diff --git a/debian/security-misc.config b/debian/security-misc.config
index 8513add..f08ea97 100644
--- a/debian/security-misc.config
+++ b/debian/security-misc.config
@@ -8,99 +8,101 @@ source /usr/share/debconf/confmodule set -e check_migrate_permission_hardener_state() { + if [ -d '/var/lib/permission-hardener' ]; then + return 0 + fi + local orig_hardening_arr custom_hardening_arr config_file custom_config_file if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then return 0 fi mkdir --parents '/var/lib/security-misc/do_once' - if [ -d '/var/lib/permission-hardener' ]; then - orig_hardening_arr=( - '/usr/lib/permission-hardener.d/25_default_passwd.conf' - '/usr/lib/permission-hardener.d/25_default_sudo.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf' - '/usr/lib/permission-hardener.d/20_user-sysmaint-split.conf' - '/usr/lib/permission-hardener.d/30_ping.conf' - '/usr/lib/permission-hardener.d/30_default.conf' - 
'/etc/permission-hardener.d/25_default_passwd.conf' - '/etc/permission-hardener.d/25_default_sudo.conf' - '/etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf' - '/etc/permission-hardener.d/25_default_whitelist_chromium.conf' - '/etc/permission-hardener.d/25_default_whitelist_dbus.conf' - '/etc/permission-hardener.d/25_default_whitelist_firejail.conf' - '/etc/permission-hardener.d/25_default_whitelist_fuse.conf' - '/etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf' - '/etc/permission-hardener.d/25_default_whitelist_mount.conf' - '/etc/permission-hardener.d/25_default_whitelist_pam.conf' - '/etc/permission-hardener.d/25_default_whitelist_passwd.conf' - '/etc/permission-hardener.d/25_default_whitelist_policykit.conf' - '/etc/permission-hardener.d/25_default_whitelist_postfix.conf' - '/etc/permission-hardener.d/25_default_whitelist_qubes.conf' - '/etc/permission-hardener.d/25_default_whitelist_selinux.conf' - '/etc/permission-hardener.d/25_default_whitelist_spice.conf' - '/etc/permission-hardener.d/25_default_whitelist_ssh.conf' - '/etc/permission-hardener.d/25_default_whitelist_sudo.conf' - '/etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf' - '/etc/permission-hardener.d/25_default_whitelist_virtualbox.conf' - '/etc/permission-hardener.d/20_user-sysmaint-split.conf' - '/etc/permission-hardener.d/30_ping.conf' - '/etc/permission-hardener.d/30_default.conf' - ) - - readarray -t custom_hardening_arr < <(dpkg -V | awk '/permission-hardener.d/{ print $NF }') - ## If the above `dpkg -V` command doesn't return any permission-hardener - ## related lines, the array will contain no meaningful info, just a single - ## blank element at the start. Set the array to be explicitly empty in - ## this scenario. 
- if [ -z "${custom_hardening_arr[0]}" ]; then - custom_hardening_arr=() - fi - - for config_file in \ - /usr/lib/permission-hardener.d/*.conf \ - /etc/permission-hardener.d/*.conf \ - /usr/local/etc/permission-hardener.d/*.conf \ - /etc/permission-hardening.d/*.conf \ - /usr/local/etc/permission-hardening.d/*.conf - do - # shellcheck disable=SC2076 - if ! [[ " ${orig_hardening_arr[*]} " =~ " ${config_file} " ]]; then - if [ -f "${config_file}" ]; then - custom_hardening_arr+=( "${config_file}" ) - fi - fi - done - - if [ "${#custom_hardening_arr[@]}" != '0' ]; then - for custom_config_file in "${custom_hardening_arr[@]}"; do - echo "INFO: Possible custom configuration file found: '${custom_config_file}'" - done - ## db_input will return code 30 if the message won't be displayed, which - ## causes a non-interactive install to error out if you don't use || true - db_input critical security-misc/alert-on-permission-hardener-v2-upgrade || true - ## db_go can return code 30 too in some instances, we don't care here - # shellcheck disable=SC2119 - db_go || true - fi + orig_hardening_arr=( + '/usr/lib/permission-hardener.d/25_default_passwd.conf' + '/usr/lib/permission-hardener.d/25_default_sudo.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf' + 
'/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf' + '/usr/lib/permission-hardener.d/20_user-sysmaint-split.conf' + '/usr/lib/permission-hardener.d/30_ping.conf' + '/usr/lib/permission-hardener.d/30_default.conf' + '/etc/permission-hardener.d/25_default_passwd.conf' + '/etc/permission-hardener.d/25_default_sudo.conf' + '/etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf' + '/etc/permission-hardener.d/25_default_whitelist_chromium.conf' + '/etc/permission-hardener.d/25_default_whitelist_dbus.conf' + '/etc/permission-hardener.d/25_default_whitelist_firejail.conf' + '/etc/permission-hardener.d/25_default_whitelist_fuse.conf' + '/etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf' + '/etc/permission-hardener.d/25_default_whitelist_mount.conf' + '/etc/permission-hardener.d/25_default_whitelist_pam.conf' + '/etc/permission-hardener.d/25_default_whitelist_passwd.conf' + '/etc/permission-hardener.d/25_default_whitelist_policykit.conf' + '/etc/permission-hardener.d/25_default_whitelist_postfix.conf' + '/etc/permission-hardener.d/25_default_whitelist_qubes.conf' + '/etc/permission-hardener.d/25_default_whitelist_selinux.conf' + '/etc/permission-hardener.d/25_default_whitelist_spice.conf' + '/etc/permission-hardener.d/25_default_whitelist_ssh.conf' + '/etc/permission-hardener.d/25_default_whitelist_sudo.conf' + '/etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf' + '/etc/permission-hardener.d/25_default_whitelist_virtualbox.conf' + '/etc/permission-hardener.d/20_user-sysmaint-split.conf' + 
'/etc/permission-hardener.d/30_ping.conf' + '/etc/permission-hardener.d/30_default.conf' + ) + readarray -t custom_hardening_arr < <(dpkg -V | awk '/permission-hardener.d/{ print $NF }') + ## If the above `dpkg -V` command doesn't return any permission-hardener + ## related lines, the array will contain no meaningful info, just a single + ## blank element at the start. Set the array to be explicitly empty in + ## this scenario. + if [ -z "${custom_hardening_arr[0]}" ]; then + custom_hardening_arr=() fi + + for config_file in \ + /usr/lib/permission-hardener.d/*.conf \ + /etc/permission-hardener.d/*.conf \ + /usr/local/etc/permission-hardener.d/*.conf \ + /etc/permission-hardening.d/*.conf \ + /usr/local/etc/permission-hardening.d/*.conf + do + # shellcheck disable=SC2076 + if ! [[ " ${orig_hardening_arr[*]} " =~ " ${config_file} " ]]; then + if [ -f "${config_file}" ]; then + custom_hardening_arr+=( "${config_file}" ) + fi + fi + done + + if [ "${#custom_hardening_arr[@]}" != '0' ]; then + for custom_config_file in "${custom_hardening_arr[@]}"; do + echo "INFO: Possible custom configuration file found: '${custom_config_file}'" + done + ## db_input will return code 30 if the message won't be displayed, which + ## causes a non-interactive install to error out if you don't use || true + db_input critical security-misc/alert-on-permission-hardener-v2-upgrade || true + ## db_go can return code 30 too in some instances, we don't care here + # shellcheck disable=SC2119 + db_go || true + fi + touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" }
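Review bot: The re-added `echo "INFO: Possible custom configuration file found: ..."` loop in the new code writes its diagnostics to stdout, and in a debconf config script stdout is the descriptor confmodule uses for the frontend protocol unless confmodule has already redirected it away; stray text there can be read as protocol input. Sending the message to stderr explicitly removes the dependence on that redirection, e.g. `printf '%s\n' "INFO: Possible custom configuration file found: '${custom_config_file}'" >&2`, which also avoids `echo` interpreting an unusual filename. A smaller observation: the new early `return 0` when `/var/lib/permission-hardener` exists runs before the `do_once` stamp is written at the end of the function, so on such systems the check is re-evaluated on every configure; that seems acceptable, but a short comment above the new `if` stating why the stamp is intentionally not written in that path would help the next maintainer.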