From 318ab570aacd48b7f163331dc2ba8b012e0d2336 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Tue, 1 Dec 2020 04:28:15 -0500 Subject: [PATCH] simplify disabling of SUID Disabler and Permission Hardener whitelist split `/etc/permission-hardening.d/30_default.conf` into multiple files `/etc/permission-hardening.d/40_default_whitelist_[...].conf` therefore make it easier to delete any whitelisted SUID binaries --- etc/permission-hardening.d/30_default.conf | 50 +------------------ .../40_default_whitelist_bubblewrap.conf | 9 ++++ .../40_default_whitelist_chromium.conf | 8 +++ .../40_default_whitelist_dbus.conf | 8 +++ .../40_default_whitelist_firejail.conf | 11 ++++ .../40_default_whitelist_fuse.conf | 10 ++++ .../40_default_whitelist_mount.conf | 17 +++++++ .../40_default_whitelist_policykit.conf | 17 +++++++ .../40_default_whitelist_qubes.conf | 13 +++++ .../40_default_whitelist_selinux.conf | 8 +++ .../40_default_whitelist_spice.conf | 8 +++ .../40_default_whitelist_sudo.conf | 9 ++++ .../40_default_whitelist_virtualbox.conf | 9 ++++ 13 files changed, 128 insertions(+), 49 deletions(-) create mode 100644 etc/permission-hardening.d/40_default_whitelist_bubblewrap.conf create mode 100644 etc/permission-hardening.d/40_default_whitelist_chromium.conf create mode 100644 etc/permission-hardening.d/40_default_whitelist_dbus.conf create mode 100644 etc/permission-hardening.d/40_default_whitelist_firejail.conf create mode 100644 etc/permission-hardening.d/40_default_whitelist_fuse.conf create mode 100644 etc/permission-hardening.d/40_default_whitelist_mount.conf create mode 100644 etc/permission-hardening.d/40_default_whitelist_policykit.conf create mode 100644 etc/permission-hardening.d/40_default_whitelist_qubes.conf create mode 100644 etc/permission-hardening.d/40_default_whitelist_selinux.conf create mode 100644 etc/permission-hardening.d/40_default_whitelist_spice.conf create mode 100644 etc/permission-hardening.d/40_default_whitelist_sudo.conf create mode 100644 etc/permission-hardening.d/40_default_whitelist_virtualbox.conf 
diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf
index 7684cc9..4e86fc1 100644
--- a/etc/permission-hardening.d/30_default.conf
+++ b/etc/permission-hardening.d/30_default.conf
@@ -34,29 +34,6 @@
 # SUID exact match whitelist
 ######################################################################
 
-/usr/bin/sudo exactwhitelist
-/bin/sudo exactwhitelist
-/usr/bin/bwrap exactwhitelist
-/bin/bwrap exactwhitelist
-/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper exactwhitelist
-/usr/lib/chromium/chrome-sandbox exactwhitelist
-
-/usr/bin/pkexec exactwhitelist
-/bin/pkexec exactwhitelist
-/usr/bin/pkexec.security-misc-orig exactwhitelist
-/bin/pkexec.security-misc-orig exactwhitelist
-
-## https://forums.whonix.org/t/disable-suid-binaries/7706/61
-## Protect from 'chmod -x' (and SUID removal).
-## SUID will be removed below in separate step.
-/bin/mount exactwhitelist
-/usr/bin/mount exactwhitelist
-
-## There is a controversy about firejail but those who choose to install it
-## should be able to use it.
-## https://www.whonix.org/wiki/Dev/Firejail#Security
-/usr/bin/firejail exactwhitelist
-
 ## In case you need to use 'su'. See also:
 ## https://www.whonix.org/wiki/root#su
 #/bin/su exactwhitelist
@@ -72,42 +49,17 @@
 #/usr/lib/xorg/Xorg.wrap whitelist
 
 ######################################################################
-# SUID regex match whitelist - research required
+# SUID regex match whitelist
 ######################################################################
 
-/usr/lib/virtualbox/ matchwhitelist
-
-## https://github.com/QubesOS/qubes-core-agent-linux/blob/master/qubes-rpc/qfile-unpacker.c
-## match both:
-#/usr/lib/qubes/qfile-unpacker whitelist
-#/lib/qubes/qfile-unpacker
-/qubes/qfile-unpacker matchwhitelist
-
-## match both:
-#/usr/lib/policykit-1/polkit-agent-helper-1 matchwhitelist
-#/lib/policykit-1/polkit-agent-helper-1
-polkit-agent-helper-1 matchwhitelist
-
 ######################################################################
 # SUID regex match whitelist
 ######################################################################
 
-dbus-daemon-launch-helper matchwhitelist
-/utempter/utempter matchwhitelist
-
-## required for AppImages such as electrum Bitcoin wallet
-## https://forums.whonix.org/t/disable-suid-binaries/7706/57
-/fusermount matchwhitelist
-
 ######################################################################
 # Permission Hardening
 ######################################################################
 
-## Remove SUID from 'mount' but keep executable.
-## https://forums.whonix.org/t/disable-suid-binaries/7706/61
-/bin/mount 745 root root
-/usr/bin/mount 745 root root
-
 /home/ 0755 root root
 /home/user/ 0700 user user
 /root/ 0700 root root
diff --git a/etc/permission-hardening.d/40_default_whitelist_bubblewrap.conf b/etc/permission-hardening.d/40_default_whitelist_bubblewrap.conf
new file mode 100644
index 0000000..af2a214
--- /dev/null
+++ b/etc/permission-hardening.d/40_default_whitelist_bubblewrap.conf
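Review bot: In 30_default.conf the second hunk leaves two identical `# SUID regex match whitelist` banners back to back with nothing under either, because dropping `- research required` made the first heading the same as the second. Keep one banner and put a pointer under it, for example `## Default whitelist entries now live in /etc/permission-hardening.d/40_default_whitelist_*.conf`, so that someone auditing which SUID binaries are exempt does not read the empty section as "nothing is whitelisted". As far as the first hunk shows, the `# SUID exact match whitelist` section is now left with only commented-out entries and would benefit from the same pointer.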
@@ -0,0 +1,9 @@
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardening.d/20_user.conf" or
+## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+/usr/bin/bwrap exactwhitelist
+/bin/bwrap exactwhitelist
diff --git a/etc/permission-hardening.d/40_default_whitelist_chromium.conf b/etc/permission-hardening.d/40_default_whitelist_chromium.conf
new file mode 100644
index 0000000..3ba68e2
--- /dev/null
+++ b/etc/permission-hardening.d/40_default_whitelist_chromium.conf
@@ -0,0 +1,8 @@
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardening.d/20_user.conf" or
+## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+/usr/lib/chromium/chrome-sandbox exactwhitelist
diff --git a/etc/permission-hardening.d/40_default_whitelist_dbus.conf b/etc/permission-hardening.d/40_default_whitelist_dbus.conf
new file mode 100644
index 0000000..85290e7
--- /dev/null
+++ b/etc/permission-hardening.d/40_default_whitelist_dbus.conf
@@ -0,0 +1,8 @@
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardening.d/20_user.conf" or
+## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+dbus-daemon-launch-helper matchwhitelist
diff --git a/etc/permission-hardening.d/40_default_whitelist_firejail.conf b/etc/permission-hardening.d/40_default_whitelist_firejail.conf
new file mode 100644
index 0000000..2fcb272
--- /dev/null
+++ b/etc/permission-hardening.d/40_default_whitelist_firejail.conf
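Review bot: The header added to 40_default_whitelist_bubblewrap.conf warns that the file may be overwritten on update and points to 20_user.conf, yet the commit message gives deleting these files as the way to drop a whitelist entry. Nothing in the file says what happens to a deleted file on the next security-misc upgrade; if it is reinstalled, the binary the admin meant to strip of SUID is whitelisted again without notice. A line such as `## To stop whitelisting this binary, delete this file and re-check after package upgrades.` (adjusted to whatever the packaging actually guarantees) would close the gap. The same header is repeated in the other eleven 40_default_whitelist_*.conf files.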
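Review bot: `dbus-daemon-launch-helper matchwhitelist` in 40_default_whitelist_dbus.conf has no directory component, so, assuming matchwhitelist is the pattern match that the "SUID regex match whitelist" banner in 30_default.conf describes, a SUID file with that string anywhere in its path keeps its bit. The same holds for `polkit-agent-helper-1` (policykit), `/fusermount` (fuse), `/utempter/utempter` (selinux), `/qubes/qfile-unpacker` (qubes) and `/usr/lib/virtualbox/` (virtualbox), but only three of those files carry `## TODO: research`. Where the full paths are already known, as in the commented lines of the policykit file, prefer `/usr/lib/policykit-1/polkit-agent-helper-1 exactwhitelist` and `/lib/policykit-1/polkit-agent-helper-1 exactwhitelist`; otherwise add the TODO to the dbus, fuse and selinux files as well.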
@@ -0,0 +1,11 @@
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardening.d/20_user.conf" or
+## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+## There is a controversy about firejail but those who choose to install it
+## should be able to use it.
+## https://www.whonix.org/wiki/Dev/Firejail#Security
+/usr/bin/firejail exactwhitelist
diff --git a/etc/permission-hardening.d/40_default_whitelist_fuse.conf b/etc/permission-hardening.d/40_default_whitelist_fuse.conf
new file mode 100644
index 0000000..b0cffa9
--- /dev/null
+++ b/etc/permission-hardening.d/40_default_whitelist_fuse.conf
@@ -0,0 +1,10 @@
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardening.d/20_user.conf" or
+## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+## required for AppImages such as electrum Bitcoin wallet
+## https://forums.whonix.org/t/disable-suid-binaries/7706/57
+/fusermount matchwhitelist
diff --git a/etc/permission-hardening.d/40_default_whitelist_mount.conf b/etc/permission-hardening.d/40_default_whitelist_mount.conf
new file mode 100644
index 0000000..5ab606a
--- /dev/null
+++ b/etc/permission-hardening.d/40_default_whitelist_mount.conf
@@ -0,0 +1,17 @@
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardening.d/20_user.conf" or
+## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+## https://forums.whonix.org/t/disable-suid-binaries/7706/61
+## Protect from 'chmod -x' (and SUID removal).
+## SUID will be removed below in separate step.
+/bin/mount exactwhitelist
+/usr/bin/mount exactwhitelist
+
+## Remove SUID from 'mount' but keep executable.
+## https://forums.whonix.org/t/disable-suid-binaries/7706/61
+/bin/mount 745 root root
+/usr/bin/mount 745 root root
diff --git a/etc/permission-hardening.d/40_default_whitelist_policykit.conf b/etc/permission-hardening.d/40_default_whitelist_policykit.conf
new file mode 100644
index 0000000..a188c98
--- /dev/null
+++ b/etc/permission-hardening.d/40_default_whitelist_policykit.conf
@@ -0,0 +1,17 @@
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardening.d/20_user.conf" or
+## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+/usr/bin/pkexec exactwhitelist
+/bin/pkexec exactwhitelist
+/usr/bin/pkexec.security-misc-orig exactwhitelist
+/bin/pkexec.security-misc-orig exactwhitelist
+
+## TODO: research
+## match both:
+#/usr/lib/policykit-1/polkit-agent-helper-1 matchwhitelist
+#/lib/policykit-1/polkit-agent-helper-1
+polkit-agent-helper-1 matchwhitelist
diff --git a/etc/permission-hardening.d/40_default_whitelist_qubes.conf b/etc/permission-hardening.d/40_default_whitelist_qubes.conf
new file mode 100644
index 0000000..bb2dddc
--- /dev/null
+++ b/etc/permission-hardening.d/40_default_whitelist_qubes.conf
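Review bot: The mode `745` on the last two lines of 40_default_whitelist_mount.conf gives group read-only while others get read and execute, and it is written with three digits where the entries left in 30_default.conf use four (`0755`, `0700`). If the intent is only what the comment says, dropping SUID while keeping mount executable, `/bin/mount 0755 root root` and `/usr/bin/mount 0755 root root` would state that unambiguously. If 745 is deliberate, a one-line comment giving the reason would stop the next reader from "fixing" it.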
@@ -0,0 +1,13 @@
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardening.d/20_user.conf" or
+## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+## TODO: research
+## https://github.com/QubesOS/qubes-core-agent-linux/blob/master/qubes-rpc/qfile-unpacker.c
+## match both:
+#/usr/lib/qubes/qfile-unpacker whitelist
+#/lib/qubes/qfile-unpacker
+/qubes/qfile-unpacker matchwhitelist
diff --git a/etc/permission-hardening.d/40_default_whitelist_selinux.conf b/etc/permission-hardening.d/40_default_whitelist_selinux.conf
new file mode 100644
index 0000000..0e844c1
--- /dev/null
+++ b/etc/permission-hardening.d/40_default_whitelist_selinux.conf
@@ -0,0 +1,8 @@
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardening.d/20_user.conf" or
+## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+/utempter/utempter matchwhitelist
diff --git a/etc/permission-hardening.d/40_default_whitelist_spice.conf b/etc/permission-hardening.d/40_default_whitelist_spice.conf
new file mode 100644
index 0000000..27a0922
--- /dev/null
+++ b/etc/permission-hardening.d/40_default_whitelist_spice.conf
@@ -0,0 +1,8 @@
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardening.d/20_user.conf" or
+## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper exactwhitelist
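Review bot: 40_default_whitelist_selinux.conf contains only `/utempter/utempter matchwhitelist`, and utempter is, as far as I know, the libutempter helper that terminal emulators use to write utmp/wtmp records rather than an SELinux component. With one file per package now acting as the switch for a whitelist entry, a misleading name means an admin auditing or deleting "selinux" touches the wrong thing. Renaming the file to `40_default_whitelist_utempter.conf`, or at least adding a comment such as `## utempter: helper used by terminal emulators for utmp/wtmp logging`, would make the entry findable.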
diff --git a/etc/permission-hardening.d/40_default_whitelist_sudo.conf b/etc/permission-hardening.d/40_default_whitelist_sudo.conf
new file mode 100644
index 0000000..30b5a07
--- /dev/null
+++ b/etc/permission-hardening.d/40_default_whitelist_sudo.conf
@@ -0,0 +1,9 @@
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardening.d/20_user.conf" or
+## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+/usr/bin/sudo exactwhitelist
+/bin/sudo exactwhitelist
diff --git a/etc/permission-hardening.d/40_default_whitelist_virtualbox.conf b/etc/permission-hardening.d/40_default_whitelist_virtualbox.conf
new file mode 100644
index 0000000..2c9adba
--- /dev/null
+++ b/etc/permission-hardening.d/40_default_whitelist_virtualbox.conf
@@ -0,0 +1,9 @@
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardening.d/20_user.conf" or
+## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+## TODO: research
+/usr/lib/virtualbox/ matchwhitelist