From ca257164105c4f66576024b64c52a42921455d16 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 15 Jan 2025 09:44:48 -0500 Subject: [PATCH] improve permission hardener migration code --- debian/security-misc.config | 27 +++++++++++++++++++++++---- 1 file changed, 23 insertions(+), 4 deletions(-) mode change 100644 => 100755 debian/security-misc.config diff --git a/debian/security-misc.config b/debian/security-misc.config old mode 100644 new mode 100755 index 95684bc..d8f4506 --- a/debian/security-misc.config +++ b/debian/security-misc.config @@ -22,7 +22,7 @@ true " " check_migrate_permission_hardener_state() { - local modified_pkg_data_str custom_hardening_arr config_file + local pkg_list modified_pkg_data_str custom_hardening_arr config_file ## If folder /var/lib/permission-hardener (version 1) does not exist, this migration is unneeded. if [ ! -d '/var/lib/permission-hardener' ]; then @@ -35,6 +35,8 @@ check_migrate_permission_hardener_state() { fi mkdir --parents '/var/lib/security-misc/do_once' + source /usr/libexec/helper-scripts/package_installed_check.bsh + orig_hardening_arr=( '/usr/lib/permission-hardener.d/25_default_passwd.conf' '/usr/lib/permission-hardener.d/25_default_sudo.conf' 
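Review bot: The `local` line now adds `pkg_list` but keeps `config_file`, which none of the visible hunks reference, while the name the function actually assigns in the later loop, `custom_config_file`, is not declared local and so leaks into the caller's scope (the same appears true of `orig_hardening_arr`, assigned just below the `source` line). Since this declaration is being edited anyway, I would make it `local pkg_list modified_pkg_data_str custom_hardening_arr orig_hardening_arr custom_config_file`, dropping `config_file` only after confirming it is unused in the parts of the function outside this patch. The function body continues past the end of the hunk.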
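Review bot: `source /usr/libexec/helper-scripts/package_installed_check.bsh` is unguarded, and this is a debconf `.config` script, which runs at preconfiguration time before the package's ordinary Depends are guaranteed to be unpacked; unless security-misc declares a Pre-Depends on the package that ships that helper, the file can be absent and every later `pkg_installed` call fails with command-not-found (or aborts the script outright if it runs under `set -e`, which is outside this hunk). I would guard the `source` and fall back to a dpkg-only check so the migration still works on a fresh install. The status string test below assumes dpkg's `${db:Status-Status}` field; confirm it matches the minimum dpkg the package targets.
```shell
  if [ -f /usr/libexec/helper-scripts/package_installed_check.bsh ]; then
    source /usr/libexec/helper-scripts/package_installed_check.bsh
  else
    ## Fallback for preconfiguration, when helper-scripts may not be unpacked yet.
    pkg_installed() {
      dpkg-query --show --showformat='${db:Status-Status}\n' -- "$1" 2>/dev/null \
        | grep -q -x 'installed'
    }
  fi
```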
@@ -84,11 +86,24 @@ check_migrate_permission_hardener_state() { '/etc/permission-hardener.d/30_default.conf' ) + pkg_list="security-misc" + if pkg_installed user-sysmaint-split ; then + pkg_list+=" user-sysmaint-split" + fi + if pkg_installed anon-apps-config ; then + pkg_list+=" anon-apps-config" + fi + ## This will exit non-zero if some of the packages don't exist, but we ## don't care. The packages that *are* installed will still be scanned. - modified_pkg_data_str="$(dpkg -V security-misc user-sysmaint-split anon-apps-config)" || true + modified_pkg_data_str="$(dpkg --verify $pkg_list)" || true + + ## Example modified_pkg_data_str: + #modified_pkg_data_str='missing /usr/lib/permission-hardener.d/20_user-sysmaint-split.conf' + readarray -t custom_hardening_arr < <(awk '/permission-hardener.d/{ print $NF }' <<< "${modified_pkg_data_str}") - ## If the above `dpkg -V` command doesn't return any permission-hardener + + ## If the above `dpkg --verify` command doesn't return any permission-hardener ## related lines, the array will contain no meaningful info, just a single ## blank element at the start. Set the array to be explicitly empty in ## this scenario. @@ -113,7 +128,11 @@ check_migrate_permission_hardener_state() { if [ "${#custom_hardening_arr[@]}" != '0' ]; then for custom_config_file in "${custom_hardening_arr[@]}"; do - echo "$0: INFO: Possible custom configuration file found: '${custom_config_file}'" + if ! test -e "${custom_config_file}" ; then + echo "$0: INFO: Possible missing configuration file found: '${custom_config_file}'" + else + echo "$0: INFO: Possible custom configuration file found: '${custom_config_file}'" + fi done ## db_input will return code 30 if the message won't be displayed, which ## causes a non-interactive install to error out if you don't use || true
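Review bot: The comment kept above `dpkg --verify` ("This will exit non-zero if some of the packages don't exist") is now stale and incomplete: the two optional packages are filtered through `pkg_installed`, but `security-misc` itself is not, and during preconfiguration of a first install it is not installed yet, so dpkg will still complain on stderr; more importantly `dpkg --verify` also exits non-zero whenever it reports any modified or missing file, which is exactly the case this code wants to act on, so the `|| true` is load-bearing for a different reason than the comment states. Separately, `pkg_list` is built as a whitespace-joined string and expanded unquoted (`$pkg_list`) so that word splitting supplies the arguments; that works only while IFS is default and trips SC2086, and a bash array expresses the intent directly. I would rewrite the block as below; the awk post-processing is unchanged.
```shell
  pkg_list=( security-misc )
  if pkg_installed user-sysmaint-split ; then
    pkg_list+=( user-sysmaint-split )
  fi
  if pkg_installed anon-apps-config ; then
    pkg_list+=( anon-apps-config )
  fi

  ## dpkg --verify exits non-zero both when a listed package is not installed
  ## (security-misc itself may not be yet, during preconfiguration) and when it
  ## finds any modified or missing file, so the exit status is deliberately
  ## ignored; only the per-file report lines are used below.
  modified_pkg_data_str="$(dpkg --verify "${pkg_list[@]}")" || true
  ## … unchanged: example comment and readarray/awk extraction …
```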
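Review bot: The new `test -e` branch logs a file that dpkg reported as absent as "Possible missing configuration file found" at INFO level, which reads oddly and undersells what it presumably means: a packaged `permission-hardener.d` file is gone, so the hardening rules it carries are presumably no longer applied on this system. I would word that branch as a warning, e.g. `echo "$0: WARNING: Packaged permission-hardener configuration file is missing: '${custom_config_file}'"`, and leave the INFO line for the modified-file case. Note also that `test -e` is false for a dangling symlink, so such an entry is classified as missing rather than modified; that seems acceptable here but deserves a one-line comment above the `if`. The enclosing `if`/`for` and the function continue beyond the end of this hunk.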