Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie'

debian/security-misc.displace

@@ -3,3 +3,4 @@
 
 /etc/securetty.security-misc
 /etc/security/faillock.conf.security-misc
+/etc/usbguard/usbguard-daemon.conf.security-misc

debian/security-misc.postinst

@@ -95,6 +95,9 @@ case "$1" in
         if test -f /etc/usbguard/rules.d/30_security-misc.conf; then
           chmod 0600 /etc/usbguard/rules.d/30_security-misc.conf || true
         fi
+        if test -f /etc/usbguard/usbguard-daemon.conf.security-misc; then
+          chmod 0600 /etc/usbguard/usbguard-daemon.conf.security-misc || true
+        fi
     ;;
 
     abort-upgrade|abort-remove|abort-deconfigure)

etc/modprobe.d/30_security-misc_disable.conf

@@ -308,3 +308,15 @@ install prism54 /usr/bin/disabled-miscellaneous-by-security-misc
 ## https://github.com/Kicksecure/security-misc/issues/298
 ##
 #install vivid /usr/bin/disabled-miscellaneous-by-security-misc
+
+## RNDIS:
+## Disable the RNDIS drivers used by some network devices (common with Android
+## USB tethering). RNDIS as a protocol is believed to have supposedly
+## unfixable buffer overflow issues and may be impossible to implement in a
+## secure fashion.
+##
+## https://lkml.org/lkml/2022/11/23/728
+## https://lore.kernel.org/lkml/2023071333-wildly-playroom-878b@gregkh/
+##
+install rndis_host /usr/bin/disabled-miscellaneous-by-security-misc
+install usb_f_rndis /usr/bin/disabled-miscellaneous-by-security-misc

etc/usbguard/rules.d/30_security-misc.conf

@@ -19,6 +19,15 @@ allow with-interface equals { 03:01:02 } if !allowed-matches(with-interface equa
 ## and keyboards. Also note, all HID devices other than mice and keyboards
 ## will be blocked, **including touchscreens.**
 
+## Allow USB audio devices. The intended functionality of these devices is
+## unlikely to be usable in a malicious capacity without having already
+## compromised the machine.
+allow with-interface equals { 01:*:* }
+
+## Allow USB video devices (i.e. webcams). Also tricky to use in a malicious
+## manner without having already compromised the machine.
+allow with-interface equals { 0e:*:* }
+
 ## Explicitly reject any device with a mouse/keyboard interface in
 ## combination with some other interface.
 ## Mice and keyboards should likely never have non-HID interfaces provided
@@ -48,6 +57,10 @@ reject with-interface all-of { 03:*:* ef:*:* }
 reject with-interface all-of { 03:*:* fe:*:* }
 reject with-interface all-of { 03:*:* ff:*:* }
 
+## Explicitly reject any device with an RNDIS interface. RNDIS is believed to
+## have protocol-level buffer overflow vulnerabilities that cannot be fixed.
+reject with-interface one-of { ef:04:* }
+
 ## Allow USB mass storage, if and only if the USB device only has the mass
 ## storage interface and nothing extra.
 ## Suspicious interface combinations with mass storage are blocked.

etc/usbguard/usbguard-daemon.conf.security-misc

@@ -0,0 +1,218 @@
+#
+# Rule set file path.
+#
+# The USBGuard daemon will use this file to load the policy
+# rule set from it and to write new rules received via the
+# IPC interface.
+#
+# RuleFile=/path/to/rules.conf
+#
+RuleFile=/etc/usbguard/rules.conf
+
+#
+# Rule set folder path.
+#
+# The USBGuard daemon will use this folder to load the policy
+# rule set from it and to write new rules received via the
+# IPC interface. Usually, we set the option to
+# /etc/usbguard/rules.d/. The USBGuard daemon is supposed to
+# behave like any other standard Linux daemon therefore it
+# loads rule files in alpha-numeric order. File names inside
+# RuleFolder directory should start with a two-digit number
+# prefix indicating the position, in which the rules are
+# scanned by the daemon.
+#
+# RuleFolder=/path/to/rulesfolder/
+#
+RuleFolder=/etc/usbguard/rules.d/
+
+
+
+#
+# Implicit policy target.
+#
+# How to treat devices that don't match any rule in the
+# policy. One of:
+#
+# * allow  - authorize the device
+# * block  - block the device
+# * reject - remove the device
+#
+ImplicitPolicyTarget=block
+
+#
+# Present device policy.
+#
+# How to treat devices that are already connected when the
+# daemon starts. One of:
+#
+# * allow        - authorize every present device
+# * block        - deauthorize every present device
+# * reject       - remove every present device
+# * keep         - just sync the internal state and leave it
+# * apply-policy - evaluate the ruleset for every present
+#                  device
+#
+# Overridden by Kicksecure to allow all devices that are connected at startup.
+#
+PresentDevicePolicy=allow
+
+#
+# Present controller policy.
+#
+# How to treat USB controllers that are already connected
+# when the daemon starts. One of:
+#
+# * allow        - authorize every present device
+# * block        - deauthorize every present device
+# * reject       - remove every present device
+# * keep         - just sync the internal state and leave it
+# * apply-policy - evaluate the ruleset for every present
+#                  device
+#
+PresentControllerPolicy=keep
+
+#
+# Inserted device policy.
+#
+# How to treat USB devices that are already connected
+# *after* the daemon starts. One of:
+#
+# * block        - deauthorize every present device
+# * reject       - remove every present device
+# * apply-policy - evaluate the ruleset for every present
+#                  device
+#
+InsertedDevicePolicy=apply-policy
+
+#
+# Control which devices are authorized by default.
+#
+# The USBGuard daemon modifies some the default authorization state attributes
+# of controller devices. This setting, enables you to define what value the
+# default authorization is set to.
+#
+# * keep         - do not change the authorization state
+# * none         - every new device starts out deauthorized
+# * all          - every new device starts out authorized
+# * internal     - internal devices start out authorized, external devices start
+#                  out deauthorized (this requires the ACPI tables to properly
+#                  label internal devices, and kernel support)
+#
+AuthorizedDefault=none
+
+#
+# Restore controller device state.
+#
+# The USBGuard daemon modifies some attributes of controller
+# devices like the default authorization state of new child device
+# instances. Using this setting, you can control whether the
+# daemon will try to restore the attribute values to the state
+# before modification on shutdown.
+#
+# SECURITY CONSIDERATIONS: If set to true, the USB authorization
+# policy could be bypassed by performing some sort of attack on the
+# daemon (via a local exploit or via a USB device) to make it shutdown
+# and restore to the operating-system default state (known to be permissive).
+#
+RestoreControllerDeviceState=false
+
+#
+# Device manager backend
+#
+# Which device manager backend implementation to use. One of:
+#
+# * uevent   - Netlink based implementation which uses sysfs to scan for present
+#              devices and an uevent netlink socket for receiving USB device
+#              related events.
+# * umockdev - umockdev based device manager capable of simulating devices based
+#              on umockdev-record files. Useful for testing.
+#
+DeviceManagerBackend=uevent
+
+#!!! WARNING: It's good practice to set at least one of the !!!
+#!!!          two options below. If none of them are set,   !!!
+#!!!          the daemon will accept IPC connections from   !!!
+#!!!          anyone, thus allowing anyone to modify the    !!!
+#!!!          rule set and (de)authorize USB devices.       !!!
+
+#
+# Users allowed to use the IPC interface.
+#
+# A space delimited list of usernames that the daemon will
+# accept IPC connections from.
+#
+# IPCAllowedUsers=username1 username2 ...
+#
+IPCAllowedUsers=root
+
+#
+# Groups allowed to use the IPC interface.
+#
+# A space delimited list of groupnames that the daemon will
+# accept IPC connections from.
+#
+# IPCAllowedGroups=groupname1 groupname2 ...
+#
+IPCAllowedGroups=root plugdev
+
+#
+# IPC access control definition files path.
+#
+# The files at this location will be interpreted by the USBGuard
+# daemon as access control definition files for the IPC interface.
+# The (base)name of a file should be in the form:
+#
+#   [user][:<group>]
+#
+# where user is either username or UID and group is either groupname or GID.
+# IPC access control files should contain lines in the form:
+#
+#   <section>=[privilege1][,privilege2] ...
+#
+# This way each file defines who is able to connect to the IPC
+# bus and what privileges he has. Note that the IPC access control
+# files need to have file permissions set to 0600.
+#
+IPCAccessControlFiles=/etc/usbguard/IPCAccessControl.d/
+
+#
+# Generate device specific rules including the "via-port"
+# attribute.
+#
+# This option modifies the behavior of the allowDevice
+# action. When instructed to generate a permanent rule,
+# the action can generate a port specific rule. Because
+# some systems have unstable port numbering, the generated
+# rule might not match the device after rebooting the system.
+#
+# If set to false, the generated rule will still contain
+# the "parent-hash" attribute which also defines an association
+# to the parent device. See usbguard-rules.conf(5) for more
+# details.
+#
+DeviceRulesWithPort=false
+
+#
+# USBGuard Audit events log backend
+#
+# One of:
+#
+# * FileAudit - Log audit events into a file specified by
+#               AuditFilePath setting (see below)
+# * LinuxAudit - Log audit events using the Linux Audit
+#                subsystem (using audit_log_user_message)
+#
+AuditBackend=FileAudit
+
+#
+# USBGuard audit events log file path.
+#
+AuditFilePath=/var/log/usbguard/usbguard-audit.log
+
+#
+# Hides personally identifiable information such as device serial numbers and
+# hashes of descriptors (which include the serial number) from audit entries.
+#
+HidePII=false
+