https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109
#net.ipv4.tcp_sack=0
#net.ipv4.tcp_dsack=0

View File

@ -1,4 +1,4 @@
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Quote https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html

View File

@ -1,4 +1,4 @@
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Prevent kernel info leaks in console during boot.

View File

@ -1,4 +1,4 @@
//#### Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
//#### Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
//#### See the file COPYING for copying conditions.
//#### meta start

View File

@ -1,4 +1,4 @@
## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## https://forums.whonix.org/t/restrict-hardware-information-to-root-testers-wanted/8618

View File

@ -1,4 +1,4 @@
## Copyright (C) 2021 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2021 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
[Service]

View File

@ -1,4 +1,4 @@
## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
[Unit]

View File

@ -1,4 +1,4 @@
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
[Unit]

View File

@ -1,4 +1,4 @@
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
[Unit]

View File

@ -1,4 +1,4 @@
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
[Unit]

View File

@ -1,4 +1,4 @@
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
[Unit]

View File

@ -1,6 +1,6 @@
#!/bin/bash
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with

View File

@ -1,4 +1,4 @@
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## https://www.whonix.org/wiki/Dev/Entropy

View File

@ -1,6 +1,6 @@
#!/bin/bash
## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
sigterm_trap() {

View File

@ -1,6 +1,6 @@
#!/bin/bash
## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
set -x

View File

@ -1,6 +1,6 @@
#!/bin/bash
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
set -e

View File

@ -1,6 +1,6 @@
#!/bin/bash
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
set -e

View File

@ -1,6 +1,6 @@
#!/bin/bash
## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
set -e

View File

@ -0,0 +1,53 @@
#!/usr/bin/env bash
set -euo pipefail
shopt -s failglob
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## This script enforces the maximum ASLR hardening settings for mmap, given the
## installed Linux config.
## Defaults in case Linux config detection fails. These are likely to work fine
## on x86_64, probably not elsewhere.
BITS_MAX_DEFAULT=32
COMPAT_BITS_MAX_DEFAULT=16
## Find the most recently modified Linux config file.
if compgen -G "/boot/config-*" > /dev/null && CONFIG=$(ls -1 -t /boot/config-* | head -n 1)
then
## Find the relevant config options.
if ! BITS_MAX=$(grep -E '^CONFIG_ARCH_MMAP_RND_BITS_MAX=[0-9]+$' "${CONFIG}" | cut -d "=" -f 2)
then
echo "Error detecting CONFIG_ARCH_MMAP_RND_BITS_MAX"
BITS_MAX="${BITS_MAX_DEFAULT}"
fi
if ! COMPAT_BITS_MAX=$(grep -E '^CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=[0-9]+$' "${CONFIG}" | cut -d "=" -f 2)
then
echo "Error detecting CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX"
COMPAT_BITS_MAX="${COMPAT_BITS_MAX_DEFAULT}"
fi
else
echo "Error detecting Linux config"
BITS_MAX="${BITS_MAX_DEFAULT}"
COMPAT_BITS_MAX="${COMPAT_BITS_MAX_DEFAULT}"
fi
## Generate a sysctl.d conf file.
SYSCTL="## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## This file is automatically generated, do not edit!
## Improves ASLR effectiveness for mmap.
vm.mmap_rnd_bits=${BITS_MAX}
vm.mmap_rnd_compat_bits=${COMPAT_BITS_MAX}"
## Write the sysctl.d conf file.
if ! echo "${SYSCTL}" | tee /etc/sysctl.d/30_security-misc_aslr-mmap.conf > /dev/null
then
echo "Error writing ASLR map config"
fi
exit 0

View File

@ -1,6 +1,6 @@
#!/bin/bash
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## This is only a usability feature to avoid needlessly bumping pam_faillock

View File

@ -1,6 +1,6 @@
#!/bin/bash
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## To enable debug log, run:

View File

@ -1,6 +1,6 @@
#!/bin/bash
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## https://serverfault.com/questions/134471/success-n-control-syntax-in-pam-conf-pam-d-files

View File

@ -1,6 +1,6 @@
#!/bin/bash
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## https://serverfault.com/questions/134471/success-n-control-syntax-in-pam-conf-pam-d-files

View File

@ -1,6 +1,6 @@
#!/bin/bash
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
set -e

View File

@ -1,6 +1,6 @@
#!/bin/bash
## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## https://forums.whonix.org/t/disable-suid-binaries/7706

View File

@ -1,6 +1,6 @@
#!/bin/bash
## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
#set -x

View File

@ -1,6 +1,6 @@
#!/bin/bash
## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Doing this for all users would create many issues.

View File

@ -1,6 +1,6 @@
#!/bin/bash
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## noexec in /tmp and/or /home can break some malware but also legitimate

View File

@ -1,6 +1,6 @@
#!/bin/bash
## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then

View File

@ -1,6 +1,6 @@
#!/bin/bash
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## VirusForget is inspired by Christopher Laprise.

View File

@ -1,4 +1,4 @@
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## The whole point of the package.

View File

@ -1,4 +1,4 @@
## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions
[PreviewSettings]

View File

@ -1,4 +1,4 @@
## Copyright (C) 2021 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2021 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## LKRG VirtualBox host configuration

View File

@ -1,6 +1,6 @@
#!/bin/bash
## Copyright (C) 2021 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## Copyright (C) 2021 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
set -x