Merge pull request #31 from madaidan/hide-hardware-info

Restrict /proc/cpuinfo, /proc/bus, /proc/scsi and /sys to root
2024-10-01 08:25:45 -04:00 · 2019-10-05 08:46:21 +00:00 · 2019-10-05 08:46:21 +00:00 · 7bcf73deaa
commit 7bcf73deaa
parent ddc778b452 7345287560
4 changed files with 52 additions and 0 deletions
--- a/debian/control
+++ b/debian/control
@ -84,6 +84,13 @@ Description: enhances misc security settings
  * Bluetooth is blacklisted to reduce attack surface. Bluetooth also has
 a history of security concerns.
 https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
+ .
+  * A systemd service restricts /proc/cpuinfo, /proc/bus, /proc/scsi and
+ /sys to the root user only. This hides a lot of hardware identifiers from
+ unprivileged users and increases security as /sys exposes a lot of information
+ that shouldn't be accessible to unprivileged users. As this will break many
+ things, it is disabled by default and can optionally be enabled by running
+ `systemctl enable hide-hardware-info.service` as root.
 .
 Uncommon network protocols are blacklisted:
 These are rarely used and may have unknown vulnerabilities.
--- a/lib/systemd/system-preset/50-security-misc.preset
+++ b/lib/systemd/system-preset/50-security-misc.preset
@ -0,0 +1,4 @@
+## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+disable hide-hardware-info.service
--- a/lib/systemd/system/hide-hardware-info.service
+++ b/lib/systemd/system/hide-hardware-info.service
@ -0,0 +1,17 @@
+## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+[Unit]
+Description=Hide hardware information to unprivileged users
+Documentation=https://github.com/Whonix/security-misc
+DefaultDependencies=no
+Before=sysinit.target
+Requires=local-fs.target
+After=local-fs.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/lib/security-misc/hide-hardware-info
+
+[Install]
+WantedBy=sysinit.target
--- a/usr/lib/security-misc/hide-hardware-info
+++ b/usr/lib/security-misc/hide-hardware-info
@ -0,0 +1,24 @@
+#!/bin/bash
+
+## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+## sysfs and debugfs expose a lot of information
+## that should not be accessible by an unprivileged
+## user which includes hardware info, debug info and
+## more. This restricts /sys, /proc/cpuinfo, /proc/bus
+## and /proc/scsi to the root user only. This hides
+## many hardware identifiers from ordinary users
+## and increases security.
+for i in /proc/cpuinfo /proc/bus /proc/scsi /sys
+do
+  if [ -e "${i}" ]; then
+    chmod og-rwx "${i}"
+  else
+    ## /proc/scsi doesn't exist on Debian so errors
+    ## are expected here.
+    if ! [ "${i}" = "/proc/scsi" ]; then
+      echo "ERROR: ${i} could not be found."
+    fi
+  fi
+done