Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-12-17 18:33:58 -05:00
Code Issues Projects Releases Packages Wiki Activity

permission-hardener: Fix undo warning logic, minor improvements suggested by ChatGPT Codex

Browse source
This commit is contained in:
Aaron Rainbolt 2025-12-04 23:27:18 -06:00
parent 17dd7af7d1
commit 85761a4153
No known key found for this signature in database
GPG key ID: A709160D73C79109
1 changed files with 42 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

51
usr/bin/permission-hardener#security-misc-shared
View file

@ -89,7 +89,13 @@ output_stat() {
return 1 return 1
fi fi
block_newlines file "${file_name}" if ! block_newlines file "${file_name}"; then
existing_mode=''
existing_owner=''
existing_group=''
file_name_from_stat=''
return 0
fi
if [ ! -e "${file_name}" ]; then if [ ! -e "${file_name}" ]; then
log info "File does not exist. file_name: '${file_name}'" >&2 log info "File does not exist. file_name: '${file_name}'" >&2
@ -217,6 +223,12 @@ add_to_policy() {
file_capabilities="${5:-}" file_capabilities="${5:-}"
updated_entry=false updated_entry=false
if [ -z "${file_name}" ]; then
exit_code=207
log error "Attempted to add a policy entry with an empty filename! file_mode='${file_mode}' file_onwer='${file_owner}' file_group='${file_group}' file_capabilities='${file_capabilities}'" >&2
exit "${exit_code}"
fi
if [ -h "${file_name}" ]; then if [ -h "${file_name}" ]; then
file_name="$(realpath "${file_name}")" || return 1 file_name="$(realpath "${file_name}")" || return 1
fi fi
@ -319,6 +331,11 @@ match_dir() {
base_str="${1}" base_str="${1}"
match_str="${2}" match_str="${2}"
if [ -z "${base_str}" ] || [ -z "${match_str}" ]; then
exit_code=207
log error "Empty base_str or match_str provided to match_dir! base_str: '${base_str}' match_str: '${match_str}'" >&2
exit "${exit_code}"
fi
[[ "${base_str}" =~ '//' ]] && return 1 [[ "${base_str}" =~ '//' ]] && return 1
[[ "${match_str}" =~ '//' ]] && return 1 [[ "${match_str}" =~ '//' ]] && return 1
@ -562,8 +579,13 @@ commit_policy() {
## group is the string we want. BASH_REMATCH[0] is the entire string, ## group is the string we want. BASH_REMATCH[0] is the entire string,
## BASH_REMATCH[1] is the first match that we want to discard, and ## BASH_REMATCH[1] is the first match that we want to discard, and
## BASH_REMATCH[2] is the desired second group. ## BASH_REMATCH[2] is the desired second group.
[[ "${state_mode_item}" =~ ^(0*)(.*) ]] || true; if [[ "${state_mode_item}" =~ ^(0*)(.*) ]]; then
state_mode_item="${BASH_REMATCH[2]}" state_mode_item="${BASH_REMATCH[2]}"
else
exit_code=208
log error "'Impossible' regex match failure in commit_policy! Regex: '^(0*)(.*)' String (state_mode_item): '${state_mode_item}'" >&2
exit "${exit_code}"
fi
output_stat "${state_file_item}" output_stat "${state_file_item}"
if [ -z "${file_name_from_stat}" ]; then if [ -z "${file_name_from_stat}" ]; then
@ -693,9 +715,11 @@ undo_policy_for_file() {
state_user_owner_item="${state_user_owner_list[state_idx]}" state_user_owner_item="${state_user_owner_list[state_idx]}"
state_group_owner_item="${state_group_owner_list[state_idx]}" state_group_owner_item="${state_group_owner_list[state_idx]}"
state_mode_item="${state_mode_list[state_idx]}" state_mode_item="${state_mode_list[state_idx]}"
# shellcheck disable=SC2086
chown ${verbose} -- "${state_user_owner_item}:${state_group_owner_item}" \ chown ${verbose} -- "${state_user_owner_item}:${state_group_owner_item}" \
"${undo_file}" || exit_code=202 "${undo_file}" || exit_code=202
## chmod needs to be run after chown since chown removes suid. ## chmod needs to be run after chown since chown removes suid.
# shellcheck disable=SC2086
chmod ${verbose} "${state_mode_item}" "${undo_file}" || exit_code=203 chmod ${verbose} "${state_mode_item}" "${undo_file}" || exit_code=203
else else
log info "File does not exist: '${undo_file}'" log info "File does not exist: '${undo_file}'"
@ -708,8 +732,8 @@ undo_policy_for_file() {
fi fi
done done
if ! [[ "${did_undo}" = 'false' ]]; then if [ "${did_undo}" = 'false' ]; then
log info "The specified file is not hardened, leaving unchanged. log notice "The specified file is not hardened, leaving unchanged.
File '${undo_file}' has not been removed from SUID Disabler and Permission Hardener during this invocation. This is expected if no policy was ever applied to the file before. File '${undo_file}' has not been removed from SUID Disabler and Permission Hardener during this invocation. This is expected if no policy was ever applied to the file before.
@ -797,7 +821,11 @@ print_raw_state() {
for state_file in "${store_dir}/existing_mode/statoverride" \ for state_file in "${store_dir}/existing_mode/statoverride" \
"${store_dir}/new_mode/statoverride"; do "${store_dir}/new_mode/statoverride"; do
echo "*** begin ${state_file} ***" echo "*** begin ${state_file} ***"
cat "${state_file}" if [ -f "${state_file}" ]; then
cat "${state_file}"
else
echo '(file does not exist)'
fi
echo "*** end ${state_file} ***" echo "*** end ${state_file} ***"
done done
} }
@ -826,12 +854,17 @@ print_fs_audit() {
## group is the string we want. BASH_REMATCH[0] is the entire string, ## group is the string we want. BASH_REMATCH[0] is the entire string,
## BASH_REMATCH[1] is the first match that we want to discard, and ## BASH_REMATCH[1] is the first match that we want to discard, and
## BASH_REMATCH[2] is the desired second group. ## BASH_REMATCH[2] is the desired second group.
[[ "${state_mode_item}" =~ ^(0*)(.*) ]] || true; if [[ "${state_mode_item}" =~ ^(0*)(.*) ]]; then
state_mode_item="${BASH_REMATCH[2]}" state_mode_item="${BASH_REMATCH[2]}"
else
exit_code=208
log error "'Impossible' regex match failure in print_fs_audit! Regex: '^(0*)(.*)' String (state_mode_item): '${state_mode_item}'" >&2
exit "${exit_code}"
fi
output_stat "${state_file_item}" output_stat "${state_file_item}"
if [ -z "${file_name_from_stat}" ]; then if [ -z "${file_name_from_stat}" ]; then
echo "... '${file_name_from_stat}' does not exist" echo "... '${state_file_item}' does not exist"
continue continue
fi fi