move from /etc/permission-hardener.d to /usr/lib/permission-hardener.d

usr/lib/permission-hardener.d/25_default_passwd.conf

@@ -0,0 +1,14 @@
+## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+# Keep the `passwd` utility executable to prevent issues with the
+# /usr/libexec/security-misc/pam-abort-on-locked-password script blocking
+# user logins with `su` and KScreenLocker
+#
+# See also: https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#passwd
+/usr/bin/passwd 0755 root root
+/bin/passwd 0755 root root

usr/lib/permission-hardener.d/25_default_sudo.conf

@@ -0,0 +1,20 @@
+## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+## https://forums.whonix.org/t/restrict-root-access/7658/116
+## This restricts the file permissions of the sudo executable so that a vulnerability
+## in the program will not be exploitable by any users not in the "sudo" group. sudo
+## is a very complex program and is setuid so vulnerabilities in it can allow privilege
+## escalation, regardless of other root access restrictions. For example, the following
+## buffer overflow vulnerability could have been exploited by any user on the system:
+## https://www.openwall.com/lists/oss-security/2021/01/26/3
+## With this restriction, only users explicitly permitted to use sudo by being added to
+## the "sudo" group could exploit such vulnerabilities. For example, this would prevent a
+## compromised network-facing daemon (such as web servers, time synchronization daemons,
+## etc.) running as its own user from exploiting sudo to escalate privileges.
+#/usr/bin/sudo 4750 root sudo
+#/bin/sudo 4750 root sudo

usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf

@@ -0,0 +1,9 @@
+## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+/usr/bin/bwrap exactwhitelist
+/bin/bwrap exactwhitelist

usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf

@@ -0,0 +1,8 @@
+## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+chrome-sandbox matchwhitelist

usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf

@@ -0,0 +1,8 @@
+## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+dbus-daemon-launch-helper matchwhitelist

usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf

@@ -0,0 +1,11 @@
+## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+## There is a controversy about firejail but those who choose to install it
+## should be able to use it.
+## https://www.whonix.org/wiki/Dev/Firejail#Security
+/usr/bin/firejail exactwhitelist

usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf

@@ -0,0 +1,10 @@
+## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+## required for AppImages such as electrum Bitcoin wallet
+## https://forums.whonix.org/t/disable-suid-binaries/7706/57
+/fusermount matchwhitelist

usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf

@@ -0,0 +1,9 @@
+## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+libhardened_malloc.so matchwhitelist
+libhardened_malloc-light.so matchwhitelist

usr/lib/permission-hardener.d/25_default_whitelist_mount.conf

@@ -0,0 +1,21 @@
+## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+## https://forums.whonix.org/t/disable-suid-binaries/7706/61
+## Protect from 'chmod -x' (and SUID removal).
+## SUID will be removed below in separate step.
+/bin/mount exactwhitelist
+/usr/bin/mount exactwhitelist
+/bin/umount exactwhitelist
+/usr/bin/umount exactwhitelist
+
+## Remove SUID from 'mount' but keep executable.
+## https://forums.whonix.org/t/disable-suid-binaries/7706/61
+/bin/mount 755 root root
+/usr/bin/mount 755 root root
+/bin/umount 755 root root
+/usr/bin/umount 755 root root

usr/lib/permission-hardener.d/25_default_whitelist_pam.conf

@@ -0,0 +1,9 @@
+## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+## Without this, Xfce fails to start with a dbus-launch error.
+pam-tmpdir-helper matchwhitelist

usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf

@@ -0,0 +1,17 @@
+## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+/usr/bin/pkexec exactwhitelist
+/bin/pkexec exactwhitelist
+/usr/bin/pkexec.security-misc-orig exactwhitelist
+/bin/pkexec.security-misc-orig exactwhitelist
+
+## TODO: research
+## match both:
+#/usr/lib/policykit-1/polkit-agent-helper-1 matchwhitelist
+#/lib/policykit-1/polkit-agent-helper-1
+polkit-agent-helper-1 matchwhitelist

usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf

@@ -0,0 +1,9 @@
+## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+postqueue matchwhitelist
+postdrop matchwhitelist

usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf

@@ -0,0 +1,18 @@
+## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+## TODO: research
+## https://github.com/QubesOS/qubes-core-agent-linux/blob/master/qubes-rpc/qfile-unpacker.c
+##
+## Qubes upstream security issue:
+## qfile-unpacker allows unprivileged users in VMs to gain root privileges
+## https://github.com/QubesOS/qubes-issues/issues/8633
+##
+## match both:
+#/usr/lib/qubes/qfile-unpacker whitelist
+#/lib/qubes/qfile-unpacker
+qfile-unpacker matchwhitelist

usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf

@@ -0,0 +1,8 @@
+## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+/utempter/utempter matchwhitelist

usr/lib/permission-hardener.d/25_default_whitelist_spice.conf

@@ -0,0 +1,8 @@
+## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+spice-client-glib-usb-acl-helper matchwhitelist

usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf

@@ -0,0 +1,11 @@
+## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+## TODO: research
+ssh-agent matchwhitelist
+ssh-keysign matchwhitelist
+/lib/openssh matchwhitelist

usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf

@@ -0,0 +1,9 @@
+## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+/usr/bin/sudo exactwhitelist
+/bin/sudo exactwhitelist

usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf

@@ -0,0 +1,11 @@
+## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+## required for performing password validation from unprivileged user
+## processes such as KScreenLocker's unlock prompt
+/usr/sbin/unix_chkpwd exactwhitelist
+/sbin/unix_chkpwd exactwhitelist

usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf

@@ -0,0 +1,16 @@
+## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+## TODO: research
+/usr/lib/virtualbox/ matchwhitelist
+/lib/virtualbox/ matchwhitelist
+VirtualBoxVM matchwhitelist
+VBoxSDL matchwhitelist
+VBoxNetNAT matchwhitelist
+VBoxNetDHCP matchwhitelist
+VBoxHeadless matchwhitelist
+VBoxNetAdpCtl matchwhitelist

usr/lib/permission-hardener.d/30_default.conf

@@ -0,0 +1,122 @@
+## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+## File permission hardening.
+##
+## Syntax:
+## [filename] [mode] [owner] [group] [capability]
+## [filename] [exactwhitelist|matchwhitelist|disablewhitelist|nosuid]
+##
+## TODO: white spaces inside file name untested and probably will not work.
+
+######################################################################
+# Global Settings
+######################################################################
+
+#whitelists_disable_all=true
+
+######################################################################
+# SUID disables below (or in lexically higher) files: disablewhitelist
+######################################################################
+
+## For example, if you are not using SELinux the following might make sense to
+## enable. TODO: research
+#/utempter/utempter disablewhitelist
+
+## If you are not going to use AppImages such as electrum Bitcoin wallet.
+#/fusermount disablewhitelist
+
+######################################################################
+# SUID whitelist matches full path: exactwhitelist
+######################################################################
+
+## In case you need to use 'su'. See also:
+## https://www.kicksecure.com/wiki/root#su
+#/usr/bin/su exactwhitelist
+
+## https://manpages.debian.org/xserver-xorg-legacy/Xorg.wrap.1.en.html
+## https://lwn.net/Articles/590315/
+## https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706/35
+#/usr/lib/xorg/Xorg.wrap whitelist
+
+######################################################################
+# SUID whitelist matches in any section of the path: matchwhitelist
+######################################################################
+
+## Examples below are already configured:
+#ssh-agent matchwhitelist
+#/usr/lib/openssh matchwhitelist
+
+######################################################################
+# Permission Hardening
+######################################################################
+
+/home/ 0755 root root
+/root/ 0700 root root
+/boot/ 0700 root root
+/etc/permission-hardener.d 0600 root root
+/usr/local/etc/permission-hardener.d 0600 root root
+/usr/lib/modules/ 0700 root root
+/usr/src 0700 root root
+/etc/cups/cupsd.conf 0400 root root
+/etc/syslog.conf 0600 root root
+/etc/ssh/sshd_config 0600 root root
+/etc/crontab 0600 root root
+/etc/cron.d 0700 root root
+/etc/cron.daily 0700 root root
+/etc/sudoers.d 0700 root root
+/etc/cron.hourly 0700 root root
+/etc/cron.weekly 0700 root root
+/etc/cron.monthly 0700 root root
+/etc/group 0644 root root
+/etc/group- 0644 root root
+/etc/hosts.allow 0644 root root
+/etc/hosts.deny 0644 root root
+/etc/issue 0644 root root
+/etc/issue.net 0644 root root
+/etc/motd 0644 root root
+/etc/passwd 0644 root root
+/etc/passwd- 0644 root root
+
+######################################################################
+# SUID/SGID Removal: nosuid
+######################################################################
+
+## To remove all SUID/SGID binaries in a directory, you can use the "nosuid"
+## argument.
+##
+## Remove all SUID/SGID binaries/libraries.
+
+/opt/ nosuid
+/usr/bin/ nosuid
+/usr/lib32/ nosuid
+/usr/lib64/ nosuid
+/usr/lib/ nosuid
+/usr/local/bin/ nosuid
+/usr/local/lib32/ nosuid
+/usr/local/lib64/ nosuid
+/usr/local/lib/ nosuid
+/usr/local/opt/ nosuid
+/usr/local/sbin/ nosuid
+/usr/local/usr/bin/ nosuid
+/usr/local/usr/lib32/ nosuid
+/usr/local/usr/lib64/ nosuid
+/usr/local/usr/lib/ nosuid
+/usr/local/usr/sbin/ nosuid
+/usr/sbin/ nosuid
+
+######################################################################
+# Capability Removal
+######################################################################
+
+## Ping doesn't work with Tor anyway so its capabilities are removed to
+## reduce attack surface.
+## anon-apps-config does this.
+#/usr/bin/ping 0744 root root none
+
+## TODO: research
+#/usr/lib/x86_64-linux-gnu/gstreamer1.0/grstreamer-1.0/gst-ptp-helper 0744 root root none