Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-05-22 19:31:11 -04:00
Code Issues Projects Releases Packages Wiki Activity

improve output

Browse source 
https://github.com/Kicksecure/security-misc/issues/172
This commit is contained in:
Patrick Schleizer 2024-02-26 07:52:41 -05:00
parent f2958bbfa5
commit cf84762a3a
No known key found for this signature in database
GPG key ID: CB8D50BB77BB3C48
1 changed files with 17 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

25
usr/libexec/security-misc/hide-hardware-info
View file

@ -5,6 +5,13 @@
set -e set -e
run_cmd() {
echo "INFO: executing: $@"
"$@"
}
echo "$0: INFO: START"
sysfs_whitelist=1 sysfs_whitelist=1
cpuinfo_whitelist=1 cpuinfo_whitelist=1
@ -36,9 +43,9 @@ create_whitelist() {
## Changing the permissions of /sys recursively ## Changing the permissions of /sys recursively
## causes errors as the permissions of /sys/kernel/debug ## causes errors as the permissions of /sys/kernel/debug
## and /sys/fs/cgroup cannot be changed. ## and /sys/fs/cgroup cannot be changed.
chgrp -fR "${1}" "${whitelist_path}" || true run_cmd chgrp -fR "${1}" "${whitelist_path}" || true
chmod o-rwx "${whitelist_path}" run_cmd chmod o-rwx "${whitelist_path}"
else else
echo "ERROR: The ${1} group does not exist, the ${1} whitelist was not created." echo "ERROR: The ${1} group does not exist, the ${1} whitelist was not created."
fi fi
@ -60,7 +67,7 @@ do
if [ "${sysfs_whitelist}" = "1" ]; then if [ "${sysfs_whitelist}" = "1" ]; then
create_whitelist sysfs create_whitelist sysfs
else else
chmod og-rwx /sys run_cmd chmod og-rwx /sys
echo "INFO: The sysfs whitelist is not enabled. Some things may not work properly." echo "INFO: The sysfs whitelist is not enabled. Some things may not work properly."
fi fi
fi fi
@ -69,7 +76,7 @@ do
if [ "${cpuinfo_whitelist}" = "1" ]; then if [ "${cpuinfo_whitelist}" = "1" ]; then
create_whitelist cpuinfo create_whitelist cpuinfo
else else
chmod og-rwx /proc/cpuinfo run_cmd chmod og-rwx /proc/cpuinfo
echo "INFO: The cpuinfo whitelist is not enabled. Some things may not work properly." echo "INFO: The cpuinfo whitelist is not enabled. Some things may not work properly."
fi fi
else else
@ -93,15 +100,15 @@ if [ "${sysfs}" = "1" ]; then
## Using '|| true': ## Using '|| true':
## https://github.com/Kicksecure/security-misc/pull/108 ## https://github.com/Kicksecure/security-misc/pull/108
if [ "${sysfs_whitelist}" = "1" ]; then if [ "${sysfs_whitelist}" = "1" ]; then
chmod o-rwx "${i}" || true run_cmd chmod o-rwx "${i}" || true
else else
chmod og-rwx "${i}" || true run_cmd chmod og-rwx "${i}" || true
fi fi
done done
## polkit needs stat access to /sys/fs/cgroup ## polkit needs stat access to /sys/fs/cgroup
## to function properly ## to function properly
chmod o+rx /sys /sys/fs run_cmd chmod o+rx /sys /sys/fs
## on SELinux systems, at least /sys/fs/selinux ## on SELinux systems, at least /sys/fs/selinux
## must be visible to unprivileged users, else ## must be visible to unprivileged users, else
@ -111,10 +118,12 @@ if [ "${sysfs}" = "1" ]; then
echo "INFO: SELinux detected because folder /sys/fs/selinux exists. See also:" echo "INFO: SELinux detected because folder /sys/fs/selinux exists. See also:"
echo "https://www.kicksecure.com/wiki/Security-misc#selinux" echo "https://www.kicksecure.com/wiki/Security-misc#selinux"
if [ "${selinux}" = "1" ]; then if [ "${selinux}" = "1" ]; then
chmod o+rx /sys /sys/fs /sys/fs/selinux run_cmd chmod o+rx /sys /sys/fs /sys/fs/selinux
echo "INFO: SELinux mode enabled. Restrictions loosened slightly in order to allow userspace utilities to function." echo "INFO: SELinux mode enabled. Restrictions loosened slightly in order to allow userspace utilities to function."
else else
echo "INFO: SELinux detected, but SELinux mode is not enabled. Some userspace utilities may not work properly." echo "INFO: SELinux detected, but SELinux mode is not enabled. Some userspace utilities may not work properly."
fi fi
fi fi
fi fi
echo "$0: INFO: END"