mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-10-01 08:25:45 -04:00
Merge pull request #34 from madaidan/whitelist
Add a whitelist for /sys and /proc/cpuinfo
This commit is contained in:
commit
8a42c5b023
2
debian/security-misc.postinst
vendored
2
debian/security-misc.postinst
vendored
@ -30,6 +30,8 @@ case "$1" in
|
|||||||
esac
|
esac
|
||||||
|
|
||||||
addgroup root sudo
|
addgroup root sudo
|
||||||
|
addgroup --system sysfs
|
||||||
|
addgroup --system cpuinfo
|
||||||
|
|
||||||
pam-auth-update --package
|
pam-auth-update --package
|
||||||
|
|
||||||
|
8
etc/hide-hardware-info.d/30_whitelist.conf
Normal file
8
etc/hide-hardware-info.d/30_whitelist.conf
Normal file
@ -0,0 +1,8 @@
|
|||||||
|
## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
|
||||||
|
## See the file COPYING for copying conditions.
|
||||||
|
|
||||||
|
## Disable the /sys whitelist.
|
||||||
|
#sysfs_whitelist=0
|
||||||
|
|
||||||
|
## Disable the /proc/cpuinfo whitelist.
|
||||||
|
#cpuinfo_whitelist=0
|
2
lib/systemd/system/user@.service.d/sysfs.conf
Normal file
2
lib/systemd/system/user@.service.d/sysfs.conf
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
[Service]
|
||||||
|
SupplementaryGroups=sysfs
|
@ -3,6 +3,42 @@
|
|||||||
## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
|
## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
|
||||||
## See the file COPYING for copying conditions.
|
## See the file COPYING for copying conditions.
|
||||||
|
|
||||||
|
sysfs_whitelist=1
|
||||||
|
cpuinfo_whitelist=1
|
||||||
|
|
||||||
|
## Allows for disabling the whitelist.
|
||||||
|
for i in /etc/hide-hardware-info.d/*.conf
|
||||||
|
do
|
||||||
|
source "${i}"
|
||||||
|
done
|
||||||
|
|
||||||
|
create_whitelist() {
|
||||||
|
if [ "${1}" = "sysfs" ]; then
|
||||||
|
whitelist_path="/sys"
|
||||||
|
elif [ "${1}" = "cpuinfo" ]; then
|
||||||
|
whitelist_path="/proc/cpuinfo"
|
||||||
|
else
|
||||||
|
echo "ERROR: ${1} is not a correct parameter."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
if grep -q "${1}" /etc/group; then
|
||||||
|
chmod o-rwx "${whitelist_path}"
|
||||||
|
chgrp -fR "${1}" "${whitelist_path}"
|
||||||
|
|
||||||
|
## Changing the permissions of /sys recursively
|
||||||
|
## causes errors as the permissions of /sys/kernel/debug
|
||||||
|
## and /sys/fs/cgroup cannot be changed which makes
|
||||||
|
## systemd say the service has failed even though
|
||||||
|
## everything has completed successfully. So, this
|
||||||
|
## returns "0" instead which makes systemd say the
|
||||||
|
## service has succeeded.
|
||||||
|
return 0
|
||||||
|
else
|
||||||
|
echo "ERROR: The ${1} group does not exist, the ${1} whitelist was not created."
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
## sysfs and debugfs expose a lot of information
|
## sysfs and debugfs expose a lot of information
|
||||||
## that should not be accessible by an unprivileged
|
## that should not be accessible by an unprivileged
|
||||||
## user which includes hardware info, debug info and
|
## user which includes hardware info, debug info and
|
||||||
@ -13,7 +49,25 @@
|
|||||||
for i in /proc/cpuinfo /proc/bus /proc/scsi /sys
|
for i in /proc/cpuinfo /proc/bus /proc/scsi /sys
|
||||||
do
|
do
|
||||||
if [ -e "${i}" ]; then
|
if [ -e "${i}" ]; then
|
||||||
|
if [ "${i}" = "/sys" ]; then
|
||||||
|
## Whitelist for /sys.
|
||||||
|
if [ "${sysfs_whitelist}" = "1" ]; then
|
||||||
|
create_whitelist sysfs
|
||||||
|
else
|
||||||
|
chmod og-rwx /sys
|
||||||
|
echo "INFO: The sysfs whitelist is not enabled. Some things may not work properly."
|
||||||
|
fi
|
||||||
|
elif [ "${i}" = "/proc/cpuinfo" ]; then
|
||||||
|
## Whitelist for /proc/cpuinfo.
|
||||||
|
if [ "${cpuinfo_whitelist}" = "1" ]; then
|
||||||
|
create_whitelist cpuinfo
|
||||||
|
else
|
||||||
|
chmod og-rwx /proc/cpuinfo
|
||||||
|
echo "INFO: The cpuinfo whitelist is not enabled. Some things may not work properly."
|
||||||
|
fi
|
||||||
|
else
|
||||||
chmod og-rwx "${i}"
|
chmod og-rwx "${i}"
|
||||||
|
fi
|
||||||
else
|
else
|
||||||
## /proc/scsi doesn't exist on Debian so errors
|
## /proc/scsi doesn't exist on Debian so errors
|
||||||
## are expected here.
|
## are expected here.
|
||||||
|
Loading…
Reference in New Issue
Block a user