Merge remote-tracking branch 'github-kicksecure/master'

etc/hide-hardware-info.d/30_default.conf

@@ -7,6 +7,9 @@
 ## Disable the /proc/cpuinfo whitelist.
 #cpuinfo_whitelist=0
 
+## Disable /sys hardening.
+#sysfs=0
+
 ## Disable selinux mode.
 ## https://www.whonix.org/wiki/Security-misc#selinux
 #selinux=0

usr/libexec/security-misc/hide-hardware-info

@@ -8,6 +8,8 @@ set -e
 sysfs_whitelist=1
 cpuinfo_whitelist=1
 
+sysfs=1
+
 ## https://www.whonix.org/wiki/Security-misc#selinux
 selinux=0
 
@@ -53,12 +55,14 @@ for i in /proc/cpuinfo /proc/bus /proc/scsi /sys
 do
   if [ -e "${i}" ]; then
     if [ "${i}" = "/sys" ]; then
-      ## Whitelist for /sys.
+      if [ "${sysfs}" = "1" ]; then
-      if [ "${sysfs_whitelist}" = "1" ]; then
+        ## Whitelist for /sys.
-        create_whitelist sysfs
+        if [ "${sysfs_whitelist}" = "1" ]; then
-      else
+          create_whitelist sysfs
-        chmod og-rwx /sys
+        else
-        echo "INFO: The sysfs whitelist is not enabled. Some things may not work properly."
+          chmod og-rwx /sys
+          echo "INFO: The sysfs whitelist is not enabled. Some things may not work properly."
+        fi
       fi
     elif [ "${i}" = "/proc/cpuinfo" ]; then
       ## Whitelist for /proc/cpuinfo.
@@ -80,29 +84,37 @@ do
   fi
 done
 
-## on SELinux systems, at least /sys/fs/selinux
+
-## must be visible to unprivileged users, else
+if [ "${sysfs}" = "1" ]; then
-## SELinux userspace utilities will not function
+  ## restrict permissions on everything but
-## properly
+  ## what is needed
-if [ -d /sys/fs/selinux ]; then
+  for i in /sys/* /sys/fs/*
-  echo "INFO: SELinux detected because folder /sys/fs/selinux exists. See also:"
+  do
-  echo "https://www.kicksecure.com/wiki/Security-misc#selinux"
+    ## Using '|| true':
-  if [ "${selinux}" = "1" ]; then
+    ## https://github.com/Kicksecure/security-misc/pull/108
-    ## restrict permissions on everything but
+    if [ "${sysfs_whitelist}" = "1" ]; then
-    ## what is needed
+      chmod o-rwx "${i}" || true
-    for i in /sys/* /sys/fs/*
+    else
-    do
+      chmod og-rwx "${i}" || true
-      ## Using '|| true':
+    fi
-      ## https://github.com/Kicksecure/security-misc/pull/108
+  done
-      if [ "${sysfs_whitelist}" = "1" ]; then
+
-        chmod o-rwx "${i}" || true
+  ## polkit needs stat access to /sys/fs/cgroup
-      else
+  ## to function properly
-        chmod og-rwx "${i}" || true
+  chmod o+rx /sys /sys/fs
-      fi
+
-    done
+  ## on SELinux systems, at least /sys/fs/selinux
-    chmod o+rx /sys /sys/fs /sys/fs/selinux
+  ## must be visible to unprivileged users, else
-    echo "INFO: SELinux mode enabled. Restrictions loosened slightly in order to allow userspace utilities to function."
+  ## SELinux userspace utilities will not function
-  else
+  ## properly
-    echo "INFO: SELinux detected, but SELinux mode is not enabled. Some userspace utilities may not work properly."
+  if [ -d /sys/fs/selinux ]; then
+    echo "INFO: SELinux detected because folder /sys/fs/selinux exists. See also:"
+    echo "https://www.kicksecure.com/wiki/Security-misc#selinux"
+    if [ "${selinux}" = "1" ]; then
+      chmod o+rx /sys /sys/fs /sys/fs/selinux
+      echo "INFO: SELinux mode enabled. Restrictions loosened slightly in order to allow userspace utilities to function."
+    else
+      echo "INFO: SELinux detected, but SELinux mode is not enabled. Some userspace utilities may not work properly."
+    fi
   fi
 fi