Merge pull request #31 from madaidan/hide-hardware-info

Restrict /proc/cpuinfo, /proc/bus, /proc/scsi and /sys to root
This commit is contained in:
Patrick Schleizer 2019-10-05 08:46:21 +00:00 committed by GitHub
commit 7bcf73deaa
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 52 additions and 0 deletions

7
debian/control vendored
View File

@ -84,6 +84,13 @@ Description: enhances misc security settings
* Bluetooth is blacklisted to reduce attack surface. Bluetooth also has * Bluetooth is blacklisted to reduce attack surface. Bluetooth also has
a history of security concerns. a history of security concerns.
https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
.
* A systemd service restricts /proc/cpuinfo, /proc/bus, /proc/scsi and
/sys to the root user only. This hides a lot of hardware identifiers from
unprivileged users and increases security as /sys exposes a lot of information
that shouldn't be accessible to unprivileged users. As this will break many
things, it is disabled by default and can optionally be enabled by running
`systemctl enable hide-hardware-info.service` as root.
. .
Uncommon network protocols are blacklisted: Uncommon network protocols are blacklisted:
These are rarely used and may have unknown vulnerabilities. These are rarely used and may have unknown vulnerabilities.

View File

@ -0,0 +1,4 @@
## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
disable hide-hardware-info.service

View File

@ -0,0 +1,17 @@
## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
[Unit]
Description=Hide hardware information to unprivileged users
Documentation=https://github.com/Whonix/security-misc
DefaultDependencies=no
Before=sysinit.target
Requires=local-fs.target
After=local-fs.target
[Service]
Type=oneshot
ExecStart=/usr/lib/security-misc/hide-hardware-info
[Install]
WantedBy=sysinit.target

View File

@ -0,0 +1,24 @@
#!/bin/bash
## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
## sysfs and debugfs expose a lot of information
## that should not be accessible by an unprivileged
## user which includes hardware info, debug info and
## more. This restricts /sys, /proc/cpuinfo, /proc/bus
## and /proc/scsi to the root user only. This hides
## many hardware identifiers from ordinary users
## and increases security.
for i in /proc/cpuinfo /proc/bus /proc/scsi /sys
do
if [ -e "${i}" ]; then
chmod og-rwx "${i}"
else
## /proc/scsi doesn't exist on Debian so errors
## are expected here.
if ! [ "${i}" = "/proc/scsi" ]; then
echo "ERROR: ${i} could not be found."
fi
fi
done