Merge branch 'Kicksecure:master' into erst

changelog.upstream

@@ -1,3 +1,117 @@
+commit 4639d1aab572bb4ad751bd1da5b936b9d73d3264
+Merge: 5159de6 109c013
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Fri Jun 13 15:09:52 2025 -0400
+
+    Merge remote-tracking branch 'ArrayBolt3/arraybolt3/approx'
+
+commit 109c0134677d991c449aa009773cb22babeee8db
+Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
+Date:   Thu Jun 12 01:08:34 2025 -0500
+
+    Add comment related to approx package caching proxy
+
+commit 5159de63438e8c1274658e7175a80fb693d6554a
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Wed May 28 13:48:11 2025 +0000
+
+    bumped changelog version
+
+commit 3e102df76583a14b5efc18238aefbf539ab0d8a1
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Wed May 28 08:37:03 2025 -0400
+
+    fix
+
+commit d5edc243ac2db861f1600d3906a02494eaf9a824
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Wed May 28 12:12:00 2025 +0000
+
+    bumped changelog version
+
+commit eda1d0aef640af1ea73c72d6caa876733de4e5a0
+Merge: e966774 5a10ad0
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Wed May 28 07:22:16 2025 -0400
+
+    Merge remote-tracking branch 'github-kicksecure/master'
+
+commit 5a10ad031d67acc8fa4c16f9e2db191bde559caa
+Merge: e966774 3559bc8
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Wed May 28 07:21:31 2025 -0400
+
+    Merge pull request #307 from maybebyte/ssh-agent-to-allowlist
+    
+    fix(permission-hardener): ssh-agent gets 2755 perms
+
+commit 3559bc86b7aed8122ff7996ce0ab4a65bdaf05c0
+Author: Ashlen <dev@anthes.is>
+Date:   Tue May 27 15:32:41 2025 -0600
+
+    fix(permission-hardener): ssh-agent gets 2755 perms
+    
+    Change from exactwhitelist to matchwhitelist. Discussion revealed that
+    there's a good reason to leave setgid in here, which is essentially
+    defense-in-depth (sometimes users may want to revert Kicksecure's
+    default of kernel.yama.ptrace_scope=2, e.g. to debug a program, and
+    Kicksecure should not be less secure than vanilla Debian in that
+    situation).
+
+commit c59b2e4bc53cad4c9cc90ddd5abaca0705ccff90
+Merge: 017ee29 e966774
+Author: maybebyte <99762926+maybebyte@users.noreply.github.com>
+Date:   Tue May 27 20:33:07 2025 +0000
+
+    Merge branch 'Kicksecure:master' into ssh-agent-to-allowlist
+
+commit e96677486201ebddc145af7962ad5e89f6fa253b
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Tue May 27 19:41:25 2025 +0000
+
+    bumped changelog version
+
+commit 017ee29eb39d84edc89f128a633a619cad852241
+Merge: 7a079c3 abb2207
+Author: maybebyte <99762926+maybebyte@users.noreply.github.com>
+Date:   Tue May 27 18:25:47 2025 +0000
+
+    Merge branch 'Kicksecure:master' into ssh-agent-to-allowlist
+
+commit 5195977be474e29a29b6392306e909e9f2d05ada
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Tue May 27 11:57:21 2025 -0400
+
+    protect against grep pipefail
+
+commit abb2207313810966dad381c3a9f637c445a5834d
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Tue May 27 15:51:50 2025 +0000
+
+    bumped changelog version
+
+commit 45016146f7c77d383f2254d19dc66ba9b883b8f2
+Merge: ace45d7 395169f
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Tue May 27 11:03:23 2025 -0400
+
+    Merge remote-tracking branch 'github-kicksecure/master'
+
+commit 395169fbce1854bfed727d1784f4e5c0d8e7c6ff
+Merge: ace45d7 e14b81b
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Tue May 27 10:58:50 2025 -0400
+
+    Merge pull request #308 from maybebyte/permission-hardener-speedboost
+    
+    perf(permission-hardener): optimize string match
+
+commit ace45d7c95ed6b83c1897f76da5af4a0c97cab10
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Wed May 21 22:06:02 2025 +0000
+
+    bumped changelog version
+
 commit 142ea2118989faddafa17db48efed379c4ac3f45
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Wed May 21 12:42:16 2025 -0400
@@ -116,6 +230,60 @@ Date:   Wed May 21 06:55:09 2025 -0400
 
     pam-info: fix, consistently write errors and warnings to stderr
 
+commit e14b81b15e479afbc4820a2b9bb60f3cf65bfb12
+Author: Ashlen <dev@anthes.is>
+Date:   Tue May 20 21:34:03 2025 -0600
+
+    perf(permission-hardener): optimize string match
+    
+    Replace subprocess grep calls with bash substring matching in
+    check_nosuid_whitelist function. This eliminates ~10k unneeded
+    subprocess spawns that were causing significant performance
+    degradation.
+    
+    In testing, it improves overall script execution speed by an
+    order of magnitude:
+    
+    Before patch:
+    $ sudo hyperfine -- './permission-hardener enable'
+    Benchmark 1: ./permission-hardener enable
+      Time (mean ± σ):     11.906 s ±  0.974 s    [User: 3.639 s, System: 8.728 s]
+      Range (min … max):   10.430 s … 14.090 s    10 runs
+    
+    After patch:
+    $ sudo hyperfine -- './permission-hardener enable'
+    Benchmark 1: ./permission-hardener enable
+      Time (mean ± σ):     802.8 ms ± 178.5 ms    [User: 283.0 ms, System: 471.9 ms]
+      Range (min … max):   639.4 ms … 1092.3 ms    10 runs
+
+commit 7a079c3de8bd8b4e026a1bd1b932a04610a1e386
+Author: Ashlen <dev@anthes.is>
+Date:   Tue May 20 18:41:48 2025 -0600
+
+    fix(permission-hardener): add exactwhitelist here
+    
+    Without this, the permissions for ssh-agent won't be changed properly.
+
+commit 94dc9da4ab8fb93760dbb3b325bdeaa155e492cb
+Author: Ashlen <dev@anthes.is>
+Date:   Tue May 20 17:07:51 2025 -0600
+
+    fix(permission-hardener): ssh-agent gets 755 perms
+    
+    Replace the commented-out matchwhitelist entry for ssh-agent with an
+    explicit permission entry (755) for /usr/bin/ssh-agent.
+    
+    When ssh-agent's matchwhitelist entry was commented out in commit
+    7a5f8b87af, permission-hardener began resetting it to restrictive
+    defaults (744), preventing non-root users from executing ssh-agent. This
+    broke split SSH functionality in Qubes OS for me because I was using
+    Kicksecure in the vault qube, and ssh-agent runs under a non-root user in
+    that configuration (see https://forum.qubes-os.org/t/split-ssh/19060).
+    
+    As noted in the comment, Debian installs with 2755 permissions as a way
+    to mitigate ptrace attacks, but this rationale doesn't apply due to
+    kernel.yama.ptrace_scope=2 being set in Kicksecure.
+
 commit 19d7e1af5d7acf6eb3a20fe3ebf5f14cef041f92
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Tue May 20 11:40:27 2025 +0000

debian/changelog

@@ -1,3 +1,33 @@
+security-misc (3:46.2-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@whonix.org>  Sat, 14 Jun 2025 11:51:44 +0000
+
+security-misc (3:46.1-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@whonix.org>  Wed, 28 May 2025 13:48:11 +0000
+
+security-misc (3:46.0-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@whonix.org>  Wed, 28 May 2025 12:12:00 +0000
+
+security-misc (3:45.9-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@whonix.org>  Tue, 27 May 2025 19:41:25 +0000
+
+security-misc (3:45.8-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@whonix.org>  Tue, 27 May 2025 15:51:50 +0000
+
 security-misc (3:45.7-1) unstable; urgency=medium
 
   * New upstream version (local package).

usr/bin/permission-hardener

@@ -256,8 +256,7 @@ check_nosuid_whitelist() {
   [[ " ${policy_exact_white_list[*]} " =~ " ${target_file} " ]] && return 1
 
   for match_white_list_entry in "${policy_match_white_list[@]:-}"; do
-    if safe_echo "${target_file}" \
-      | grep --quiet --fixed-strings -- "${match_white_list_entry}"; then
+    if [[ "${target_file}" == *"${match_white_list_entry}"* ]]; then
       return 1
     fi
   done
@@ -627,7 +626,7 @@ commit_policy() {
     else
       if ! capsh --print \
         | grep --fixed-strings -- "Bounding set" \
-        | grep --quiet -- "${policy_capability_item}"; then
+        | grep -- "${policy_capability_item}" >/dev/null; then
         log error \
           "Capability from config does not exist: '${policy_capability_item}'" \
           >&2

usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf

@@ -5,11 +5,17 @@
 ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 
+## Used for SSH client key management
+## https://manpages.debian.org/bookworm/openssh-client/ssh-agent.1.en.html
+## Debian installs ssh-agent with setgid permissions (2755) and with
+## _ssh as the group to help mitigate ptrace attacks that could extract
+## private keys from the agent's memory.
+ssh-agent matchwhitelist
+
 ## Used only for SSH host-based authentication
 ## https://linux.die.net/man/8/ssh-keysign
 ## Needed to allow access to the machine's host key for use in the
 ## authentication process. This is a non-default method of authenticating to
 ## SSH, and is likely rarely used, thus this should be safe to disable.
-#ssh-agent matchwhitelist
 #ssh-keysign matchwhitelist
 #/usr/lib/openssh matchwhitelist

usr/libexec/security-misc/pam-info

@@ -111,6 +111,7 @@ if [ "$PAM_USER" = 'sysmaint' ]; then
    fi
 fi
 
+kernel_cmdline=""
 if test -f /proc/cmdline; then
    kernel_cmdline="$(cat -- /proc/cmdline)"
 fi

usr/libexec/security-misc/permission-lockdown

@@ -25,6 +25,7 @@
 # /usr/libexec/security-misc/permission-lockdown: user: stunnel4 | chmod o-rwx "/var/run/stunnel4"
 # /usr/libexec/security-misc/permission-lockdown: user: iodine | chmod o-rwx "/var/run/iodine"
 # /usr/libexec/security-misc/permission-lockdown: user: apt-cacher-ng | chmod o-rwx "/var/cache/apt-cacher-ng"
+# /usr/libexec/security-misc/permission-lockdown: user: approx | chmod o-rwx "/var/cache/approx"
 # /usr/libexec/security-misc/permission-lockdown: user: statd | chmod o-rwx "/var/lib/nfs"
 # /usr/libexec/security-misc/permission-lockdown: user: timidity | chmod o-rwx "/etc/timidity"
 # /usr/libexec/security-misc/permission-lockdown: user: uuidd | chmod o-rwx "/run/uuidd"