From 5f4222c1c3d7fa057b31bba7b0b5c2e83c92a7be Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Thu, 26 Oct 2023 12:20:48 -0400
Subject: [PATCH] enable SUID Disabler and Permission Hardener by default

https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener
https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706
---
 debian/security-misc.postinst | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst
index d00d8cf..04410d9 100644
--- a/debian/security-misc.postinst
+++ b/debian/security-misc.postinst
@@ -15,6 +15,20 @@ true "
 ##################################################################### "
+permission_hardening() {
+ echo ""
+ echo "Running SUID Disabler and Permission Hardener... See also:"
+ echo "https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener"
+ echo ""
+ echo "$0: INFO: run: /usr/libexec/security-misc/permission-hardening"
+ if ! /usr/libexec/security-misc/permission-hardening ; then
+ echo "$0: ERROR: Permission hardening failed." >&2
+ return 0
+ fi
+ echo "$0: INFO: Permission hardening success."
+ echo ""
+}
+
 case "$1" in
 configure)
 if [ -d /etc/skel/.gnupg ]; then
@@ -45,6 +59,7 @@ esac
 pam-auth-update --package
 /usr/libexec/security-misc/permission-lockdown
+permission_hardening
 ## https://phabricator.whonix.org/T377
 ## Debian has no update-grub trigger yet:
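Review bot: The failure branch of `permission_hardening` ends in `return 0`, so a hardener that fails leaves the postinst exit status at zero and the package reaches the configured state with no hardening applied; nothing in the hunk says this is deliberate, and a later reader will take the `return 0` for a typo of `return 1`. If the intent is to keep a hardening failure from aborting dpkg, state it on the line, e.g. `## Deliberately non-fatal: a failed hardener must not abort dpkg configure; the error is already reported on stderr.`, and consider printing the non-zero status from the hardener in the ERROR line so the cause is visible in the install log. Both messages currently go out via `echo` of a fixed string, so `printf '%s\n'` is not needed here, but the ERROR line is the only diagnostic an operator gets, which is why the status matters. The function is complete within the hunk.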
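Review bot: `permission_hardening` is invoked after `esac`, i.e. on every maintainer-script action the postinst receives (configure as well as the abort-upgrade/abort-remove/abort-deconfigure paths), not only on `configure`. That mirrors the neighbouring `permission-lockdown` call, so it is presumably intended, but running a filesystem-wide permission change during an aborted upgrade is worth a one-line justification next to the call, e.g. `## Runs on all actions, like permission-lockdown above, so a rolled-back upgrade still ends hardened.`; if it is not intended, move the call inside the `configure)` arm. The surrounding `case` starts in the earlier hunk and its arms are outside this one, so I cannot see whether `configure)` already does something that makes this placement necessary.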