Merge pull request #204 from DanWin/sysfs-mount

Make /sys hardening optional and allow access to /sys/fs to make polkit work
This commit is contained in:
Patrick Schleizer 2024-02-26 07:46:02 -05:00 committed by GitHub
commit b23d167342
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 45 additions and 30 deletions

View File

@ -7,6 +7,9 @@
## Disable the /proc/cpuinfo whitelist. ## Disable the /proc/cpuinfo whitelist.
#cpuinfo_whitelist=0 #cpuinfo_whitelist=0
## Disable /sys hardening.
#sysfs=0
## Disable selinux mode. ## Disable selinux mode.
## https://www.whonix.org/wiki/Security-misc#selinux ## https://www.whonix.org/wiki/Security-misc#selinux
#selinux=0 #selinux=0

View File

@ -8,6 +8,8 @@ set -e
sysfs_whitelist=1 sysfs_whitelist=1
cpuinfo_whitelist=1 cpuinfo_whitelist=1
sysfs=1
## https://www.whonix.org/wiki/Security-misc#selinux ## https://www.whonix.org/wiki/Security-misc#selinux
selinux=0 selinux=0
@ -53,12 +55,14 @@ for i in /proc/cpuinfo /proc/bus /proc/scsi /sys
do do
if [ -e "${i}" ]; then if [ -e "${i}" ]; then
if [ "${i}" = "/sys" ]; then if [ "${i}" = "/sys" ]; then
## Whitelist for /sys. if [ "${sysfs}" = "1" ]; then
if [ "${sysfs_whitelist}" = "1" ]; then ## Whitelist for /sys.
create_whitelist sysfs if [ "${sysfs_whitelist}" = "1" ]; then
else create_whitelist sysfs
chmod og-rwx /sys else
echo "INFO: The sysfs whitelist is not enabled. Some things may not work properly." chmod og-rwx /sys
echo "INFO: The sysfs whitelist is not enabled. Some things may not work properly."
fi
fi fi
elif [ "${i}" = "/proc/cpuinfo" ]; then elif [ "${i}" = "/proc/cpuinfo" ]; then
## Whitelist for /proc/cpuinfo. ## Whitelist for /proc/cpuinfo.
@ -80,29 +84,37 @@ do
fi fi
done done
## on SELinux systems, at least /sys/fs/selinux
## must be visible to unprivileged users, else if [ "${sysfs}" = "1" ]; then
## SELinux userspace utilities will not function ## restrict permissions on everything but
## properly ## what is needed
if [ -d /sys/fs/selinux ]; then for i in /sys/* /sys/fs/*
echo "INFO: SELinux detected because folder /sys/fs/selinux exists. See also:" do
echo "https://www.kicksecure.com/wiki/Security-misc#selinux" ## Using '|| true':
if [ "${selinux}" = "1" ]; then ## https://github.com/Kicksecure/security-misc/pull/108
## restrict permissions on everything but if [ "${sysfs_whitelist}" = "1" ]; then
## what is needed chmod o-rwx "${i}" || true
for i in /sys/* /sys/fs/* else
do chmod og-rwx "${i}" || true
## Using '|| true': fi
## https://github.com/Kicksecure/security-misc/pull/108 done
if [ "${sysfs_whitelist}" = "1" ]; then
chmod o-rwx "${i}" || true ## polkit needs stat access to /sys/fs/cgroup
else ## to function properly
chmod og-rwx "${i}" || true chmod o+rx /sys /sys/fs
fi
done ## on SELinux systems, at least /sys/fs/selinux
chmod o+rx /sys /sys/fs /sys/fs/selinux ## must be visible to unprivileged users, else
echo "INFO: SELinux mode enabled. Restrictions loosened slightly in order to allow userspace utilities to function." ## SELinux userspace utilities will not function
else ## properly
echo "INFO: SELinux detected, but SELinux mode is not enabled. Some userspace utilities may not work properly." if [ -d /sys/fs/selinux ]; then
echo "INFO: SELinux detected because folder /sys/fs/selinux exists. See also:"
echo "https://www.kicksecure.com/wiki/Security-misc#selinux"
if [ "${selinux}" = "1" ]; then
chmod o+rx /sys /sys/fs /sys/fs/selinux
echo "INFO: SELinux mode enabled. Restrictions loosened slightly in order to allow userspace utilities to function."
else
echo "INFO: SELinux detected, but SELinux mode is not enabled. Some userspace utilities may not work properly."
fi
fi fi
fi fi