Merge remote-tracking branch 'github-kicksecure/master'

COPYING

@@ -1,7 +1,7 @@
 Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 
 Files: *
-Copyright: 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+Copyright: 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 License: GPL-3+-with-additional-terms-1
  This program is free software: you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by

bin/disabled-bluetooth-by-security-misc

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.

bin/disabled-cdrom-by-security-misc

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.

bin/disabled-filesys-by-security-misc

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.

bin/disabled-firewire-by-security-misc

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.

bin/disabled-intelme-by-security-misc

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.

bin/disabled-msr-by-security-misc

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.

bin/disabled-netfilesys-by-security-misc

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.

bin/disabled-network-by-security-misc

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.

bin/disabled-thunderbolt-by-security-misc

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.

bin/disabled-vivid-by-security-misc

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.

debian/control

@@ -1,4 +1,4 @@
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 Source: security-misc

debian/copyright

@@ -1,7 +1,7 @@
 Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 
 Files: *
-Copyright: 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+Copyright: 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 License: GPL-3+-with-additional-terms-1
  This program is free software: you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by

debian/make-helper-overrides.bsh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-## Copyright (C) 2021 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2021 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/24

debian/rules

@@ -1,6 +1,6 @@
 #!/usr/bin/make -f
 
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 #export DH_VERBOSE=1

debian/security-misc.displace

@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 /etc/securetty.security-misc

debian/security-misc.install

@@ -1,4 +1,4 @@
-## Copyright (C) 2020 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2020 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## This file was generated using 'genmkfile debinstfile'.

debian/security-misc.maintscript

@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 rm_conffile /etc/sudoers.d/umask-security-misc

debian/security-misc.postinst

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then
@@ -32,6 +32,7 @@ case "$1" in
     triggered)
       echo "INFO: triggered $DPKG_MAINTSCRIPT_PACKAGE: '$DPKG_MAINTSCRIPT_PACKAGE' $DPKG_MAINTSCRIPT_PACKAGE DPKG_MAINTSCRIPT_NAME: '$DPKG_MAINTSCRIPT_NAME' $\@: '$@' 2: '$2'"
       /usr/share/security-misc/lkrg/lkrg-virtualbox || true
+      /usr/libexec/security-misc/mmap-rnd-bits || true
       exit 0
     ;;
 
@@ -57,6 +58,8 @@ you should fix running 'update-grub', otherwise your system might no longer \
 boot." >&2
 fi
 
+/usr/libexec/security-misc/mmap-rnd-bits
+
 true "INFO: debhelper beginning here."
 
 #DEBHELPER#

debian/security-misc.postrm

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then
@@ -18,6 +18,8 @@ true "
 ## https://forums.whonix.org/t/is-security-misc-suitable-for-hardening-bridges-and-relays/8299/11
 pam-auth-update --package --remove "$DPKG_MAINTSCRIPT_PACKAGE"
 
+rm -f /etc/sysctl.d/30_security-misc_aslr-mmap.conf
+
 true "INFO: debhelper beginning here."
 
 #DEBHELPER#

debian/security-misc.preinst

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then

debian/security-misc.prerm

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then

debian/security-misc.triggers

@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 #### meta start
@@ -15,4 +15,7 @@ activate-noawait update-initramfs
 ## LKRG /usr/share/security-misc/lkrg/lkrg-virtualbox
 interest-noawait /usr/bin/vboxmanage
 
+## vm.mmap_rnd_bits
+interest-noawait /boot
+
 #### meta end

debian/security-misc.undisplace

@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 /etc/login.defs.security-misc

debian/watch

@@ -1,4 +1,4 @@
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 version=4

etc/X11/Xsession.d/50panic_on_oops

@@ -1,6 +1,6 @@
 #!/bin/sh
 
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 if [ -x /usr/libexec/security-misc/panic-on-oops ]; then

etc/X11/Xsession.d/50security-misc

@@ -1,6 +1,6 @@
 #!/bin/sh
 
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 if [ -z "$XDG_CONFIG_DIRS" ]; then

etc/apparmor.d/tunables/home.d/security-misc

@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 alias /etc/pam.d/common-session -> /etc/pam.d//etc/pam.d/common-session.security-misc,

etc/apt/apt.conf.d/40error-on-any

@@ -1,4 +1,4 @@
-## Copyright (C) 2021 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2021 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## Make "sudo apt-get update" exit non-zero for transient failures.

etc/apt/apt.conf.d/40sandbox

@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## https://forums.whonix.org/t/apt-seccomp-bpf-sandboxing/7702

etc/default/grub.d/40_cpu_mitigations.cfg

@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## Enables all known mitigations for CPU vulnerabilities.

etc/default/grub.d/40_distrust_bootloader.cfg

@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## Distrusts the bootloader for initial entropy at boot.

etc/default/grub.d/40_distrust_cpu.cfg

@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## Distrusts the CPU for initial entropy at boot as it is not possible to

etc/default/grub.d/40_enable_iommu.cfg

@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## Enables IOMMU to prevent DMA attacks.

etc/default/grub.d/40_kernel_hardening.cfg

@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 kpkg="linux-image-$(dpkg --print-architecture)" || true

etc/default/grub.d/41_quiet.cfg

@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## Prevent kernel info leaks in console during boot.

etc/hide-hardware-info.d/30_default.conf

@@ -1,4 +1,4 @@
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## Disable the /sys whitelist.

etc/initramfs-tools/hooks/sysctl-initramfs

@@ -1,6 +1,6 @@
 #!/bin/sh
 
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 set -e

etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs

@@ -1,6 +1,6 @@
 #!/bin/sh
 
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 PREREQ=""

etc/kernel/postinst.d/30_remove-system-map

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 if test -x /usr/libexec/security-misc/remove-system.map ; then

etc/modprobe.d/30_security-misc.conf

@@ -1,4 +1,4 @@
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## See the following links for a community discussion and overview regarding the selections

etc/permission-hardening.d/25_default_passwd.conf

@@ -1,4 +1,4 @@
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## Please use "/etc/permission-hardening.d/20_user.conf" or

etc/permission-hardening.d/25_default_sudo.conf

@@ -1,4 +1,4 @@
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## Please use "/etc/permission-hardening.d/20_user.conf" or

etc/permission-hardening.d/25_default_whitelist_bubblewrap.conf

@@ -1,4 +1,4 @@
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## Please use "/etc/permission-hardening.d/20_user.conf" or

etc/permission-hardening.d/25_default_whitelist_chromium.conf

@@ -1,4 +1,4 @@
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## Please use "/etc/permission-hardening.d/20_user.conf" or

etc/permission-hardening.d/25_default_whitelist_dbus.conf

@@ -1,4 +1,4 @@
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## Please use "/etc/permission-hardening.d/20_user.conf" or

etc/permission-hardening.d/25_default_whitelist_firejail.conf

@@ -1,4 +1,4 @@
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## Please use "/etc/permission-hardening.d/20_user.conf" or

etc/permission-hardening.d/25_default_whitelist_fuse.conf

@@ -1,4 +1,4 @@
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## Please use "/etc/permission-hardening.d/20_user.conf" or

etc/permission-hardening.d/25_default_whitelist_mount.conf

@@ -1,4 +1,4 @@
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## Please use "/etc/permission-hardening.d/20_user.conf" or

etc/permission-hardening.d/25_default_whitelist_policykit.conf

@@ -1,4 +1,4 @@
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## Please use "/etc/permission-hardening.d/20_user.conf" or

etc/permission-hardening.d/25_default_whitelist_qubes.conf

@@ -1,4 +1,4 @@
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## Please use "/etc/permission-hardening.d/20_user.conf" or

etc/permission-hardening.d/25_default_whitelist_selinux.conf

@@ -1,4 +1,4 @@
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## Please use "/etc/permission-hardening.d/20_user.conf" or

etc/permission-hardening.d/25_default_whitelist_spice.conf

@@ -1,4 +1,4 @@
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## Please use "/etc/permission-hardening.d/20_user.conf" or

etc/permission-hardening.d/25_default_whitelist_sudo.conf

@@ -1,4 +1,4 @@
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## Please use "/etc/permission-hardening.d/20_user.conf" or

etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf

@@ -1,4 +1,4 @@
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## Please use "/etc/permission-hardening.d/20_user.conf" or

etc/permission-hardening.d/25_default_whitelist_virtualbox.conf

@@ -1,4 +1,4 @@
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## Please use "/etc/permission-hardening.d/20_user.conf" or

etc/permission-hardening.d/30_default.conf

@@ -1,4 +1,4 @@
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## Please use "/etc/permission-hardening.d/20_user.conf" or

etc/security/access-security-misc.conf

@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## To enable root login, see:

etc/security/limits.d/30_security-misc.conf

@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## Disable coredumps.

etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 
-<!-- ## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org> -->
+<!-- ## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org> -->
 <!-- ## See the file COPYING for copying conditions. -->
 
 <!-- Configuration for Thunar. -->

etc/sudoers.d/pkexec-security-misc

@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## REVIEW: is it ok that users can find out the PATH setting of root?

etc/sudoers.d/security-misc

@@ -1,4 +1,4 @@
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 user ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops

etc/sudoers.d/xfce-security-misc

@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## https://forums.whonix.org/t/xfce4-power-manager-xfpm-power-backlight-helper-pkexec-lxsudo-popup/8764

etc/sysctl.d/30_security-misc.conf

@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## Disables coredumps. This setting may be overwritten by systemd so this may not be useful.
@@ -36,10 +36,6 @@ net.core.bpf_jit_harden=2
 ## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
 kernel.kptr_restrict=2
 
-## Improves ASLR effectiveness for mmap.
-vm.mmap_rnd_bits=32
-vm.mmap_rnd_compat_bits=16
-
 ## Restricts the use of ptrace to root. This might break some programs running under WINE.
 ## A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running:
 ##
@@ -101,7 +97,7 @@ net.ipv4.conf.all.rp_filter=1
 #### meta end
 
 
-## Disables SACK as it is commonly exploited and likely not needed.
+## Previously disabled SACK, DSACK, and FACK.
 ## https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109
 #net.ipv4.tcp_sack=0
 #net.ipv4.tcp_dsack=0

etc/sysctl.d/30_security-misc_kexec-disable.conf

@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## Quote https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html

etc/sysctl.d/30_silent-kernel-printk.conf

@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## Prevent kernel info leaks in console during boot.

etc/thunderbird/pref/40_security-mic.js

@@ -1,4 +1,4 @@
-//#### Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+//#### Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 //#### See the file COPYING for copying conditions.
 
 //#### meta start

lib/systemd/system-preset/50-security-misc.preset

@@ -1,4 +1,4 @@
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## https://forums.whonix.org/t/restrict-hardware-information-to-root-testers-wanted/8618

lib/systemd/system/haveged.service.d/30_security-misc.conf

@@ -1,4 +1,4 @@
-## Copyright (C) 2021 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2021 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 [Service]

lib/systemd/system/hide-hardware-info.service

@@ -1,4 +1,4 @@
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 [Unit]

lib/systemd/system/permission-hardening.service

@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 [Unit]

lib/systemd/system/proc-hidepid.service

@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 [Unit]

lib/systemd/system/remount-secure.service

@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 [Unit]

lib/systemd/system/remove-system-map.service

@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 [Unit]

usr/bin/pkexec.security-misc

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with

usr/lib/modules-load.d/30_security-misc.conf

@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## https://www.whonix.org/wiki/Dev/Entropy

usr/libexec/security-misc/apt-get-update

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 sigterm_trap() {

usr/libexec/security-misc/apt-get-update-sanity-test

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 set -x

usr/libexec/security-misc/askpass

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 set -e

usr/libexec/security-misc/echo-path

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 set -e

usr/libexec/security-misc/hide-hardware-info

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 set -e

usr/libexec/security-misc/mmap-rnd-bits

@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+shopt -s failglob
+
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## This script enforces the maximum ASLR hardening settings for mmap, given the
+## installed Linux config.
+
+## Defaults in case Linux config detection fails. These are likely to work fine
+## on x86_64, probably not elsewhere.
+BITS_MAX_DEFAULT=32
+COMPAT_BITS_MAX_DEFAULT=16
+
+## Find the most recently modified Linux config file.
+if compgen -G "/boot/config-*" > /dev/null && CONFIG=$(ls -1 -t /boot/config-* | head -n 1)
+then
+    ## Find the relevant config options.
+    if ! BITS_MAX=$(grep -E '^CONFIG_ARCH_MMAP_RND_BITS_MAX=[0-9]+$' "${CONFIG}" | cut -d "=" -f 2)
+    then
+        echo "Error detecting CONFIG_ARCH_MMAP_RND_BITS_MAX"
+        BITS_MAX="${BITS_MAX_DEFAULT}"
+    fi
+    if ! COMPAT_BITS_MAX=$(grep -E '^CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=[0-9]+$' "${CONFIG}" | cut -d "=" -f 2)
+    then
+        echo "Error detecting CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX"
+        COMPAT_BITS_MAX="${COMPAT_BITS_MAX_DEFAULT}"
+    fi
+else
+    echo "Error detecting Linux config"
+    BITS_MAX="${BITS_MAX_DEFAULT}"
+    COMPAT_BITS_MAX="${COMPAT_BITS_MAX_DEFAULT}"
+fi
+
+## Generate a sysctl.d conf file.
+SYSCTL="## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## This file is automatically generated, do not edit!
+
+## Improves ASLR effectiveness for mmap.
+vm.mmap_rnd_bits=${BITS_MAX}
+vm.mmap_rnd_compat_bits=${COMPAT_BITS_MAX}"
+
+## Write the sysctl.d conf file.
+if ! echo "${SYSCTL}" | tee /etc/sysctl.d/30_security-misc_aslr-mmap.conf > /dev/null
+then
+    echo "Error writing ASLR map config"
+fi
+
+exit 0

usr/libexec/security-misc/pam-abort-on-locked-password

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## This is only a usability feature to avoid needlessly bumping pam_faillock

usr/libexec/security-misc/pam-info

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## To enable debug log, run:

usr/libexec/security-misc/pam_faillock_not_if_x

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## https://serverfault.com/questions/134471/success-n-control-syntax-in-pam-conf-pam-d-files

usr/libexec/security-misc/pam_only_if_login

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## https://serverfault.com/questions/134471/success-n-control-syntax-in-pam-conf-pam-d-files

usr/libexec/security-misc/panic-on-oops

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 set -e

usr/libexec/security-misc/permission-hardening

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## https://forums.whonix.org/t/disable-suid-binaries/7706

usr/libexec/security-misc/permission-hardening-undo

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 #set -x

usr/libexec/security-misc/permission-lockdown

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## Doing this for all users would create many issues.

usr/libexec/security-misc/remount-secure

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## noexec in /tmp and/or /home can break some malware but also legitimate

usr/libexec/security-misc/remove-system.map

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then

usr/libexec/security-misc/virusforget

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## VirusForget is inspired by Christopher Laprise.

usr/share/lintian/overrides/security-misc

@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## The whole point of the package.

usr/share/security-misc/dolphinrc

@@ -1,4 +1,4 @@
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions
 
 [PreviewSettings]

usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf

@@ -1,4 +1,4 @@
-## Copyright (C) 2021 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2021 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## LKRG VirtualBox host configuration

usr/share/security-misc/lkrg/lkrg-virtualbox

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-## Copyright (C) 2021 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2021 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 set -x