security-misc split string changes

README.md

@@ -449,9 +449,9 @@ See:
 ### Bluetooth Status: Enabled but Defaulted to Off
 
 - **Default Behavior**: Although Bluetooth capability is 'enabled' in the kernel,
-  security-misc deviates from the usual behavior by starting with Bluetooth
-  turned off at system start. This setting remains until the user explicitly opts
-  to activate Bluetooth.
+  security-misc-desktop deviates from the usual behavior by starting with
+  Bluetooth turned off at system start. This setting remains until the user
+  explicitly opts to activate Bluetooth.
 
 - **User Control**: Users have the freedom to easily switch Bluetooth on and off
   in the usual way, exercising their own discretion. This can be done via the
@@ -745,7 +745,7 @@ Before sending pull requests to harden arbitrary applications, please note the
 scope of security-misc is limited to default installed applications in
 Kicksecure and Whonix. This includes:
 
-- Thunderbird, VLC Media Player, KeePassXC
+- VLC Media Player, KeePassXC
 - Debian Specific System Components (APT, DPKG)
 - System Services (NetworkManager IPv6 privacy options, MAC address
   randomization)

debian/security-misc-shared.preinst

@@ -52,10 +52,10 @@ user_groups_modifications() {
 }
 
 output_skip_checks() {
-   echo "security-misc '$0' INFO: Allow installation of security-misc anyway." >&2
-   echo "security-misc '$0' INFO: (technical reason: $@)" >&2
-   echo "security-misc '$0' INFO: If this is a chroot this is probably OK." >&2
-   echo "security-misc '$0' INFO: Otherwise you might not be able to login." >&2
+   echo "security-misc-shared '$0' INFO: Allow installation of security-misc-shared anyway." >&2
+   echo "security-misc-shared '$0' INFO: (technical reason: $@)" >&2
+   echo "security-misc-shared '$0' INFO: If this is a chroot this is probably OK." >&2
+   echo "security-misc-shared '$0' INFO: Otherwise you might not be able to login." >&2
 }
 
 sudo_users_check () {

etc/security/limits.d/30_security-misc.conf#security-misc-shared

@@ -1,7 +1,7 @@
 ## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
-## Disable coredumps.
+## Disable core dumps.
 ## `-` in the second field sets both hard and soft limits at the same time.
 ## See `man 5 limits.conf`.
 * - core 0

usr/bin/disabled-bluetooth-by-security-misc#security-misc-shared

@@ -5,6 +5,6 @@
 
 ## Alerts user that a kernel module failed to load due to it being explicitly disabled by default.
 
-echo "$0: ALERT: This Bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
+echo "$0: ALERT: This Bluetooth kernel module is disabled by package security-misc-shared by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
 
 exit 1

usr/bin/disabled-cdrom-by-security-misc#security-misc-shared

@@ -5,6 +5,6 @@
 
 ## Alerts user that a kernel module failed to load due to it being explicitly disabled by default.
 
-echo "$0: ALERT: This CD-ROM/DVD kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
+echo "$0: ALERT: This CD-ROM/DVD kernel module is disabled by package security-misc-shared by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
 
 exit 1

usr/bin/disabled-filesys-by-security-misc#security-misc-shared

@@ -5,6 +5,6 @@
 
 ## Alerts user that a kernel module failed to load due to it being explicitly disabled by default.
 
-echo "$0: ALERT: This file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
+echo "$0: ALERT: This file system kernel module is disabled by package security-misc-shared by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
 
 exit 1

usr/bin/disabled-firewire-by-security-misc#security-misc-shared

@@ -5,6 +5,6 @@
 
 ## Alerts user that a kernel module failed to load due to it being explicitly disabled by default.
 
-echo "$0: ALERT: This FireWire (IEEE 1394) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
+echo "$0: ALERT: This FireWire (IEEE 1394) kernel module is disabled by package security-misc-shared by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
 
 exit 1

usr/bin/disabled-framebuffer-by-security-misc#security-misc-shared

@@ -5,6 +5,6 @@
 
 ## Alerts user that a kernel module failed to load due to it being explicitly disabled by default.
 
-echo "$0: ALERT: This framebuffer (fbdev) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
+echo "$0: ALERT: This framebuffer (fbdev) kernel module is disabled by package security-misc-shared by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
 
 exit 1

usr/bin/disabled-gps-by-security-misc#security-misc-shared

@@ -5,6 +5,6 @@
 
 ## Alerts user that a kernel module failed to load due to it being explicitly disabled by default.
 
-echo "$0: ALERT: This Global Positioning System (GPS) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
+echo "$0: ALERT: This Global Positioning System (GPS) kernel module is disabled by package security-misc-shared by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
 
 exit 1

usr/bin/disabled-intelme-by-security-misc#security-misc-shared

@@ -5,6 +5,6 @@
 
 ## Alerts user that a kernel module failed to load due to it being explicitly disabled by default.
 
-echo "$0: ALERT: This Intel Management Engine (ME) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
+echo "$0: ALERT: This Intel Management Engine (ME) kernel module is disabled by package security-misc-shared by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
 
 exit 1

usr/bin/disabled-intelpmt-by-security-misc#security-misc-shared

@@ -5,6 +5,6 @@
 
 ## Alerts user that a kernel module failed to load due to it being explicitly disabled by default.
 
-echo "$0: ALERT: This Intel Platform Monitoring Technology (PMT) Telemetry kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
+echo "$0: ALERT: This Intel Platform Monitoring Technology (PMT) Telemetry kernel module is disabled by package security-misc-shared by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
 
 exit 1

usr/bin/disabled-miscellaneous-by-security-misc#security-misc-shared

@@ -5,6 +5,6 @@
 
 ## Alerts user that a kernel module failed to load due to it being explicitly disabled by default.
 
-echo "$0: ALERT: This kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
+echo "$0: ALERT: This kernel module is disabled by package security-misc-shared by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
 
 exit 1

usr/bin/disabled-netfilesys-by-security-misc#security-misc-shared

@@ -5,6 +5,6 @@
 
 ## Alerts user that a kernel module failed to load due to it being explicitly disabled by default.
 
-echo "$0: ALERT: This network file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
+echo "$0: ALERT: This network file system kernel module is disabled by package security-misc-shared by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
 
 exit 1

usr/bin/disabled-network-by-security-misc#security-misc-shared

@@ -5,6 +5,6 @@
 
 ## Alerts user that a kernel module failed to load due to it being explicitly disabled by default.
 
-echo "$0: ALERT: This network protocol kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
+echo "$0: ALERT: This network protocol kernel module is disabled by package security-misc-shared by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
 
 exit 1

usr/bin/disabled-thunderbolt-by-security-misc#security-misc-shared

@@ -5,6 +5,6 @@
 
 ## Alerts user that a kernel module failed to load due to it being explicitly disabled by default.
 
-echo "$0: ALERT: This Thunderbolt kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
+echo "$0: ALERT: This Thunderbolt kernel module is disabled by package security-misc-shared by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
 
 exit 1

usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf#security-misc-shared

@@ -3,6 +3,7 @@
 
 ## Please use "/etc/permission-hardener.d/20_user.conf" or
 ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
-## configuration. When security-misc is updated, this file may be overwritten.
+## configuration. When security-misc-shared is updated, this file may be
+## overwritten.
 
 /usr/bin/bwrap exactwhitelist

usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf#security-misc-shared

@@ -3,7 +3,8 @@
 
 ## Please use "/etc/permission-hardener.d/20_user.conf" or
 ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
-## configuration. When security-misc is updated, this file may be overwritten.
+## configuration. When security-misc-shared is updated, this file may be
+## overwritten.
 
 ## Chrome/Chromium now uses namespace-based sandboxing rather than a SUID
 ## sandbox for most use cases, and while the SUID sandbox is still technically

usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf#security-misc-shared

@@ -3,7 +3,8 @@
 
 ## Please use "/etc/permission-hardener.d/20_user.conf" or
 ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
-## configuration. When security-misc is updated, this file may be overwritten.
+## configuration. When security-misc-shared is updated, this file may be
+## overwritten.
 
 ## Needed for D-Bus system activation to work.
 ## https://dbus.freedesktop.org/doc/system-activation.txt

usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf#security-misc-shared

@@ -3,7 +3,8 @@
 
 ## Please use "/etc/permission-hardener.d/20_user.conf" or
 ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
-## configuration. When security-misc is updated, this file may be overwritten.
+## configuration. When security-misc-shared is updated, this file may be
+## overwritten.
 
 ## There is a controversy about firejail but those who choose to install it
 ## should be able to use it.

usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf#security-misc-shared

@@ -3,7 +3,8 @@
 
 ## Please use "/etc/permission-hardener.d/20_user.conf" or
 ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
-## configuration. When security-misc is updated, this file may be overwritten.
+## configuration. When security-misc-shared is updated, this file may be
+## overwritten.
 
 ## Critical component of FUSE (Filesystem in USErspace)
 ##

usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf#security-misc-shared

@@ -3,7 +3,8 @@
 
 ## Please use "/etc/permission-hardener.d/20_user.conf" or
 ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
-## configuration. When security-misc is updated, this file may be overwritten.
+## configuration. When security-misc-shared is updated, this file may be
+## overwritten.
 
 libhardened_malloc.so matchwhitelist
 libhardened_malloc-light.so matchwhitelist

usr/lib/permission-hardener.d/25_default_whitelist_mount.conf#security-misc-shared

@@ -3,7 +3,8 @@
 
 ## Please use "/etc/permission-hardener.d/20_user.conf" or
 ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
-## configuration. When security-misc is updated, this file may be overwritten.
+## configuration. When security-misc-shared is updated, this file may be
+## overwritten.
 
 ## https://forums.whonix.org/t/disable-suid-binaries/7706/61
 ## Protect from 'chmod -x' (and SUID removal).

usr/lib/permission-hardener.d/25_default_whitelist_pam.conf#security-misc-shared

@@ -3,7 +3,8 @@
 
 ## Please use "/etc/permission-hardener.d/20_user.conf" or
 ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
-## configuration. When security-misc is updated, this file may be overwritten.
+## configuration. When security-misc-shared is updated, this file may be
+## overwritten.
 
 ## Used by the pam_tmpdir module to create a secure temporary directory for the
 ## user that is logging in.

usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf#security-misc-shared

@@ -3,7 +3,8 @@
 
 ## Please use "/etc/permission-hardener.d/20_user.conf" or
 ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
-## configuration. When security-misc is updated, this file may be overwritten.
+## configuration. When security-misc-shared is updated, this file may be
+## overwritten.
 
 # Keep the `passwd` utility executable to prevent issues with the
 # /usr/libexec/security-misc/pam-abort-on-locked-password script blocking

usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf#security-misc-shared

@@ -3,7 +3,8 @@
 
 ## Please use "/etc/permission-hardener.d/20_user.conf" or
 ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
-## configuration. When security-misc is updated, this file may be overwritten.
+## configuration. When security-misc-shared is updated, this file may be
+## overwritten.
 
 ## user-sysmaint-split hardens this further.
 /usr/bin/pkexec exactwhitelist

usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf#security-misc-shared

@@ -3,7 +3,8 @@
 
 ## Please use "/etc/permission-hardener.d/20_user.conf" or
 ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
-## configuration. When security-misc is updated, this file may be overwritten.
+## configuration. When security-misc-shared is updated, this file may be
+## overwritten.
 
 ## TODO: research and document
 postqueue matchwhitelist

usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf#security-misc-shared

@@ -3,7 +3,8 @@
 
 ## Please use "/etc/permission-hardener.d/20_user.conf" or
 ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
-## configuration. When security-misc is updated, this file may be overwritten.
+## configuration. When security-misc-shared is updated, this file may be
+## overwritten.
 
 ## TODO: research
 ## https://github.com/QubesOS/qubes-core-agent-linux/blob/master/qubes-rpc/qfile-unpacker.c

usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf#security-misc-shared

@@ -3,7 +3,8 @@
 
 ## Please use "/etc/permission-hardener.d/20_user.conf" or
 ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
-## configuration. When security-misc is updated, this file may be overwritten.
+## configuration. When security-misc-shared is updated, this file may be
+## overwritten.
 
 ## TODO: research and document
 /utempter/utempter matchwhitelist

usr/lib/permission-hardener.d/25_default_whitelist_spice.conf#security-misc-shared

@@ -3,7 +3,8 @@
 
 ## Please use "/etc/permission-hardener.d/20_user.conf" or
 ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
-## configuration. When security-misc is updated, this file may be overwritten.
+## configuration. When security-misc-shared is updated, this file may be
+## overwritten.
 
 ## TODO: research and document
 spice-client-glib-usb-acl-helper matchwhitelist

usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf#security-misc-shared

@@ -3,7 +3,8 @@
 
 ## Please use "/etc/permission-hardener.d/20_user.conf" or
 ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
-## configuration. When security-misc is updated, this file may be overwritten.
+## configuration. When security-misc-shared is updated, this file may be
+## overwritten.
 
 ## Used for SSH client key management
 ## https://manpages.debian.org/ssh-agent

usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf#security-misc-shared

@@ -3,7 +3,8 @@
 
 ## Please use "/etc/permission-hardener.d/20_user.conf" or
 ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
-## configuration. When security-misc is updated, this file may be overwritten.
+## configuration. When security-misc-shared is updated, this file may be
+## overwritten.
 
 ## user-sysmaint-split hardens this further.
 /usr/bin/sudo exactwhitelist

usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf#security-misc-shared

@@ -3,7 +3,8 @@
 
 ## Please use "/etc/permission-hardener.d/20_user.conf" or
 ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
-## configuration. When security-misc is updated, this file may be overwritten.
+## configuration. When security-misc-shared is updated, this file may be
+## overwritten.
 
 ## required for performing password validation from unprivileged user
 ## processes such as KScreenLocker's unlock prompt

usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf#security-misc-shared

@@ -3,7 +3,8 @@
 
 ## Please use "/etc/permission-hardener.d/20_user.conf" or
 ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
-## configuration. When security-misc is updated, this file may be overwritten.
+## configuration. When security-misc-shared is updated, this file may be
+## overwritten.
 
 ## TODO: research
 /usr/lib/virtualbox/ matchwhitelist

usr/lib/permission-hardener.d/30_default.conf#security-misc-shared

@@ -3,7 +3,8 @@
 
 ## Please use "/etc/permission-hardener.d/20_user.conf" or
 ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
-## configuration. When security-misc is updated, this file may be overwritten.
+## configuration. When security-misc-shared is updated, this file may be
+## overwritten.
 
 ## File permission hardening.
 ##

usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared

@@ -351,7 +351,7 @@ vm.max_map_count=1048576
 
 ## Disable core dump files by preventing any pattern names.
 ## This setting may be overwritten by systemd and is not comprehensive.
-## Core dumps are also disabled in security-misc via other means.
+## Core dumps are also disabled in security-misc-shared via other means.
 ##
 ## https://wiki.archlinux.org/title/Core_dump#Disabling_automatic_core_dumps
 ##

usr/lib/systemd/system/permission-hardener.service#security-misc-shared

@@ -2,7 +2,7 @@
 ## See the file COPYING for copying conditions.
 
 [Unit]
-Description=Permission Hardener at Boot Time (opt-in in addition to security-misc package installation time hardening)
+Description=Permission Hardener at Boot Time (opt-in in addition to security-misc-shared package installation time hardening)
 Documentation=https://github.com/Kicksecure/security-misc
 
 DefaultDependencies=no

usr/lib/systemd/system/sysinit-post.target#security-misc-shared

@@ -2,7 +2,7 @@
 ## See the file COPYING for copying conditions.
 
 [Unit]
-Description=sys-init.target by security-misc
+Description=sys-init.target by security-misc-shared
 
 After=sysinit.target
 Before=basic.target

usr/libexec/security-misc/disable-kernel-module-loading#security-misc-shared

@@ -8,4 +8,4 @@ set -e
 
 sysctl -w kernel.modules_disabled=1
 
-true "The loading of new modules to the kernel has been disabled by security-misc."
+true "The loading of new modules to the kernel has been disabled by package security-misc-shared."

usr/share/pam-configs/console-lockdown-security-misc#security-misc-shared

@@ -1,4 +1,4 @@
-Name: allow only members of group console to use login (by package security-misc)
+Name: allow only members of group console to use login (by package security-misc-shared)
 Default: no
 Priority: 280
 Account-Type: Primary

usr/share/pam-configs/faillock-preauth-security-misc#security-misc-shared

@@ -1,4 +1,4 @@
-Name: lock accounts after 50 failed authentication attempts (preauth component) (by package security-misc)
+Name: lock accounts after 50 failed authentication attempts (preauth component) (by package security-misc-shared)
 Default: yes
 Priority: 1024
 Auth-Type: Primary

usr/share/pam-configs/mkhomedir-security-misc#security-misc-shared

@@ -1,4 +1,4 @@
-Name: Create home directory on login (by package security-misc)
+Name: Create home directory on login (by package security-misc-shared)
 Default: yes
 Priority: 100
 Session-Type: Additional

usr/share/pam-configs/pam-abort-on-locked-password-security-misc#security-misc-shared

@@ -1,4 +1,4 @@
-Name: abort on locked password (by package security-misc)
+Name: abort on locked password (by package security-misc-shared)
 Default: yes
 Priority: 300
 Auth-Type: Primary

usr/share/pam-configs/umask-security-misc#security-misc-shared

@@ -1,4 +1,4 @@
-Name: Restrict umask to 027 for non-root users (by package security-misc)
+Name: Restrict umask to 027 for non-root users (by package security-misc-shared)
 Default: yes
 Priority: 100
 Session-Type: Additional

usr/share/pam-configs/unix-faillock-security-misc#security-misc-shared

@@ -1,4 +1,4 @@
-Name: Unix authentication with faillock (by package security-misc)
+Name: Unix authentication with faillock (by package security-misc-shared)
 Default: yes
 Priority: 384
 Auth-Type: Primary

usr/share/pam-configs/wheel-security-misc#security-misc-shared

@@ -1,4 +1,4 @@
-Name: group sudo membership required to use su (by package security-misc)
+Name: group sudo membership required to use su (by package security-misc-shared)
 Default: yes
 Priority: 1050
 Auth-Type: Primary

usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf#security-misc-shared

@@ -13,7 +13,7 @@
 ## /usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf
 ## to:
 ## /etc/sysctl.d/30-lkrg-virtualbox.conf
-## by package security-misc, files:
+## by package security-misc-shared, files:
 ## /usr/share/security-misc/lkrg/lkrg-virtualbox
 ## /usr/lib/systemd/system/lkrg.service.d/40-virtualbox.conf
 

usr/src/security-misc/emerg-shutdown.c#security-misc-shared

@@ -318,7 +318,7 @@ void print_usage() {
   print(fd_stderr, "    not use.\n");
   print(fd_stderr, "Example:\n");
   print(fd_stderr, "  emerg-shutdown --devices=/dev/sda3 --keys=KEY_POWER\n");
-  print(fd_stderr, "See /etc/security-misc/emerg-shutdown/30_security-misc.cofn to\n");
+  print(fd_stderr, "See /etc/security-misc/emerg-shutdown/30_security-misc.conf to\n");
   print(fd_stderr, "configure the emerg-shutdown service.\n");
 }