Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-02-09 19:08:30 -05:00
Code Issues Packages Projects Releases Wiki Activity

refactoring

Browse Source
This commit is contained in:
Patrick Schleizer 2025-01-14 03:17:00 -05:00
parent 69ae2d9ea0
commit b2a1a0ec9f
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
1 changed files with 87 additions and 85 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

172
debian/security-misc.config vendored
View File

@ -8,99 +8,101 @@ source /usr/share/debconf/confmodule
set -e
check_migrate_permission_hardener_state() {
if [ -d '/var/lib/permission-hardener' ]; then
return 0
fi
local orig_hardening_arr custom_hardening_arr config_file custom_config_file
if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then
return 0
fi
mkdir --parents '/var/lib/security-misc/do_once'
if [ -d '/var/lib/permission-hardener' ]; then
orig_hardening_arr=(
'/usr/lib/permission-hardener.d/25_default_passwd.conf'
'/usr/lib/permission-hardener.d/25_default_sudo.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf'
'/usr/lib/permission-hardener.d/20_user-sysmaint-split.conf'
'/usr/lib/permission-hardener.d/30_ping.conf'
'/usr/lib/permission-hardener.d/30_default.conf'
'/etc/permission-hardener.d/25_default_passwd.conf'
'/etc/permission-hardener.d/25_default_sudo.conf'
'/etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf'
'/etc/permission-hardener.d/25_default_whitelist_chromium.conf'
'/etc/permission-hardener.d/25_default_whitelist_dbus.conf'
'/etc/permission-hardener.d/25_default_whitelist_firejail.conf'
'/etc/permission-hardener.d/25_default_whitelist_fuse.conf'
'/etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf'
'/etc/permission-hardener.d/25_default_whitelist_mount.conf'
'/etc/permission-hardener.d/25_default_whitelist_pam.conf'
'/etc/permission-hardener.d/25_default_whitelist_passwd.conf'
'/etc/permission-hardener.d/25_default_whitelist_policykit.conf'
'/etc/permission-hardener.d/25_default_whitelist_postfix.conf'
'/etc/permission-hardener.d/25_default_whitelist_qubes.conf'
'/etc/permission-hardener.d/25_default_whitelist_selinux.conf'
'/etc/permission-hardener.d/25_default_whitelist_spice.conf'
'/etc/permission-hardener.d/25_default_whitelist_ssh.conf'
'/etc/permission-hardener.d/25_default_whitelist_sudo.conf'
'/etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf'
'/etc/permission-hardener.d/25_default_whitelist_virtualbox.conf'
'/etc/permission-hardener.d/20_user-sysmaint-split.conf'
'/etc/permission-hardener.d/30_ping.conf'
'/etc/permission-hardener.d/30_default.conf'
)
readarray -t custom_hardening_arr < <(dpkg -V | awk '/permission-hardener.d/{ print $NF }')
## If the above `dpkg -V` command doesn't return any permission-hardener
## related lines, the array will contain no meaningful info, just a single
## blank element at the start. Set the array to be explicitly empty in
## this scenario.
if [ -z "${custom_hardening_arr[0]}" ]; then
custom_hardening_arr=()
fi
for config_file in \
/usr/lib/permission-hardener.d/*.conf \
/etc/permission-hardener.d/*.conf \
/usr/local/etc/permission-hardener.d/*.conf \
/etc/permission-hardening.d/*.conf \
/usr/local/etc/permission-hardening.d/*.conf
do
# shellcheck disable=SC2076
if ! [[ " ${orig_hardening_arr[*]} " =~ " ${config_file} " ]]; then
if [ -f "${config_file}" ]; then
custom_hardening_arr+=( "${config_file}" )
fi
fi
done
if [ "${#custom_hardening_arr[@]}" != '0' ]; then
for custom_config_file in "${custom_hardening_arr[@]}"; do
echo "INFO: Possible custom configuration file found: '${custom_config_file}'"
done
## db_input will return code 30 if the message won't be displayed, which
## causes a non-interactive install to error out if you don't use || true
db_input critical security-misc/alert-on-permission-hardener-v2-upgrade || true
## db_go can return code 30 too in some instances, we don't care here
# shellcheck disable=SC2119
db_go || true
fi
orig_hardening_arr=(
'/usr/lib/permission-hardener.d/25_default_passwd.conf'
'/usr/lib/permission-hardener.d/25_default_sudo.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf'
'/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf'
'/usr/lib/permission-hardener.d/20_user-sysmaint-split.conf'
'/usr/lib/permission-hardener.d/30_ping.conf'
'/usr/lib/permission-hardener.d/30_default.conf'
'/etc/permission-hardener.d/25_default_passwd.conf'
'/etc/permission-hardener.d/25_default_sudo.conf'
'/etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf'
'/etc/permission-hardener.d/25_default_whitelist_chromium.conf'
'/etc/permission-hardener.d/25_default_whitelist_dbus.conf'
'/etc/permission-hardener.d/25_default_whitelist_firejail.conf'
'/etc/permission-hardener.d/25_default_whitelist_fuse.conf'
'/etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf'
'/etc/permission-hardener.d/25_default_whitelist_mount.conf'
'/etc/permission-hardener.d/25_default_whitelist_pam.conf'
'/etc/permission-hardener.d/25_default_whitelist_passwd.conf'
'/etc/permission-hardener.d/25_default_whitelist_policykit.conf'
'/etc/permission-hardener.d/25_default_whitelist_postfix.conf'
'/etc/permission-hardener.d/25_default_whitelist_qubes.conf'
'/etc/permission-hardener.d/25_default_whitelist_selinux.conf'
'/etc/permission-hardener.d/25_default_whitelist_spice.conf'
'/etc/permission-hardener.d/25_default_whitelist_ssh.conf'
'/etc/permission-hardener.d/25_default_whitelist_sudo.conf'
'/etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf'
'/etc/permission-hardener.d/25_default_whitelist_virtualbox.conf'
'/etc/permission-hardener.d/20_user-sysmaint-split.conf'
'/etc/permission-hardener.d/30_ping.conf'
'/etc/permission-hardener.d/30_default.conf'
)
readarray -t custom_hardening_arr < <(dpkg -V | awk '/permission-hardener.d/{ print $NF }')
## If the above `dpkg -V` command doesn't return any permission-hardener
## related lines, the array will contain no meaningful info, just a single
## blank element at the start. Set the array to be explicitly empty in
## this scenario.
if [ -z "${custom_hardening_arr[0]}" ]; then
custom_hardening_arr=()
fi
for config_file in \
/usr/lib/permission-hardener.d/*.conf \
/etc/permission-hardener.d/*.conf \
/usr/local/etc/permission-hardener.d/*.conf \
/etc/permission-hardening.d/*.conf \
/usr/local/etc/permission-hardening.d/*.conf
do
# shellcheck disable=SC2076
if ! [[ " ${orig_hardening_arr[*]} " =~ " ${config_file} " ]]; then
if [ -f "${config_file}" ]; then
custom_hardening_arr+=( "${config_file}" )
fi
fi
done
if [ "${#custom_hardening_arr[@]}" != '0' ]; then
for custom_config_file in "${custom_hardening_arr[@]}"; do
echo "INFO: Possible custom configuration file found: '${custom_config_file}'"
done
## db_input will return code 30 if the message won't be displayed, which
## causes a non-interactive install to error out if you don't use || true
db_input critical security-misc/alert-on-permission-hardener-v2-upgrade || true
## db_go can return code 30 too in some instances, we don't care here
# shellcheck disable=SC2119
db_go || true
fi
touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1"
}