Merge pull request #34 from madaidan/whitelist

Add a whitelist for /sys and /proc/cpuinfo
This commit is contained in:
Patrick Schleizer 2019-10-17 09:59:12 +00:00 committed by GitHub
commit 8a42c5b023
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 67 additions and 1 deletions

View File

@ -30,6 +30,8 @@ case "$1" in
esac esac
addgroup root sudo addgroup root sudo
addgroup --system sysfs
addgroup --system cpuinfo
pam-auth-update --package pam-auth-update --package

View File

@ -0,0 +1,8 @@
## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
## Disable the /sys whitelist.
#sysfs_whitelist=0
## Disable the /proc/cpuinfo whitelist.
#cpuinfo_whitelist=0

View File

@ -0,0 +1,2 @@
[Service]
SupplementaryGroups=sysfs

View File

@ -3,6 +3,42 @@
## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net> ## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions. ## See the file COPYING for copying conditions.
sysfs_whitelist=1
cpuinfo_whitelist=1
## Allows for disabling the whitelist.
for i in /etc/hide-hardware-info.d/*.conf
do
source "${i}"
done
create_whitelist() {
if [ "${1}" = "sysfs" ]; then
whitelist_path="/sys"
elif [ "${1}" = "cpuinfo" ]; then
whitelist_path="/proc/cpuinfo"
else
echo "ERROR: ${1} is not a correct parameter."
exit 1
fi
if grep -q "${1}" /etc/group; then
chmod o-rwx "${whitelist_path}"
chgrp -fR "${1}" "${whitelist_path}"
## Changing the permissions of /sys recursively
## causes errors as the permissions of /sys/kernel/debug
## and /sys/fs/cgroup cannot be changed which makes
## systemd say the service has failed even though
## everything has completed successfully. So, this
## returns "0" instead which makes systemd say the
## service has succeeded.
return 0
else
echo "ERROR: The ${1} group does not exist, the ${1} whitelist was not created."
fi
}
## sysfs and debugfs expose a lot of information ## sysfs and debugfs expose a lot of information
## that should not be accessible by an unprivileged ## that should not be accessible by an unprivileged
## user which includes hardware info, debug info and ## user which includes hardware info, debug info and
@ -13,7 +49,25 @@
for i in /proc/cpuinfo /proc/bus /proc/scsi /sys for i in /proc/cpuinfo /proc/bus /proc/scsi /sys
do do
if [ -e "${i}" ]; then if [ -e "${i}" ]; then
if [ "${i}" = "/sys" ]; then
## Whitelist for /sys.
if [ "${sysfs_whitelist}" = "1" ]; then
create_whitelist sysfs
else
chmod og-rwx /sys
echo "INFO: The sysfs whitelist is not enabled. Some things may not work properly."
fi
elif [ "${i}" = "/proc/cpuinfo" ]; then
## Whitelist for /proc/cpuinfo.
if [ "${cpuinfo_whitelist}" = "1" ]; then
create_whitelist cpuinfo
else
chmod og-rwx /proc/cpuinfo
echo "INFO: The cpuinfo whitelist is not enabled. Some things may not work properly."
fi
else
chmod og-rwx "${i}" chmod og-rwx "${i}"
fi
else else
## /proc/scsi doesn't exist on Debian so errors ## /proc/scsi doesn't exist on Debian so errors
## are expected here. ## are expected here.