From 72be31e870057b035651c1b5a7e9a9db149e9d25 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 12 Apr 2020 16:48:13 -0400 Subject: [PATCH] disable proc-hidepid by default because incompatible with pkexec and undo pkexec wrapper --- debian/control | 5 +++-- debian/security-misc.displace | 1 - debian/security-misc.undisplace | 1 + lib/systemd/system-preset/50-security-misc.preset | 3 +++ 4 files changed, 7 insertions(+), 3 deletions(-) diff --git a/debian/control b/debian/control index bd82bae..0d6871a 100644 --- a/debian/control +++ b/debian/control @@ -175,8 +175,9 @@ Description: enhances misc security settings `/lib/systemd/system/remount-secure.service` `/usr/lib/security-misc/remount-secure` . - * A systemd service mounts `/proc` with `hidepid=2` at boot to prevent users - from seeing each other's processes. + * An optional systemd service mounts `/proc` with `hidepid=2` at boot to + prevent users from seeing each other's processes. Not enabled because not + compatible with pkexec. . * The kernel logs are restricted to root only. . diff --git a/debian/security-misc.displace b/debian/security-misc.displace index afc5957..52bb261 100644 --- a/debian/security-misc.displace +++ b/debian/security-misc.displace @@ -1,5 +1,4 @@ ## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -/usr/bin/pkexec.security-misc /etc/securetty.security-misc diff --git a/debian/security-misc.undisplace b/debian/security-misc.undisplace index 55fd1f1..3c56ba4 100644 --- a/debian/security-misc.undisplace +++ b/debian/security-misc.undisplace @@ -2,3 +2,4 @@ ## See the file COPYING for copying conditions. /etc/login.defs.security-misc +/usr/bin/pkexec.security-misc diff --git a/lib/systemd/system-preset/50-security-misc.preset b/lib/systemd/system-preset/50-security-misc.preset index a9047d6..f534279 100644 --- a/lib/systemd/system-preset/50-security-misc.preset +++ b/lib/systemd/system-preset/50-security-misc.preset 
@@ -9,3 +9,6 @@ disable permission-hardening.service ## Disable for now until development finished / tested. disable remount-secure.service + +## Disable due to pkexec issues. +proc-hidepid.service
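Review bot: The added line `proc-hidepid.service` in `lib/systemd/system-preset/50-security-misc.preset` has no `enable`/`disable` verb, unlike the `disable remount-secure.service` line just above it, so systemd will not treat it as a preset directive and the unit is not actually preset to disabled. It should read `disable proc-hidepid.service`. Units matched by no preset rule default to enabled, so the malformed line can leave the `hidepid=2` mount in the opposite state from what the updated package description in `debian/control` documents ("Not enabled because not compatible with pkexec"). A preset only takes effect when presets are applied, so hosts that already have the unit enabled from an earlier install presumably keep it unless the maintainer scripts disable it explicitly; that is worth confirming on the upgrade path.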