Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2024-12-26 18:29:24 -05:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'github-kicksecure/master'

Browse Source
This commit is contained in:
Patrick Schleizer 2024-02-26 07:48:19 -05:00
commit bc8f9edc31
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
2 changed files with 45 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
etc/hide-hardware-info.d/30_default.conf
View File

@ -7,6 +7,9 @@
## Disable the /proc/cpuinfo whitelist. ## Disable the /proc/cpuinfo whitelist.
#cpuinfo_whitelist=0 #cpuinfo_whitelist=0
## Disable /sys hardening.
#sysfs=0
## Disable selinux mode. ## Disable selinux mode.
## https://www.whonix.org/wiki/Security-misc#selinux ## https://www.whonix.org/wiki/Security-misc#selinux
#selinux=0 #selinux=0

28
usr/libexec/security-misc/hide-hardware-info
View File

@ -8,6 +8,8 @@ set -e
sysfs_whitelist=1 sysfs_whitelist=1
cpuinfo_whitelist=1 cpuinfo_whitelist=1
sysfs=1
## https://www.whonix.org/wiki/Security-misc#selinux ## https://www.whonix.org/wiki/Security-misc#selinux
selinux=0 selinux=0
@ -53,6 +55,7 @@ for i in /proc/cpuinfo /proc/bus /proc/scsi /sys
do do
if [ -e "${i}" ]; then if [ -e "${i}" ]; then
if [ "${i}" = "/sys" ]; then if [ "${i}" = "/sys" ]; then
if [ "${sysfs}" = "1" ]; then
## Whitelist for /sys. ## Whitelist for /sys.
if [ "${sysfs_whitelist}" = "1" ]; then if [ "${sysfs_whitelist}" = "1" ]; then
create_whitelist sysfs create_whitelist sysfs
@ -60,6 +63,7 @@ do
chmod og-rwx /sys chmod og-rwx /sys
echo "INFO: The sysfs whitelist is not enabled. Some things may not work properly." echo "INFO: The sysfs whitelist is not enabled. Some things may not work properly."
fi fi
fi
elif [ "${i}" = "/proc/cpuinfo" ]; then elif [ "${i}" = "/proc/cpuinfo" ]; then
## Whitelist for /proc/cpuinfo. ## Whitelist for /proc/cpuinfo.
if [ "${cpuinfo_whitelist}" = "1" ]; then if [ "${cpuinfo_whitelist}" = "1" ]; then
@ -80,14 +84,8 @@ do
fi fi
done done
## on SELinux systems, at least /sys/fs/selinux
## must be visible to unprivileged users, else if [ "${sysfs}" = "1" ]; then
## SELinux userspace utilities will not function
## properly
if [ -d /sys/fs/selinux ]; then
echo "INFO: SELinux detected because folder /sys/fs/selinux exists. See also:"
echo "https://www.kicksecure.com/wiki/Security-misc#selinux"
if [ "${selinux}" = "1" ]; then
## restrict permissions on everything but ## restrict permissions on everything but
## what is needed ## what is needed
for i in /sys/* /sys/fs/* for i in /sys/* /sys/fs/*
@ -100,9 +98,23 @@ if [ -d /sys/fs/selinux ]; then
chmod og-rwx "${i}" || true chmod og-rwx "${i}" || true
fi fi
done done
## polkit needs stat access to /sys/fs/cgroup
## to function properly
chmod o+rx /sys /sys/fs
## on SELinux systems, at least /sys/fs/selinux
## must be visible to unprivileged users, else
## SELinux userspace utilities will not function
## properly
if [ -d /sys/fs/selinux ]; then
echo "INFO: SELinux detected because folder /sys/fs/selinux exists. See also:"
echo "https://www.kicksecure.com/wiki/Security-misc#selinux"
if [ "${selinux}" = "1" ]; then
chmod o+rx /sys /sys/fs /sys/fs/selinux chmod o+rx /sys /sys/fs /sys/fs/selinux
echo "INFO: SELinux mode enabled. Restrictions loosened slightly in order to allow userspace utilities to function." echo "INFO: SELinux mode enabled. Restrictions loosened slightly in order to allow userspace utilities to function."
else else
echo "INFO: SELinux detected, but SELinux mode is not enabled. Some userspace utilities may not work properly." echo "INFO: SELinux detected, but SELinux mode is not enabled. Some userspace utilities may not work properly."
fi fi
fi fi
fi