From 1708a03e1edda821ef091f10c46d32f740511d38 Mon Sep 17 00:00:00 2001
From: Aaron Rainbolt <arraybolt3@ubuntu.com>
Date: Thu, 28 Nov 2024 15:20:57 -0600
Subject: [PATCH 1/3] Enable umask hardening

---
 README.md                                 | 14 +++++++++-----
 etc/sudoers.d/security-misc               |  5 +++++
 usr/share/pam-configs/umask-security-misc |  8 ++++++++
 3 files changed, 22 insertions(+), 5 deletions(-)
 create mode 100644 usr/share/pam-configs/umask-security-misc

diff --git a/README.md b/README.md
index c23d261..6117830 100644
--- a/README.md
+++ b/README.md
@@ -46,7 +46,7 @@ Kernel space:
 
 - Force the kernel to panic on both "oopses", which can potentially indicate and thwart
   certain kernel exploitation attempts, and also kernel warnings in the `WARN()` path.
-  
+
 - Optional - Force immediate reboot on the occurrence of a single kernel panic and also
   (when using Linux kernel >= 6.2) limit the number of allowed panics to one.
 
@@ -573,9 +573,7 @@ See:
 #### umask
 
 Default `umask` is set to `027` for files created by non-root users such as
-user `user`. Broken. Disabled. See:
-
-* https://github.com/Kicksecure/security-misc/issues/184
+user `user`.
 
 This is done using the PAM module `pam_mkhomedir.so umask=027`.
 
@@ -589,7 +587,13 @@ https://wiki.debian.org/UserPrivateGroups
 
 Default `umask` is unchanged for root because then configuration files created
 in `/etc` by the system administrator would be unreadable by "others" and break
-applications. Examples include `/etc/firefox-esr` and `/etc/thunderbird`.
+applications. Examples include `/etc/firefox-esr` and `/etc/thunderbird`. The
+`umask` is also set to 022 via `sudoers` configuration, so that files created
+as root are world-readable even when using commands such as `sudo vi
+/etc/file` or `sudo -i; touch /etc/file`.
+
+`umask` is set to 022 rather than 027 when using `sudo`, so that commands such
+as `sudo vi /etc/configfile` and `sudo -i; touch /etc/file`
 
 See:
 
diff --git a/etc/sudoers.d/security-misc b/etc/sudoers.d/security-misc
index 7084b1f..591eede 100644
--- a/etc/sudoers.d/security-misc
+++ b/etc/sudoers.d/security-misc
@@ -3,3 +3,8 @@
 
 user ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops
 %sudo ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops
+
+## Use a more open umask when executing commands with sudo
+## Can be overridden on a per-user basis using .[z]profile if desirable
+Defaults umask_override
+Defaults umask=0022
diff --git a/usr/share/pam-configs/umask-security-misc b/usr/share/pam-configs/umask-security-misc
new file mode 100644
index 0000000..6436a56
--- /dev/null
+++ b/usr/share/pam-configs/umask-security-misc
@@ -0,0 +1,8 @@
+Name: Restrict umask to 027 (by package security-misc)
+Default: yes
+Priority: 100
+Session-Type: Additional
+Session-Interactive-Only: yes
+Session:
+	[success=1 default=ignore]	pam_succeed_if.so uid eq 0
+	optional	pam_umask.so umask=027

From 93b51819d4693955936456916188b4118fe68a66 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@whonix.org>
Date: Fri, 6 Dec 2024 09:47:08 -0500
Subject: [PATCH 2/3] permission hardener mount chmod change from `745` to
 `755`

https://github.com/Kicksecure/security-misc/issues/284
---
 etc/permission-hardener.d/25_default_whitelist_mount.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/etc/permission-hardener.d/25_default_whitelist_mount.conf b/etc/permission-hardener.d/25_default_whitelist_mount.conf
index 54b22a6..08965b8 100644
--- a/etc/permission-hardener.d/25_default_whitelist_mount.conf
+++ b/etc/permission-hardener.d/25_default_whitelist_mount.conf
@@ -13,5 +13,5 @@
 
 ## Remove SUID from 'mount' but keep executable.
 ## https://forums.whonix.org/t/disable-suid-binaries/7706/61
-/bin/mount 745 root root
-/usr/bin/mount 745 root root
+/bin/mount 755 root root
+/usr/bin/mount 755 root root

From 5b88e92e5c4b951e659e1574fc248bd11158dfb2 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@whonix.org>
Date: Fri, 6 Dec 2024 09:48:58 -0500
Subject: [PATCH 3/3] permission hardner: treat `mount` the same way we treat
 `umount`

Thanks to @the-moog for the bug report!

fixes https://github.com/Kicksecure/security-misc/issues/284
---
 etc/permission-hardener.d/25_default_whitelist_mount.conf | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/etc/permission-hardener.d/25_default_whitelist_mount.conf b/etc/permission-hardener.d/25_default_whitelist_mount.conf
index 08965b8..c0a4f96 100644
--- a/etc/permission-hardener.d/25_default_whitelist_mount.conf
+++ b/etc/permission-hardener.d/25_default_whitelist_mount.conf
@@ -10,8 +10,12 @@
 ## SUID will be removed below in separate step.
 /bin/mount exactwhitelist
 /usr/bin/mount exactwhitelist
+/bin/umount exactwhitelist
+/usr/bin/umount exactwhitelist
 
 ## Remove SUID from 'mount' but keep executable.
 ## https://forums.whonix.org/t/disable-suid-binaries/7706/61
 /bin/mount 755 root root
 /usr/bin/mount 755 root root
+/bin/umount 755 root root
+/usr/bin/umount 755 root root