Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie'

debian/security-misc-shared.install

@@ -56,6 +56,8 @@ usr/libexec/security-misc/disable-kernel-module-loading#security-misc-shared =>
 usr/libexec/security-misc/hide-hardware-info#security-misc-shared => /usr/libexec/security-misc/hide-hardware-info
 usr/libexec/security-misc/virusforget#security-misc-shared => /usr/libexec/security-misc/virusforget
 usr/libexec/security-misc/pam_faillock_not_if_x#security-misc-shared => /usr/libexec/security-misc/pam_faillock_not_if_x
+usr/libexec/security-misc/block-unsafe-logins#security-misc-shared => /usr/libexec/security-misc/block-unsafe-logins
+usr/libexec/security-misc/kill-vboxdrmclient-on-shutdown#security-misc-shared => /usr/libexec/security-misc/kill-vboxdrmclient-on-shutdown
 usr/src/security-misc/emerg-shutdown.c#security-misc-shared => /usr/src/security-misc/emerg-shutdown.c
 usr/bin/disabled-gps-by-security-misc#security-misc-shared => /usr/bin/disabled-gps-by-security-misc
 usr/bin/disabled-netfilesys-by-security-misc#security-misc-shared => /usr/bin/disabled-netfilesys-by-security-misc
@@ -89,6 +91,7 @@ usr/lib/systemd/system/remount-secure.service#security-misc-shared => /usr/lib/s
 usr/lib/systemd/system/ensure-shutdown.service#security-misc-shared => /usr/lib/systemd/system/ensure-shutdown.service
 usr/lib/systemd/system/sysinit-post.target#security-misc-shared => /usr/lib/systemd/system/sysinit-post.target
 usr/lib/systemd/system/ensure-shutdown-trigger.service#security-misc-shared => /usr/lib/systemd/system/ensure-shutdown-trigger.service
+usr/lib/systemd/system/kill-vboxdrmclient-on-shutdown.service#security-misc-shared => /usr/lib/systemd/system/kill-vboxdrmclient-on-shutdown.service
 usr/lib/systemd/user/usbguard-notifier.service.d/30_security-misc.conf#security-misc-shared => /usr/lib/systemd/user/usbguard-notifier.service.d/30_security-misc.conf
 usr/lib/systemd/pstore.conf.d/30_security-misc.conf#security-misc-shared => /usr/lib/systemd/pstore.conf.d/30_security-misc.conf
 usr/lib/udev/rules.d/95-emerg-shutdown.rules#security-misc-shared => /usr/lib/udev/rules.d/95-emerg-shutdown.rules
@@ -129,6 +132,7 @@ usr/share/pam-configs/unix-faillock-security-misc#security-misc-shared => /usr/s
 usr/share/pam-configs/console-lockdown-security-misc#security-misc-shared => /usr/share/pam-configs/console-lockdown-security-misc
 usr/share/pam-configs/mkhomedir-security-misc#security-misc-shared => /usr/share/pam-configs/mkhomedir-security-misc
 usr/share/pam-configs/pam-abort-on-locked-password-security-misc#security-misc-shared => /usr/share/pam-configs/pam-abort-on-locked-password-security-misc
+usr/share/pam-configs/block-unsafe-logins-security-misc#security-misc-shared => /usr/share/pam-configs/block-unsafe-logins-security-misc
 usr/share/lintian/overrides/security-misc-shared#security-misc-shared => /usr/share/lintian/overrides/security-misc-shared
 usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf#security-misc-shared => /usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf
 usr/share/security-misc/lkrg/lkrg-virtualbox#security-misc-shared => /usr/share/security-misc/lkrg/lkrg-virtualbox

usr/lib/systemd/system/kill-vboxdrmclient-on-shutdown.service#security-misc-shared

@@ -0,0 +1,15 @@
+## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+[Unit]
+Description=kill VBoxDRMClient during shutdown to allow /tmp to be unmounted properly
+ConditionVirtualization=oracle
+
+[Service]
+Type=oneshot
+RemainAfterExit=true
+ExecStart=true
+ExecStop=/usr/libexec/security-misc/kill-vboxdrmclient-on-shutdown
+
+[Install]
+WantedBy=multi-user.target

usr/libexec/security-misc/block-unsafe-logins#security-misc-shared

@@ -0,0 +1,107 @@
+#!/bin/bash
+
+## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+set -o errexit
+set -o nounset
+set -o errtrace
+set -o pipefail
+
+if [ -z "${PAM_USER:-}" ]; then
+  true "$0: ERROR: Environment variable PAM_USER is unset!"
+  exit 0
+fi
+
+kernel_cmdline=''
+if [ -r /proc/cmdline ]; then
+  kernel_cmdline="$(cat /proc/cmdline)"
+elif [ -r /proc/1/cmdline ]; then
+  kernel_cmdline="$(cat /proc/1/cmdline)"
+fi
+
+if [[ "$kernel_cmdline" =~ 'boot-role=sysmaint' ]]; then
+  if [ "$PAM_USER" != 'sysmaint' ]; then
+    printf '%s\n' 'ERROR: Rejecting non-sysmaint account in sysmaint mode!'
+    exit 1
+  fi
+  true 'INFO: Running in sysmaint mode and logging into sysmaint account, allowing authentication to proceed.'
+  exit 0
+else
+  if ! output="$(/usr/libexec/helper-scripts/get-user-list)"; then
+    printf '%s\n' 'ERROR: Failed to get user list!'
+    exit 1
+  fi
+  readarray -t user_list <<< "$output"
+  if [ "${#user_list[@]}" = '0' ] || [ -z "${user_list[0]}" ]; then
+    printf '%s\n' 'ERROR: No user accounts found!'
+    exit 1
+  fi
+
+  ## Minor race condition here, quick deletion of users during this process
+  ## could result in user_list and passwd_status_list becoming misaligned. This
+  ## attack would require root privileges to execute though, so this is likely
+  ## not a concern. We do this before checking if $PAM_USER is in the list of
+  ## interactive users to keep the race window as short as possible.
+  if ! output="$(/usr/libexec/helper-scripts/get-password-status-list)"; then
+    printf '%s\n' 'ERROR: Failed to get password status list!'
+    eixt 1
+  fi
+  readarray -t passwd_status_list <<< "$output"
+  if [ "${#passwd_status_list[@]}" = '0' ] \
+    || [ -z "${passwd_status_list[0]}" ] \
+    || (( ${#passwd_status_list[@]} != ${#user_list[@]} )); then
+    printf '%s\n' 'ERROR: Unexpected number of password status entries!'
+    exit 1
+  fi
+
+  if [ "$PAM_USER" = 'sysmaint' ]; then
+    printf '%s\n' 'ERROR: Rejecting sysmaint account in user mode!'
+    exit 1
+  fi
+
+  interactive_user_idx='-1'
+  for user_idx in "${!user_list[@]}"; do
+    if [ "${user_list[user_idx]}" = "$PAM_USER" ]; then
+      interactive_user_idx="$user_idx"
+      break
+    fi
+  done
+  if [ "$interactive_user_idx" = '-1' ]; then
+    ## This isn't a user account we care about (it's not an interactive
+    ## account), therefore allow authentication to proceed.
+    true "INFO: Account '$PAM_USER' is not an interactive account, allowing authentication to proceed."
+    exit 0
+  fi
+
+  IFS=' ' read -r -a user_gid_list < <(id -G "$PAM_USER")
+  sensitive_group_list=( 'sudo' 'root' 'sysmaint' )
+  is_user_sensitive='false'
+
+  for sensitive_group in "${sensitive_group_list[@]}"; do
+    sensitive_gid="$(accountctl "$sensitive_group" get-entry group gid)"
+    for user_gid in "${user_gid_list[@]}"; do
+      if [ "$sensitive_gid" = "$user_gid" ]; then
+        is_user_sensitive='true'
+        break
+      fi
+    done
+    if [ "$is_user_sensitive" = 'true' ]; then
+      break
+    fi
+  done
+
+  if [ "$is_user_sensitive" = 'true' ]; then
+    if [ "${passwd_status_list[interactive_user_idx]}" = 'Absent' ]; then
+      ## User account is sensitive and passwordless, deny authentication
+      printf '%s\n' "ERROR: Rejecting passwordless sensitive account '$PAM_USER'!"
+      exit 1
+    else
+      true "INFO: Account '$PAM_USER' is sensitive but protected, allowing authentication to proceed."
+      exit 0
+    fi
+  fi
+
+  true "INFO: Account '$PAM_USER' is not sensitive, allowing authentication to proceed."
+  exit 0
+fi

usr/libexec/security-misc/kill-vboxdrmclient-on-shutdown#security-misc-shared

@@ -0,0 +1,29 @@
+#!/bin/bash
+
+## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See file COPYING for copying conditions.
+
+set -o errexit
+set -o nounset
+set -o errtrace
+set -o pipefail
+
+vboxdrmclient_sock='/tmp/.iprt-localipc-DRMIpcServer'
+
+if ! [ -S "$vboxdrmclient_sock" ]; then
+  printf '%s\n' "'$vboxdrmclient_sock' does not exist or is not a socket, ok."
+  exit 0
+fi
+
+sock_pid="$(/usr/libexec/helper-scripts/query-sock-pid "$vboxdrmclient_sock")" || true
+if [ -z "$sock_pid" ]; then
+  printf '%s\n' "Cannot get PID listening on '$vboxdrmclient_sock', ok."
+  exit 0
+fi
+if kill -SIGKILL "$sock_pid"; then
+  printf '%s\n' "Killed VBoxDRMClient ('$sock_pid'), ok."
+  exit 0
+fi
+
+printf '%s\n' "ERROR: Could not kill VBoxDRMClient ('$sock_pid')!"
+exit 1

usr/share/pam-configs/block-unsafe-logins-security-misc#security-misc-shared

@@ -0,0 +1,6 @@
+Name: block unsafe passwordless login (by package security-misc-shared)
+Default: yes
+Priority: 1100
+Auth-Type: Primary
+Auth:
+	requisite	pam_exec.so	seteuid stdout /usr/libexec/security-misc/block-unsafe-logins