From 6d30e3b4a2c0e5cf53d88b4a033511aa49b8f227 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Fri, 20 Dec 2019 08:13:23 -0500
Subject: [PATCH] do not remove suid from whitelisted binaries ever
https://forums.whonix.org/t/permission-hardening/8655/13
---
 etc/permission-hardening.d/30_default.conf | 17 +++++++++--------
 usr/lib/security-misc/permission-hardening | 19 +++++++++++++++++++
 2 files changed, 28 insertions(+), 8 deletions(-)
diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf
index 594ecfa..16830fd 100644
--- a/etc/permission-hardening.d/30_default.conf
+++ b/etc/permission-hardening.d/30_default.conf
@@ -13,6 +13,15 @@
 ## To remove all SUID/SGID binaries in a directory, you can use the "nosuid"
 ## argument.
+## SUID whitelist.
+/usr/bin/sudo whitelist
+/usr/bin/bwrap whitelist
+/usr/lib/policykit-1/polkit-agent-helper-1 whitelist
+/usr/lib/dbus-1.0/dbus-daemon-launch-helper whitelist
+/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper whitelist
+/usr/lib/x86_64-linux-gnu/utempter/utempter whitelist
+
+## Permission hardening.
 /home/ 0755 root root
 /home/user/ 0700 user user
 /root/ 0700 root root
@@ -41,11 +50,3 @@
 /usr/local/lib/ nosuid
 /usr/local/lib32/ nosuid
 /usr/local/lib64/ nosuid
-
-## SUID whitelist.
-/usr/bin/sudo 4755 root root
-/usr/bin/bwrap 4755 root root
-/usr/lib/policykit-1/polkit-agent-helper-1 4755 root root
-/usr/lib/dbus-1.0/dbus-daemon-launch-helper 4754 root messagebus
-/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper 4755 root root
-/usr/lib/x86_64-linux-gnu/utempter/utempter 2755 root utmp
diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening
index 07b1be4..3d15451 100755
--- a/usr/lib/security-misc/permission-hardening
+++ b/usr/lib/security-misc/permission-hardening
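Review bot: The new `## SUID whitelist.` entries carry no mode or owner, while the entries they replace did (`4754 root messagebus` for dbus-daemon-launch-helper, `2755 root utmp` for utempter), so the config no longer states what a whitelisted file should look like; with the script change in this commit a whitelisted path is left exactly as found, so an over-permissive mode or wrong owner on one of these binaries is no longer corrected. A comment should say so, e.g. `## Whitelisted files are never touched: their current mode and owner are kept as found, not enforced, so verify them separately.` The same comment should state that whitelist lines must come before the nosuid entries they are meant to protect, which is presumably why this commit moves the section to the top of the file; how the other files in permission-hardening.d are ordered relative to this one is not visible here.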
@@ -69,6 +69,20 @@ add_nosuid_statoverride_entry() {
 echo "INFO: $setuid_output $setguid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | new_mode: '$new_mode'"
+ is_whitelisted=""
+ for white_list_entry in $whitelist ; do
+ if [ "$file_name" = "$white_list_entry" ]; then
+ is_whitelisted="true"
+ ## Stop looping through the whitelist.
+ break
+ fi
+ done
+
+ if [ "$is_whitelisted" = "true" ]; then
+ echo "INFO: skip whitelisted: '$file_name'"
+ continue
+ fi
+ + if dpkg-statoverride --list | grep -q "$file_name"; then
 if ! dpkg-statoverride --list | grep -q "$owner $group $new_mode $file_name"; then
 echo_wrapper dpkg-statoverride --remove "$file_name"
@@ -115,6 +129,11 @@ set_file_perms() {
 fso_without_trailing_slash="${fso%/}"
+ if [ "$mode_from_config" = "whitelist" ]; then
+ whitelist+="$fso_without_trailing_slash "
+ continue
+ fi
+
 ## Use dpkg-statoverride so permissions are not reset during upgrades.
 nosuid=""
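Review bot: `for white_list_entry in $whitelist ; do` depends on unquoted word-splitting of a space-joined string (built in set_file_perms as `whitelist+="$fso_without_trailing_slash "`), so a whitelisted path containing whitespace is split into tokens that never match, and any glob character in an entry is expanded against the filesystem before the comparison. A bash array removes both problems: `whitelist+=("$fso_without_trailing_slash")` where the list is built and `for white_list_entry in "${whitelist[@]}"; do` here. Separately, the `continue` on a whitelisted file jumps over the dpkg-statoverride handling that follows, so an override registered by an earlier run (presumably how the old explicit entries such as `4754 root messagebus` were applied) stays in place rather than being reconciled; if that is intended, a comment like `## Whitelisted files keep whatever statoverride is already registered.` should say so. add_nosuid_statoverride_entry continues past the end of this hunk.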
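Review bot: The new `whitelist` branch only appends to a global while the config is being parsed, so a whitelist line protects only the `nosuid` entries parsed after it: add_nosuid_statoverride_entry reads `$whitelist` when each nosuid directory is walked, and a whitelist line below the nosuid lines (where the old config kept it) is silently ignored. This commit works around that by moving the section to the top of 30_default.conf, but nothing in the code checks or documents the ordering. Collecting whitelist lines in a first pass over the config before any nosuid entry is processed would remove the dependency; at minimum add `## Whitelist lines take effect only for nosuid entries parsed after them; keep them first.` above the new branch. set_file_perms starts before this hunk, so I cannot see how the config lines are iterated.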