Merge branch 'master' into panic_limits

usr/lib/dracut/modules.d/99emerg-shutdown/module-setup.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+
+## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## called by dracut
+check() {
+  require_binaries /run/emerg-shutdown || return 1
+  return 255
+}
+
+## called by dracut
+depends() {
+  echo 'systemd bash'
+  return 0
+}
+
+## called by dracut
+install() {
+  local config_file
+
+  inst systemd-notify
+
+  inst_simple /usr/libexec/security-misc/emerg-shutdown
+  inst_simple /usr/share/security-misc/emerg-shutdown-initramfs.service /usr/lib/systemd/system/emerg-shutdown-initramfs.service
+  inst_simple /run/emerg-shutdown /emerg-shutdown
+
+  for config_file in /etc/security-misc/emerg-shutdown/*.conf; do
+    if [ -f "${config_file}" ]; then
+      inst_multiple /etc/security-misc/emerg-shutdown/*.conf
+      break
+    fi
+  done
+  for config_file in /usr/local/etc/security-misc/emerg-shutdown/*.conf; do
+    if [ -f "${config_file}" ]; then
+      inst_multiple /usr/local/etc/security-misc/emerg-shutdown/*.conf
+      break
+    fi
+  done
+
+  mkdir -p "${initdir}/usr/lib/systemd/system/initrd.target.wants"
+  ln -s '../emerg-shutdown-initramfs.service' "${initdir}/usr/lib/systemd/system/initrd.target.wants/emerg-shutdown-initramfs.service"
+}
+
+## called by dracut
+installkernel () {
+  hostonly='' instmods evdev
+}

usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf

@@ -6,14 +6,14 @@
 ## configuration. When security-misc is updated, this file may be overwritten.
 
 ## Used for SSH client key management
-## https://manpages.debian.org/bookworm/openssh-client/ssh-agent.1.en.html
+## https://manpages.debian.org/ssh-agent
 ## Debian installs ssh-agent with setgid permissions (2755) and with
 ## _ssh as the group to help mitigate ptrace attacks that could extract
 ## private keys from the agent's memory.
 ssh-agent matchwhitelist
 
 ## Used only for SSH host-based authentication
-## https://linux.die.net/man/8/ssh-keysign
+## https://manpages.debian.org/ssh-keysign
 ## Needed to allow access to the machine's host key for use in the
 ## authentication process. This is a non-default method of authenticating to
 ## SSH, and is likely rarely used, thus this should be safe to disable.

usr/lib/sysctl.d/990-security-misc.conf

@@ -202,19 +202,17 @@ kernel.perf_event_paranoid=3
 ## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
 ## Can lead to privilege escalation by pushing characters into a controlling TTY.
 ## Will break out-dated screen readers that continue to rely on this legacy functionality.
+## Note this was already disabled by default as of Linux kernel 6.2.
 ##
 ## https://lore.kernel.org/lkml/20221228205726.rfevry7ud6gmttg5@begin/T/
 ##
 ## KSPP=yes
 ## KSPP sets the sysctl and does not set CONFIG_LEGACY_TIOCSTI.
 ##
-## TODO: Debian 13 Trixie
-## This is disabled by default when using Linux kernel >= 6.2.
-##
 dev.tty.legacy_tiocsti=0
 
 ## Disable asynchronous I/O for all processes.
-## Leading cause of numerous kernel exploits.
+## Use of io_uring has been the leading cause of numerous kernel exploits.
 ## Disabling will reduce the read/write performance of storage devices.
 ##
 ## https://en.wikipedia.org/wiki/Io_uring#Security
@@ -223,9 +221,6 @@ dev.tty.legacy_tiocsti=0
 ## https://github.com/moby/moby/pull/46762
 ## https://forums.whonix.org/t/io-uring-security-vulnerabilties/16890
 ##
-## TODO: Debian 13 Trixie
-## Applicable when using Linux kernel >= 6.6 (retained here for future-proofing and completeness).
-##
 kernel.io_uring_disabled=2
 
 ## 2. User Space:

usr/lib/systemd/system-preset/50-security-misc.preset

@@ -18,7 +18,11 @@ disable proc-hidepid.service
 ## https://github.com/Kicksecure/security-misc/issues/159
 disable harden-module-loading.service
 
+## TODO: polish, test
 ## Disable due to timing difficulties. See:
 ## https://github.com/systemd/systemd/issues/38261#issuecomment-3134580852
 disable ensure-shutdown.service
 disable ensure-shutdown-trigger.service
+
+## TODO: Disabled due to bug: breaks ISO Live Mode Calamares installer
+disable emerg-shutdown.service

usr/lib/systemd/system/emerg-shutdown.service

@@ -6,10 +6,10 @@ Description=Emergency shutdown when boot media is removed
 Documentation=https://github.com/Kicksecure/security-misc
 DefaultDependencies=no
 Before=sysinit.target
-Requires=udev.service
-After=udev.service
-Requires=local-fs.service
-After=local-fs.service
+Requires=systemd-udevd.service
+After=systemd-udevd.service
+Requires=local-fs.target
+After=local-fs.target
 
 [Service]
 Type=notify

usr/lib/systemd/system/ensure-shutdown.service

@@ -9,8 +9,8 @@ Description=Forcibly shut down the system if normal shutdown gets stuck
 Documentation=https://github.com/Kicksecure/security-misc
 DefaultDependencies=no
 Before=sysinit.target
-Requires=udev.service
-After=udev.service
+Requires=systemd-udevd.service
+After=systemd-udevd.service
 Wants=emerg-shutdown.service
 After=emerg-shutdown.service