Fix minor migration bugs, don't run the migration code on new image builds

debian/make-helper-overrides.bsh

@@ -4,4 +4,4 @@
 ## See the file COPYING for copying conditions.
 
 ## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/24
-genmkfile_lintian_post_opts+=" --suppress-tags obsolete-command-in-modprobe.d-file"
+genmkfile_lintian_post_opts+=" --suppress-tags obsolete-command-in-modprobe.d-file --suppress-tags no-complete-debconf-translation"

debian/security-misc.config

@@ -8,61 +8,99 @@ source /usr/share/debconf/confmodule
 set -e
 
 check_migrate_permission_hardener_state() {
-   local orig_hardening_arr custom_hardening_arr config_file
+   local orig_hardening_arr custom_hardening_arr config_file custom_config_file
    if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then
      return 0
    fi
    mkdir --parents '/var/lib/security-misc/do_once'
 
-   # TODO: Is there some way to autogenerate this list at runtime?
-   orig_hardening_arr=(
-      '/usr/lib/permission-hardener.d/25_default_sudo.conf'
-      '/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf'
-      '/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf'
-      '/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf'
-      '/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf'
-      '/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf'
-      '/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf'
-      '/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf'
-      '/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf'
-      '/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf'
-      '/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf'
-      '/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf'
-      '/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf'
-      '/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf'
-      '/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf'
-      '/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf'
-      '/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf'
-      '/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf'
-      '/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf'
-      '/usr/lib/permission-hardener.d/20_user-sysmaint-split.conf'
-      '/usr/lib/permission-hardener.d/30_ping.conf'
-      '/usr/lib/permission-hardener.d/30_default.conf'
-   )
-   readarray -t custom_hardening_arr < <(dpkg -V | awk '/permission-hardener.d/{ print $NF }')
+   if [ -d '/var/lib/permission-hardener' ]; then
+      orig_hardening_arr=(
+         '/usr/lib/permission-hardener.d/25_default_passwd.conf'
+         '/usr/lib/permission-hardener.d/25_default_sudo.conf'
+         '/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf'
+         '/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf'
+         '/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf'
+         '/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf'
+         '/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf'
+         '/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf'
+         '/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf'
+         '/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf'
+         '/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf'
+         '/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf'
+         '/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf'
+         '/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf'
+         '/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf'
+         '/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf'
+         '/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf'
+         '/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf'
+         '/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf'
+         '/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf'
+         '/usr/lib/permission-hardener.d/20_user-sysmaint-split.conf'
+         '/usr/lib/permission-hardener.d/30_ping.conf'
+         '/usr/lib/permission-hardener.d/30_default.conf'
+         '/etc/permission-hardener.d/25_default_passwd.conf'
+         '/etc/permission-hardener.d/25_default_sudo.conf'
+         '/etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf'
+         '/etc/permission-hardener.d/25_default_whitelist_chromium.conf'
+         '/etc/permission-hardener.d/25_default_whitelist_dbus.conf'
+         '/etc/permission-hardener.d/25_default_whitelist_firejail.conf'
+         '/etc/permission-hardener.d/25_default_whitelist_fuse.conf'
+         '/etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf'
+         '/etc/permission-hardener.d/25_default_whitelist_mount.conf'
+         '/etc/permission-hardener.d/25_default_whitelist_pam.conf'
+         '/etc/permission-hardener.d/25_default_whitelist_passwd.conf'
+         '/etc/permission-hardener.d/25_default_whitelist_policykit.conf'
+         '/etc/permission-hardener.d/25_default_whitelist_postfix.conf'
+         '/etc/permission-hardener.d/25_default_whitelist_qubes.conf'
+         '/etc/permission-hardener.d/25_default_whitelist_selinux.conf'
+         '/etc/permission-hardener.d/25_default_whitelist_spice.conf'
+         '/etc/permission-hardener.d/25_default_whitelist_ssh.conf'
+         '/etc/permission-hardener.d/25_default_whitelist_sudo.conf'
+         '/etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf'
+         '/etc/permission-hardener.d/25_default_whitelist_virtualbox.conf'
+         '/etc/permission-hardener.d/20_user-sysmaint-split.conf'
+         '/etc/permission-hardener.d/30_ping.conf'
+         '/etc/permission-hardener.d/30_default.conf'
+      )
 
-   for config_file in \
-      /usr/lib/permission-hardener.d/*.conf \
-      /etc/permission-hardener.d/*.conf \
-      /usr/local/etc/permission-hardener.d/*.conf \
-      /etc/permission-hardening.d/*.conf \
-      /usr/local/etc/permission-hardening.d/*.conf
-   do
-      # shellcheck disable=SC2076
-      if ! [[ " ${orig_hardening_arr[*]} " =~ " ${config_file} " ]]; then
-         custom_hardening_arr+=( "${config_file}" )
+      readarray -t custom_hardening_arr < <(dpkg -V | awk '/permission-hardener.d/{ print $NF }')
+      ## If the above `dpkg -V` command doesn't return any permission-hardener
+      ## related lines, the array will contain no meaningful info, just a single
+      ## blank element at the start. Set the array to be explicitly empty in
+      ## this scenario.
+      if [ -z "${custom_hardening_arr[0]}" ]; then
+         custom_hardening_arr=()
+      fi
+
+      for config_file in \
+         /usr/lib/permission-hardener.d/*.conf \
+         /etc/permission-hardener.d/*.conf \
+         /usr/local/etc/permission-hardener.d/*.conf \
+         /etc/permission-hardening.d/*.conf \
+         /usr/local/etc/permission-hardening.d/*.conf
+      do
+         # shellcheck disable=SC2076
+         if ! [[ " ${orig_hardening_arr[*]} " =~ " ${config_file} " ]]; then
+            if [ -f "${config_file}" ]; then
+               custom_hardening_arr+=( "${config_file}" )
+            fi
+         fi
+      done
+
+      if [ "${#custom_hardening_arr[@]}" != '0' ]; then
+         for custom_config_file in "${custom_hardening_arr[@]}"; do
+            echo "INFO: Possible custom configuration file found: '${custom_config_file}'"
+         done
+         ## db_input will return code 30 if the message won't be displayed, which
+         ## causes a non-interactive install to error out if you don't use || true
+         db_input critical security-misc/alert-on-permission-hardener-v2-upgrade || true
+         ## db_go can return code 30 too in some instances, we don't care here
+         # shellcheck disable=SC2119
+         db_go || true
       fi
-   done
 
-   if [ "${#custom_hardening_arr[@]}" != '0' ]; then
-      ## db_input will return code 30 if the message won't be displayed, which
-      ## causes a non-interactive install to error out if you don't use || true
-      db_input critical security-misc/alert-on-permission-hardener-v2-upgrade || true
-      ## db_go can return code 30 too in some instances, we don't care here
-      # shellcheck disable=SC2119
-      db_go || true
    fi
-
    touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1"
 }
 

debian/security-misc.postinst

@@ -38,51 +38,16 @@ permission_hardening() {
 }
 
 migrate_permission_hardener_state() {
-   local v2_state_file
-
    if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then
      return 0
    fi
    mkdir --parents '/var/lib/security-misc/do_once'
 
-   ## This has to be stored in the postinst rather than installed by the
-   ## package, because permission-hardener *will* change it and we *cannot*
-   ## allow future package updates to overwrite it.
-   v2_state_file="root root 644 /etc/passwd-
-root root 755 /etc/cron.monthly
-root root 755 /etc/sudoers.d
-root shadow 2755 /usr/bin/expiry
-root root 4755 /usr/bin/umount
-root root 4755 /usr/bin/gpasswd
-root root 755 /usr/lib/modules
-root root 644 /etc/issue.net
-root root 644 /etc/group-
-root root 4755 /usr/bin/newgrp
-root root 755 /etc/cron.weekly
-root root 644 /etc/hosts.deny
-root root 4755 /usr/bin/su
-root root 644 /etc/hosts.allow
-root root 700 /root
-root root 755 /etc/cron.daily
-root root 755 /bin/ping
-root root 777 /etc/motd
-root root 755 /boot
-root root 755 /home
-root shadow 2755 /usr/bin/chage
-root root 4755 /usr/bin/chsh
-root root 4755 /usr/bin/passwd
-root root 4755 /usr/bin/chfn
-root root 644 /etc/group
-root root 755 /etc/permission-hardener.d
-root root 644 /etc/passwd
-root root 755 /usr/src
-root root 4755 /usr/bin/mount
-root root 777 /etc/issue
-root root 755 /etc/cron.d"
+   if [ -d '/var/lib/permission-hardener' ]; then
+      mkdir --parents '/var/lib/permission-hardener-v2/existing_mode'
+      cp '/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded' '/var/lib/permission-hardener-v2/existing_mode/statoverride'
+   fi
 
-   ## Not using sponge since moreutils might not be installed at this point.
-   mkdir --parents '/var/lib/permission-hardener-v2/existing_mode'
-   echo "${v2_state_file}" > '/var/lib/permission-hardener-v2/existing_mode/statoverride'
    touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1"
 }
 

usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded

@@ -0,0 +1,33 @@
+root root 644 /etc/passwd-
+root root 755 /etc/cron.monthly
+root root 755 /etc/sudoers.d
+root shadow 2755 /usr/bin/expiry
+root root 4755 /usr/bin/umount
+root root 4755 /usr/bin/gpasswd
+root root 755 /usr/lib/modules
+root root 644 /etc/issue.net
+root root 644 /etc/group-
+root root 4755 /usr/bin/newgrp
+root root 755 /etc/cron.weekly
+root root 644 /etc/hosts.deny
+root root 4755 /usr/bin/su
+root root 644 /etc/hosts.allow
+root root 700 /root
+root root 755 /etc/cron.daily
+root root 755 /bin/ping
+root root 777 /etc/motd
+root root 755 /boot
+root root 755 /home
+root shadow 2755 /usr/bin/chage
+root root 4755 /usr/bin/chsh
+root root 4755 /usr/bin/passwd
+root root 4755 /usr/bin/chfn
+root root 644 /etc/group
+root root 755 /etc/permission-hardener.d
+root root 644 /etc/passwd
+root root 755 /usr/src
+root root 4755 /usr/bin/mount
+root root 777 /etc/issue
+root root 755 /etc/cron.d
+root root 4755 /usr/bin/sudo
+root root 4755 /usr/bin/pkexec