From 3bc1765dbbd333a1d607ab6962281b4d0a5c4b60 Mon Sep 17 00:00:00 2001
From: Daniel Winzen
Date: Wed, 21 Feb 2024 20:37:34 +0100
Subject: [PATCH] Allow access to /sys/fs for polkit

---
 usr/libexec/security-misc/hide-hardware-info | 29 ++++++++++++--------
 1 file changed, 17 insertions(+), 12 deletions(-)

diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info
index b55441f..4ed2aca 100755
--- a/usr/libexec/security-misc/hide-hardware-info
+++ b/usr/libexec/security-misc/hide-hardware-info
@@ -80,6 +80,23 @@ do
 fi
 done
 
+## restrict permissions on everything but
+## what is needed
+for i in /sys/* /sys/fs/*
+do
+## Using '|| true':
+## https://github.com/Kicksecure/security-misc/pull/108
+if [ "${sysfs_whitelist}" = "1" ]; then
+chmod o-rwx "${i}" || true
+else
+chmod og-rwx "${i}" || true
+fi
+done
+
+## polkit needs stat access to /sys/fs/cgroup
+## to function properly
+chmod o+rx /sys /sys/fs
+
 ## on SELinux systems, at least /sys/fs/selinux
 ## must be visible to unprivileged users, else
 ## SELinux userspace utilities will not function
@@ -88,18 +105,6 @@ if [ -d /sys/fs/selinux ]; then
 echo "INFO: SELinux detected because folder /sys/fs/selinux exists. See also:"
 echo "https://www.kicksecure.com/wiki/Security-misc#selinux"
 if [ "${selinux}" = "1" ]; then
-## restrict permissions on everything but
-## what is needed
-for i in /sys/* /sys/fs/*
-do
-## Using '|| true':
-## https://github.com/Kicksecure/security-misc/pull/108
-if [ "${sysfs_whitelist}" = "1" ]; then
-chmod o-rwx "${i}" || true
-else
-chmod og-rwx "${i}" || true
-fi
-done
 chmod o+rx /sys /sys/fs /sys/fs/selinux
 echo "INFO: SELinux mode enabled. Restrictions loosened slightly in order to allow userspace utilities to function."
 else
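Review bot: The new unconditional `chmod o+rx /sys /sys/fs` in the first hunk grants more than the comment above it justifies: a stat()/statfs() of /sys/fs/cgroup needs only search (x) permission on the two parent directories, whereas adding read (r) also lets every local user list the entry names under /sys and /sys/fs that the preceding loop just made unreadable. If directory listing is not actually required, `chmod o+x /sys /sys/fs` is the tighter grant, and in either case the comment should spell out the mechanism, e.g. `## stat() of /sys/fs/cgroup only needs search (x) on /sys and /sys/fs; the cgroup directory itself stays restricted by the loop above`. Note also that in non-whitelist mode the loop strips group access from /sys/fs (`og-rwx`) while the new line restores only other, leaving group with less access than other on /sys/fs — worth confirming that asymmetry is intended. With this line now running unconditionally, the `chmod o+rx /sys /sys/fs /sys/fs/selinux` kept in the SELinux branch (second hunk) repeats /sys and /sys/fs and could be reduced to `chmod o+rx /sys/fs/selinux`; the loop closed by the hunk's leading `fi`/`done` and the SELinux if/else both extend outside the visible hunks.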