Merge branch 'master' into sysrq

debian/control

@@ -122,6 +122,8 @@ Description: enhances misc security settings
  .
   * Restricts the SysRq key so it can only be used for shutdowns and the
   Secure Attention Key.
+ .
+  * Restricts loading line disciplines to CAP_SYS_MODULE.
  .
  Improve Entropy Collection
  .

etc/default/grub.d/40_enable_iommu.cfg

@@ -3,3 +3,10 @@
 
 ## Enables IOMMU to prevent DMA attacks.
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on amd_iommu=on"
+
+## Disable the busmaster bit on all PCI bridges during very
+## early boot to avoid holes in IOMMU.
+##
+## https://mjg59.dreamwidth.org/54433.html
+## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma"

etc/sysctl.d/30_security-misc.conf

@@ -119,8 +119,14 @@ net.ipv4.tcp_timestamps=0
 
 #### meta end
 
+
 ## Only allow the SysRq key to be used for shutdowns and the
 ## Secure Attention Key (SAK).
 ##
 ## https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079/
 kernel.sysrq=132
+
+## Restrict loading line disciplines to CAP_SYS_MODULE to prevent
+## unprivileged attackers from loading vulnerable line disciplines
+## with the TIOCSETD ioctl to exploit them.
+dev.tty.ldisc_autoload=0

usr/lib/security-misc/remove-system.map

@@ -26,7 +26,9 @@ fi
 ## Removes the System.map files as they are only used for debugging or malware.
 for filename in ${system_map_location} ; do
    if [ -f "${filename}" ]; then
-      rm --verbose --force "${filename}"
+      ## 'shred' with '--verbose' is too chatty. (7 lines)
+      shred --force --zero -u "${filename}"
+      echo "removed '${filename}'"
    fi
 done