Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2024-10-01 08:25:45 -04:00
Code Issues Packages Projects Releases Wiki Activity

improve output

Browse Source 
https://github.com/Kicksecure/security-misc/issues/172
This commit is contained in:
Patrick Schleizer 2024-02-26 07:52:41 -05:00
parent f2958bbfa5
commit cf84762a3a
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
1 changed files with 17 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
usr/libexec/security-misc/hide-hardware-info
View File

@ -5,6 +5,13 @@
set -e
run_cmd() {
echo "INFO: executing: $@"
"$@"
}
echo "$0: INFO: START"
sysfs_whitelist=1
cpuinfo_whitelist=1
@ -36,9 +43,9 @@ create_whitelist() {
## Changing the permissions of /sys recursively
## causes errors as the permissions of /sys/kernel/debug
## and /sys/fs/cgroup cannot be changed.
chgrp -fR "${1}" "${whitelist_path}" || true
run_cmd chgrp -fR "${1}" "${whitelist_path}" || true
chmod o-rwx "${whitelist_path}"
run_cmd chmod o-rwx "${whitelist_path}"
else
echo "ERROR: The ${1} group does not exist, the ${1} whitelist was not created."
fi
@ -60,7 +67,7 @@ do
if [ "${sysfs_whitelist}" = "1" ]; then
create_whitelist sysfs
else
chmod og-rwx /sys
run_cmd chmod og-rwx /sys
echo "INFO: The sysfs whitelist is not enabled. Some things may not work properly."
fi
fi
@ -69,7 +76,7 @@ do
if [ "${cpuinfo_whitelist}" = "1" ]; then
create_whitelist cpuinfo
else
chmod og-rwx /proc/cpuinfo
run_cmd chmod og-rwx /proc/cpuinfo
echo "INFO: The cpuinfo whitelist is not enabled. Some things may not work properly."
fi
else
@ -93,15 +100,15 @@ if [ "${sysfs}" = "1" ]; then
## Using '|| true':
## https://github.com/Kicksecure/security-misc/pull/108
if [ "${sysfs_whitelist}" = "1" ]; then
chmod o-rwx "${i}" || true
run_cmd chmod o-rwx "${i}" || true
else
chmod og-rwx "${i}" || true
run_cmd chmod og-rwx "${i}" || true
fi
done
## polkit needs stat access to /sys/fs/cgroup
## to function properly
chmod o+rx /sys /sys/fs
run_cmd chmod o+rx /sys /sys/fs
## on SELinux systems, at least /sys/fs/selinux
## must be visible to unprivileged users, else
@ -111,10 +118,12 @@ if [ "${sysfs}" = "1" ]; then
echo "INFO: SELinux detected because folder /sys/fs/selinux exists. See also:"
echo "https://www.kicksecure.com/wiki/Security-misc#selinux"
if [ "${selinux}" = "1" ]; then
chmod o+rx /sys /sys/fs /sys/fs/selinux
run_cmd chmod o+rx /sys /sys/fs /sys/fs/selinux
echo "INFO: SELinux mode enabled. Restrictions loosened slightly in order to allow userspace utilities to function."
else
echo "INFO: SELinux detected, but SELinux mode is not enabled. Some userspace utilities may not work properly."
fi
fi
fi
echo "$0: INFO: END"