From 6b78dbcd07a9d2361c5ab41f5151e24a80309e13 Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Tue, 15 Oct 2019 20:57:02 +0000
Subject: [PATCH] Add way to whitelist things
---
 usr/lib/security-misc/hide-hardware-info | 45 +++++++++++++++++++++++-
 1 file changed, 44 insertions(+), 1 deletion(-)
diff --git a/usr/lib/security-misc/hide-hardware-info b/usr/lib/security-misc/hide-hardware-info
index 4a1eec0..0875ddb 100755
--- a/usr/lib/security-misc/hide-hardware-info
+++ b/usr/lib/security-misc/hide-hardware-info
@@ -3,6 +3,33 @@
 ## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 
+sysfs_whitelist=1
+cpuinfo_whitelist=1
+
+## Allows for disabling the whitelist.
+for i in /etc/hide-hardware-info.d/*.conf
+do
+ source "${i}"
+done
+
+create_whitelist() {
+ if [ "${1}" = "sysfs" ]; then
+ whitelist_path="/sys"
+ elif [ "${1}" = "cpuinfo" ]; then
+ whitelist_path="/proc/cpuinfo"
+ else
+ echo "ERROR: ${1} is not a correct parameter."
+ exit 1
+ fi
+
+ if grep -q "${1}" /etc/group; then
+ chmod o-rwx "${whitelist_path}"
+ chgrp -fR "${1}" "${whitelist_path}"
+ else
+ echo "ERROR: The ${1} group does not exist, the ${1} whitelist was not created."
+ fi
+}
+
 ## sysfs and debugfs expose a lot of information
 ## that should not be accessible by an unprivileged
 ## user which includes hardware info, debug info and
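Review bot: create_whitelist fails open: when `grep -q "${1}" /etc/group` does not match, the else branch only prints an error, so /sys or /proc/cpuinfo keeps its original world-readable mode instead of the og-rwx restriction the old loop applied; the two "whitelist is not enabled" branches in the second hunk skip the chmod in the same way. Each of those branches should still lock the path down, e.g. `chmod og-rwx "${whitelist_path}"` before the error message here and `chmod og-rwx "${i}"` in the loop, so that a missing group or a disabled whitelist falls back to root-only access. The existence check itself is a substring match over the whole file, so any group or member name that merely contains "sysfs" or "cpuinfo" passes it; `getent group "${1}" >/dev/null` (or an anchored `grep -q "^${1}:" /etc/group`) tests the group itself, and with `chgrp -f` hiding errors a false match is otherwise silent. The `for i in /etc/hide-hardware-info.d/*.conf` loop also sources the literal pattern when the directory holds no .conf file; `[ -f "${i}" ] || continue` before `source "${i}"` avoids that.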
@@ -13,7 +40,23 @@
 for i in /proc/cpuinfo /proc/bus /proc/scsi /sys
 do
 if [ -e "${i}" ]; then
- chmod og-rwx "${i}"
+ if [ "${i}" = "/sys" ]; then
+ ## Whitelist for /sys.
+ if [ "${sysfs_whitelist}" = "1" ]; then
+ create_whitelist sysfs
+ else
+ echo "INFO: The sysfs whitelist is not enabled. Some things may not work properly."
+ fi
+ elif [ "${i}" = "/proc/cpuinfo" ]; then
+ ## Whitelist for /proc/cpuinfo.
+ if [ "${cpuinfo_whitelist}" = "1" ]; then
+ create_whitelist cpuinfo
+ else
+ echo "INFO: The cpuinfo whitelist is not enabled. Some things may not work properly."
+ fi
+ else
+ chmod og-rwx "${i}"
+ fi
 else
 ## /proc/scsi doesn't exist on Debian so errors
 ## are expected here.
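Review bot: Both INFO messages are written to stdout, as are the ERROR messages in create_whitelist, so diagnostics are mixed into whatever a caller captures from this script rather than going to stderr; add `>&2`, e.g. `echo "INFO: The sysfs whitelist is not enabled. Some things may not work properly." >&2`. The /sys and /proc/cpuinfo arms are identical apart from the name, so a `case "${i}" in` that derives the whitelist name once would remove the duplicated block, though that is a matter of taste. The for loop's closing `done` lies outside the hunk.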