mirror of
https://github.com/Kicksecure/security-misc.git
synced 2025-11-27 16:40:53 -05:00
Merge branch 'master' into panic_limits
This commit is contained in:
raja-grewal
GitHub
commit
e48897cc44
27 changed files with 522 additions and 236 deletions
|
|
@ -1,46 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## TODO: Move this to helper-scripts.
|
||||
|
||||
set -o errexit
|
||||
set -o nounset
|
||||
set -o errtrace
|
||||
set -o pipefail
|
||||
|
||||
command -v start-stop-daemon >/dev/null
|
||||
command -v timeout >/dev/null
|
||||
command -v apt-get >/dev/null
|
||||
|
||||
export LC_ALL=C
|
||||
pidfile="/run/helper-scripts/security-misc-apt-get-update-pid"
|
||||
|
||||
sigterm_trap() {
|
||||
/usr/libexec/helper-scripts/apt-get-update-kill-helper &>/dev/null
|
||||
exit 143
|
||||
}
|
||||
|
||||
## terminate potential previous invocations.
|
||||
/usr/libexec/helper-scripts/apt-get-update-kill-helper &>/dev/null
|
||||
|
||||
trap "sigterm_trap" SIGTERM SIGINT
|
||||
|
||||
[[ -v timeout_after ]] || timeout_after="600"
|
||||
[[ -v kill_after ]] || kill_after="10"
|
||||
|
||||
start-stop-daemon \
|
||||
--make-pidfile \
|
||||
--pidfile "$pidfile" \
|
||||
--exec /usr/bin/timeout \
|
||||
--start \
|
||||
-- \
|
||||
--kill-after="$kill_after" \
|
||||
"$timeout_after" \
|
||||
apt-get update --error-on=any "$@" &
|
||||
|
||||
lastpid="$!"
|
||||
wait "$lastpid"
|
||||
|
||||
exit "$?"
|
||||
|
|
@ -1,21 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
set -x
|
||||
set -e
|
||||
set -o pipefail
|
||||
|
||||
if ! printf '%s\n' "" | wc -l >/dev/null ; then
|
||||
printf '%s\n' "\
|
||||
$0: ERROR: command 'wc' test failed! Do not ignore this!
|
||||
|
||||
'wc' can core dump. Example:
|
||||
zsh: illegal hardware instruction (core dumped) wc -l
|
||||
https://github.com/rspamd/rspamd/issues/5137" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
wc -L "/var/lib/apt/lists/"*InRelease
|
||||
wc -L "/var/lib/apt/lists/"*InRelease | awk '$1 > 1024 {print; exit 1}'
|
||||
|
|
@ -7,4 +7,4 @@ set -e
|
|||
|
||||
title="$0: password required for $(whoami) to perform action as superuser"
|
||||
|
||||
zenity --password --title="$title"
|
||||
yad --password --title="$title"
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
#!/bin/bash
|
||||
|
||||
# Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
|
||||
# See the file COPYING for copying conditions.
|
||||
## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
set -o errexit
|
||||
set -o nounset
|
||||
|
|
@ -11,6 +11,27 @@ set -o pipefail
|
|||
## Make sure globs sort in a predictable, reproducible fashion
|
||||
export LC_ALL=C
|
||||
|
||||
in_dracut='false'
|
||||
if [ -f '/dracut-state.sh' ]; then
|
||||
in_dracut='true'
|
||||
fi
|
||||
binary_prefix='/run'
|
||||
EMERG_SHUTDOWN_KEYS=''
|
||||
root_devices[0]=''
|
||||
|
||||
## Taken from kloak/Makefile, see it for more information
|
||||
gcc_hardening_options=(
|
||||
"-Wall" "-Wformat" "-Wformat=2" "-Wconversion"
|
||||
"-Wimplicit-fallthrough" "-Werror=format-security" "-Werror=implicit"
|
||||
"-Werror=int-conversion" "-Werror=incompatible-pointer-types"
|
||||
"-Wtrampolines" "-Wbidi-chars=any" "-U_FORTIFY_SOURCE" "-D_FORTIFY_SOURCE=3"
|
||||
"-fstack-clash-protection" "-fstack-protector-strong"
|
||||
"-fno-delete-null-pointer-checks" "-fno-strict-overflow"
|
||||
"-fno-strict-aliasing" "-fsanitize=undefined" "-fcf-protection=full"
|
||||
"-Wl,-z,nodlopen" "-Wl,-z,noexecstack" "-Wl,-z,relro" "-Wl,-z,now"
|
||||
"-Wl,--as-needed" "-Wl,--no-copy-dt-needed-entries" "-pie"
|
||||
)
|
||||
|
||||
## Read emergency shutdown key configuration
|
||||
for config_file in /etc/security-misc/emerg-shutdown/*.conf /usr/local/etc/security-misc/emerg-shutdown/*.conf; do
|
||||
if [ -f "${config_file}" ]; then
|
||||
|
|
@ -18,38 +39,41 @@ for config_file in /etc/security-misc/emerg-shutdown/*.conf /usr/local/etc/secur
|
|||
source "${config_file}"
|
||||
fi
|
||||
done
|
||||
if [ -z "${EMERG_SHUTDOWN_KEYS}" ]; then
|
||||
## Default to Ctrl+Alt+Delete if nothing else is set
|
||||
EMERG_SHUTDOWN_KEYS="KEY_LEFTCTRL|KEY_RIGHTCTRL,KEY_LEFTALT|KEY_RIGHTALT,KEY_DELETE"
|
||||
fi
|
||||
|
||||
## Find the devices that make up the root device
|
||||
readarray -t root_devices < <(/usr/libexec/helper-scripts/get-backing-devices-for-mountpoint '/') || true;
|
||||
if [ "${#root_devices[@]}" = '0' ] \
|
||||
|| [ "${root_devices[0]}" == '' ]; then
|
||||
## /dev/sda1 might be the right one...
|
||||
root_devices[0]='/dev/sda1'
|
||||
fi
|
||||
if [ "${in_dracut}" = 'true' ]; then
|
||||
binary_prefix=''
|
||||
modprobe evdev || {
|
||||
printf '%s\n' 'Failed to load evdev driver!'
|
||||
exit 1
|
||||
}
|
||||
## modules may not work immediately after loaded, give them time to
|
||||
## initialize
|
||||
sleep 0.1
|
||||
else
|
||||
## Find the devices that make up the root device
|
||||
readarray -t root_devices < <(/usr/libexec/helper-scripts/get-backing-devices-for-mountpoint '/') || true;
|
||||
|
||||
## Build the actual emerg-shutdown executable
|
||||
if [ ! -f '/run/emerg-shutdown' ]; then
|
||||
gcc \
|
||||
-o \
|
||||
/run/emerg-shutdown \
|
||||
-static \
|
||||
/usr/src/security-misc/emerg-shutdown.c \
|
||||
|| {
|
||||
printf "%s\n" 'Could not compile force-shutdown executable!'
|
||||
exit 1;
|
||||
}
|
||||
## Build the actual emerg-shutdown executable
|
||||
if [ ! -f '/run/emerg-shutdown' ]; then
|
||||
gcc \
|
||||
-o \
|
||||
/run/emerg-shutdown \
|
||||
-static \
|
||||
"${gcc_hardening_options[@]}" \
|
||||
/usr/src/security-misc/emerg-shutdown.c \
|
||||
|| {
|
||||
printf "%s\n" 'Could not compile force-shutdown executable!'
|
||||
exit 1
|
||||
}
|
||||
fi
|
||||
|
||||
## memlockd daemonizes itself, so no need to background it.
|
||||
memlockd -c /usr/share/security-misc/security-misc-memlockd.cfg || true
|
||||
fi
|
||||
|
||||
systemd-notify --ready
|
||||
|
||||
## memlockd daemonizes itself, so no need to background it.
|
||||
memlockd -c /usr/share/security-misc/security-misc-memlockd.cfg || true
|
||||
|
||||
## Launch emerg-shutdown
|
||||
OLDIFS="$IFS"
|
||||
IFS=','
|
||||
/run/emerg-shutdown "--devices=${root_devices[*]}" "--keys=${EMERG_SHUTDOWN_KEYS}"
|
||||
"${binary_prefix}/emerg-shutdown" "--devices=${root_devices[*]}" "--keys=${EMERG_SHUTDOWN_KEYS}"
|
||||
|
|
|
|||
|
|
@ -17,10 +17,14 @@ fi
|
|||
## to run after an inconsistent state is triggered by a potentially
|
||||
## flawed processes. The reasons for the errors could be kernel
|
||||
## exploit attempts but may also simply be general software bugs.
|
||||
##
|
||||
## https://docs.kernel.org/admin-guide/sysctl/kernel.html#oops-limit
|
||||
sysctl kernel.oops_limit=1
|
||||
## https://docs.kernel.org/admin-guide/sysctl/kernel.html#warn-limit
|
||||
sysctl kernel.warn_limit=1
|
||||
|
||||
## Makes the system immediately reboot on the occurrence of a single
|
||||
## kernel panic. This reduces the risk and impact of denial of
|
||||
## service attacks and both cold and warmm boot attacks.
|
||||
## https://docs.kernel.org/admin-guide/sysctl/kernel.html#panic
|
||||
sysctl kernel.panic=-1
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue