From 3bc1765dbbd333a1d607ab6962281b4d0a5c4b60 Mon Sep 17 00:00:00 2001
From: Daniel Winzen
Date: Wed, 21 Feb 2024 20:37:34 +0100
Subject: [PATCH 1/2] Allow access to /sys/fs for polkit
---
 usr/libexec/security-misc/hide-hardware-info | 29 ++++++++++++--------
 1 file changed, 17 insertions(+), 12 deletions(-)
diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info
index b55441f..4ed2aca 100755
--- a/usr/libexec/security-misc/hide-hardware-info
+++ b/usr/libexec/security-misc/hide-hardware-info
@@ -80,6 +80,23 @@ do
 fi
 done
+## restrict permissions on everything but
+## what is needed
+for i in /sys/* /sys/fs/*
+do
+ ## Using '|| true':
+ ## https://github.com/Kicksecure/security-misc/pull/108
+ if [ "${sysfs_whitelist}" = "1" ]; then
+ chmod o-rwx "${i}" || true
+ else
+ chmod og-rwx "${i}" || true
+ fi
+done
+
+## polkit needs stat access to /sys/fs/cgroup
+## to function properly
+chmod o+rx /sys /sys/fs
+
 ## on SELinux systems, at least /sys/fs/selinux
 ## must be visible to unprivileged users, else
 ## SELinux userspace utilities will not function
@@ -88,18 +105,6 @@ if [ -d /sys/fs/selinux ]; then
 echo "INFO: SELinux detected because folder /sys/fs/selinux exists. See also:"
 echo "https://www.kicksecure.com/wiki/Security-misc#selinux"
 if [ "${selinux}" = "1" ]; then
- ## restrict permissions on everything but
- ## what is needed
- for i in /sys/* /sys/fs/*
- do
- ## Using '|| true':
- ## https://github.com/Kicksecure/security-misc/pull/108
- if [ "${sysfs_whitelist}" = "1" ]; then
- chmod o-rwx "${i}" || true
- else
- chmod og-rwx "${i}" || true
- fi
- done
 chmod o+rx /sys /sys/fs /sys/fs/selinux
 echo "INFO: SELinux mode enabled. Restrictions loosened slightly in order to allow userspace utilities to function."
 else
From ef44ecea44ee516b1ba92175eb78b2e8143c4502 Mon Sep 17 00:00:00 2001
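Review bot: The new unconditional `chmod o+rx /sys /sys/fs` in the `@@ -80,6 +80,23 @@` hunk grants more than its comment asks for: a stat on /sys/fs/cgroup only needs search permission on the parent directories, so `chmod o+x /sys /sys/fs` would let the lookup succeed without letting unprivileged users list the entries of /sys and /sys/fs. Because the line now runs in every configuration, it also reverses the `o` part of the `chmod og-rwx /sys` that the script applies when the sysfs whitelist is disabled (visible in the second patch's context), and the comment should say so. If polkit does need to read those directories rather than only traverse them, the comment should state that instead of "stat access".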
From: Daniel Winzen
Date: Thu, 22 Feb 2024 16:51:23 +0100
Subject: [PATCH 2/2] Add option to disabe /sys hardening
---
 etc/hide-hardware-info.d/30_default.conf | 3 +
 usr/libexec/security-misc/hide-hardware-info | 73 +++++++++++---------
 2 files changed, 43 insertions(+), 33 deletions(-)
diff --git a/etc/hide-hardware-info.d/30_default.conf b/etc/hide-hardware-info.d/30_default.conf
index df6952e..ffda4de 100644
--- a/etc/hide-hardware-info.d/30_default.conf
+++ b/etc/hide-hardware-info.d/30_default.conf
@@ -7,6 +7,9 @@
 ## Disable the /proc/cpuinfo whitelist.
 #cpuinfo_whitelist=0
+## Disable /sys hardening.
+#sysfs=0
+
 ## Disable selinux mode.
 ## https://www.whonix.org/wiki/Security-misc#selinux
 #selinux=0
diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info
index 4ed2aca..810433b 100755
--- a/usr/libexec/security-misc/hide-hardware-info
+++ b/usr/libexec/security-misc/hide-hardware-info
@@ -8,6 +8,8 @@ set -e
 sysfs_whitelist=1
 cpuinfo_whitelist=1
+sysfs=1
+
 ## https://www.whonix.org/wiki/Security-misc#selinux
 selinux=0
@@ -53,12 +55,14 @@ for i in /proc/cpuinfo /proc/bus /proc/scsi /sys
 do
 if [ -e "${i}" ]; then
 if [ "${i}" = "/sys" ]; then
- ## Whitelist for /sys.
- if [ "${sysfs_whitelist}" = "1" ]; then
- create_whitelist sysfs
- else
- chmod og-rwx /sys
- echo "INFO: The sysfs whitelist is not enabled. Some things may not work properly."
+ if [ "${sysfs}" = "1" ]; then
+ ## Whitelist for /sys.
+ if [ "${sysfs_whitelist}" = "1" ]; then
+ create_whitelist sysfs
+ else
+ chmod og-rwx /sys
+ echo "INFO: The sysfs whitelist is not enabled. Some things may not work properly."
+ fi
 fi
 elif [ "${i}" = "/proc/cpuinfo" ]; then
 ## Whitelist for /proc/cpuinfo.
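Review bot: The new guard `if [ "${sysfs}" = "1" ]; then` in the `@@ -53,12 +55,14 @@` hunk fails open: any value other than the exact string `1` (a typo, `yes`, an empty assignment in a drop-in file) skips all /sys hardening, whereas an unexpected `sysfs_whitelist` value falls through to the stricter `chmod og-rwx /sys`. Testing for the explicit opt-out instead, `if [ "${sysfs}" != "0" ]; then`, keeps the hardening on unless the administrator wrote `sysfs=0`, which is the only value the config comment documents. The same test is repeated in the `@@ -80,34 +84,37 @@` hunk and should change with it. The enclosing `for` loop continues outside this hunk.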
@@ -80,34 +84,37 @@ do
 fi
 done
-## restrict permissions on everything but
-## what is needed
-for i in /sys/* /sys/fs/*
-do
- ## Using '|| true':
- ## https://github.com/Kicksecure/security-misc/pull/108
- if [ "${sysfs_whitelist}" = "1" ]; then
- chmod o-rwx "${i}" || true
- else
- chmod og-rwx "${i}" || true
- fi
-done
-## polkit needs stat access to /sys/fs/cgroup
-## to function properly
-chmod o+rx /sys /sys/fs
+if [ "${sysfs}" = "1" ]; then
+ ## restrict permissions on everything but
+ ## what is needed
+ for i in /sys/* /sys/fs/*
+ do
+ ## Using '|| true':
+ ## https://github.com/Kicksecure/security-misc/pull/108
+ if [ "${sysfs_whitelist}" = "1" ]; then
+ chmod o-rwx "${i}" || true
+ else
+ chmod og-rwx "${i}" || true
+ fi
+ done
-## on SELinux systems, at least /sys/fs/selinux
-## must be visible to unprivileged users, else
-## SELinux userspace utilities will not function
-## properly
-if [ -d /sys/fs/selinux ]; then
- echo "INFO: SELinux detected because folder /sys/fs/selinux exists. See also:"
- echo "https://www.kicksecure.com/wiki/Security-misc#selinux"
- if [ "${selinux}" = "1" ]; then
- chmod o+rx /sys /sys/fs /sys/fs/selinux
- echo "INFO: SELinux mode enabled. Restrictions loosened slightly in order to allow userspace utilities to function."
- else
- echo "INFO: SELinux detected, but SELinux mode is not enabled. Some userspace utilities may not work properly."
+ ## polkit needs stat access to /sys/fs/cgroup
+ ## to function properly
+ chmod o+rx /sys /sys/fs
+
+ ## on SELinux systems, at least /sys/fs/selinux
+ ## must be visible to unprivileged users, else
+ ## SELinux userspace utilities will not function
+ ## properly
+ if [ -d /sys/fs/selinux ]; then
+ echo "INFO: SELinux detected because folder /sys/fs/selinux exists. See also:"
+ echo "https://www.kicksecure.com/wiki/Security-misc#selinux"
+ if [ "${selinux}" = "1" ]; then
+ chmod o+rx /sys /sys/fs /sys/fs/selinux
+ echo "INFO: SELinux mode enabled. Restrictions loosened slightly in order to allow userspace utilities to function."
+ else
+ echo "INFO: SELinux detected, but SELinux mode is not enabled. Some userspace utilities may not work properly."
+ fi
 fi
 fi
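Review bot: When `sysfs` is not `1` the whole block added here is skipped without any output, while the other relaxed paths in the script print an `INFO:` line (whitelist disabled, SELinux mode on or off). An `else` branch before the closing `fi`, for example `else` followed by `echo "INFO: /sys hardening is disabled."`, would leave a trace in the log that the system is running with default /sys permissions. Separately, `chmod o+rx /sys /sys/fs` and `chmod o+rx /sys /sys/fs /sys/fs/selinux` are not guarded with `|| true` like the chmod calls in the loop, so under the script's `set -e` a failure there ends the run before the SELinux messages; if that is intended, a short comment saying so would help.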