Merge branch 'Kicksecure:master' into erst

2025-08-02 23:06:08 -04:00 · 2025-07-02 11:35:50 +10:00 · 2025-07-02 11:35:50 +10:00 · bb208fb134
commit bb208fb134
parent 4314b1e85b 115b6f6aa2
6 changed files with 209 additions and 4 deletions
--- a/usr/bin/permission-hardener
+++ b/usr/bin/permission-hardener
@ -256,8 +256,7 @@ check_nosuid_whitelist() {
  [[ " ${policy_exact_white_list[*]} " =~ " ${target_file} " ]] && return 1

  for match_white_list_entry in "${policy_match_white_list[@]:-}"; do
-    if safe_echo "${target_file}" \
-      | grep --quiet --fixed-strings -- "${match_white_list_entry}"; then
+    if [[ "${target_file}" == *"${match_white_list_entry}"* ]]; then
      return 1
    fi
  done
@ -627,7 +626,7 @@ commit_policy() {
    else
      if ! capsh --print \
        | grep --fixed-strings -- "Bounding set" \
-        | grep --quiet -- "${policy_capability_item}"; then
+        | grep -- "${policy_capability_item}" >/dev/null; then
        log error \
          "Capability from config does not exist: '${policy_capability_item}'" \
          >&2
--- a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf
+++ b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf
@ -5,11 +5,17 @@
 ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.

+## Used for SSH client key management
+## https://manpages.debian.org/bookworm/openssh-client/ssh-agent.1.en.html
+## Debian installs ssh-agent with setgid permissions (2755) and with
+## _ssh as the group to help mitigate ptrace attacks that could extract
+## private keys from the agent's memory.
+ssh-agent matchwhitelist
+
 ## Used only for SSH host-based authentication
 ## https://linux.die.net/man/8/ssh-keysign
 ## Needed to allow access to the machine's host key for use in the
 ## authentication process. This is a non-default method of authenticating to
 ## SSH, and is likely rarely used, thus this should be safe to disable.
-#ssh-agent matchwhitelist
 #ssh-keysign matchwhitelist
 #/usr/lib/openssh matchwhitelist
--- a/usr/libexec/security-misc/pam-info
+++ b/usr/libexec/security-misc/pam-info
@ -111,6 +111,7 @@ if [ "$PAM_USER" = 'sysmaint' ]; then
   fi
 fi

+kernel_cmdline=""
 if test -f /proc/cmdline; then
   kernel_cmdline="$(cat -- /proc/cmdline)"
 fi
--- a/usr/libexec/security-misc/permission-lockdown
+++ b/usr/libexec/security-misc/permission-lockdown
@ -25,6 +25,7 @@
 # /usr/libexec/security-misc/permission-lockdown: user: stunnel4 | chmod o-rwx "/var/run/stunnel4"
 # /usr/libexec/security-misc/permission-lockdown: user: iodine | chmod o-rwx "/var/run/iodine"
 # /usr/libexec/security-misc/permission-lockdown: user: apt-cacher-ng | chmod o-rwx "/var/cache/apt-cacher-ng"
+# /usr/libexec/security-misc/permission-lockdown: user: approx | chmod o-rwx "/var/cache/approx"
 # /usr/libexec/security-misc/permission-lockdown: user: statd | chmod o-rwx "/var/lib/nfs"
 # /usr/libexec/security-misc/permission-lockdown: user: timidity | chmod o-rwx "/etc/timidity"
 # /usr/libexec/security-misc/permission-lockdown: user: uuidd | chmod o-rwx "/run/uuidd"