Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2024-12-26 05:39:27 -05:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #204 from DanWin/sysfs-mount

Browse Source 
Make /sys hardening optional and allow access to /sys/fs to make polkit work
This commit is contained in:
Patrick Schleizer 2024-02-26 07:46:02 -05:00 committed by GitHub
commit b23d167342
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 45 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
etc/hide-hardware-info.d/30_default.conf
View File

@ -7,6 +7,9 @@
## Disable the /proc/cpuinfo whitelist.
#cpuinfo_whitelist=0
## Disable /sys hardening.
#sysfs=0
## Disable selinux mode.
## https://www.whonix.org/wiki/Security-misc#selinux
#selinux=0

28
usr/libexec/security-misc/hide-hardware-info
View File

@ -8,6 +8,8 @@ set -e
sysfs_whitelist=1
cpuinfo_whitelist=1
sysfs=1
## https://www.whonix.org/wiki/Security-misc#selinux
selinux=0
@ -53,6 +55,7 @@ for i in /proc/cpuinfo /proc/bus /proc/scsi /sys
do
if [ -e "${i}" ]; then
if [ "${i}" = "/sys" ]; then
if [ "${sysfs}" = "1" ]; then
## Whitelist for /sys.
if [ "${sysfs_whitelist}" = "1" ]; then
create_whitelist sysfs
@ -60,6 +63,7 @@ do
chmod og-rwx /sys
echo "INFO: The sysfs whitelist is not enabled. Some things may not work properly."
fi
fi
elif [ "${i}" = "/proc/cpuinfo" ]; then
## Whitelist for /proc/cpuinfo.
if [ "${cpuinfo_whitelist}" = "1" ]; then
@ -80,14 +84,8 @@ do
fi
done
## on SELinux systems, at least /sys/fs/selinux
## must be visible to unprivileged users, else
## SELinux userspace utilities will not function
## properly
if [ -d /sys/fs/selinux ]; then
echo "INFO: SELinux detected because folder /sys/fs/selinux exists. See also:"
echo "https://www.kicksecure.com/wiki/Security-misc#selinux"
if [ "${selinux}" = "1" ]; then
if [ "${sysfs}" = "1" ]; then
## restrict permissions on everything but
## what is needed
for i in /sys/* /sys/fs/*
@ -100,9 +98,23 @@ if [ -d /sys/fs/selinux ]; then
chmod og-rwx "${i}" || true
fi
done
## polkit needs stat access to /sys/fs/cgroup
## to function properly
chmod o+rx /sys /sys/fs
## on SELinux systems, at least /sys/fs/selinux
## must be visible to unprivileged users, else
## SELinux userspace utilities will not function
## properly
if [ -d /sys/fs/selinux ]; then
echo "INFO: SELinux detected because folder /sys/fs/selinux exists. See also:"
echo "https://www.kicksecure.com/wiki/Security-misc#selinux"
if [ "${selinux}" = "1" ]; then
chmod o+rx /sys /sys/fs /sys/fs/selinux
echo "INFO: SELinux mode enabled. Restrictions loosened slightly in order to allow userspace utilities to function."
else
echo "INFO: SELinux detected, but SELinux mode is not enabled. Some userspace utilities may not work properly."
fi
fi
fi