From 7e016b563239e31c650aece115bb19af0395ec52 Mon Sep 17 00:00:00 2001
From: Aaron Rainbolt
Date: Sun, 28 Sep 2025 14:11:10 -0500
Subject: [PATCH 1/2] Allow users in the qubes group to access USBGuard IPC
---
 debian/security-misc-shared.install | 1 +
 debian/security-misc-shared.postinst | 1 +
 etc/usbguard/IPCAccessControl.d/:qubes#security-misc-shared | 1 +
 3 files changed, 3 insertions(+)
 create mode 100644 etc/usbguard/IPCAccessControl.d/:qubes#security-misc-shared
diff --git a/debian/security-misc-shared.install b/debian/security-misc-shared.install
index d56c3da..36e5867 100755
--- a/debian/security-misc-shared.install
+++ b/debian/security-misc-shared.install
@@ -14,6 +14,7 @@ etc/apparmor.d/tunables/home.d/security-misc#security-misc-shared => /etc/apparm
 etc/ssh/ssh_config.d/30_security-misc.conf#security-misc-shared => /etc/ssh/ssh_config.d/30_security-misc.conf
 etc/ssh/sshd_config.d/30_security-misc.conf#security-misc-shared => /etc/ssh/sshd_config.d/30_security-misc.conf
 etc/usbguard/IPCAccessControl.d/:sudo#security-misc-shared => /etc/usbguard/IPCAccessControl.d/:sudo
+etc/usbguard/IPCAccessControl.d/:qubes#security-misc-shared => /etc/usbguard/IPCAccessControl.d/:qubes
 etc/usbguard/rules.d/30_security-misc.conf#security-misc-shared => /etc/usbguard/rules.d/30_security-misc.conf
 etc/usbguard/usbguard-daemon.conf.security-misc#security-misc-shared => /etc/usbguard/usbguard-daemon.conf.security-misc
 etc/kernel/postinst.d/30_remove-system-map#security-misc-shared => /etc/kernel/postinst.d/30_remove-system-map
diff --git a/debian/security-misc-shared.postinst b/debian/security-misc-shared.postinst
index 6dfea78..f77f39a 100644
--- a/debian/security-misc-shared.postinst
+++ b/debian/security-misc-shared.postinst
@@ -96,6 +96,7 @@ case "$1" in
 '/etc/usbguard/rules.d/30_security-misc.conf'
 '/etc/usbguard/usbguard-daemon.conf.security-misc'
 '/etc/usbguard/IPCAccessControl.d/:sudo'
+ '/etc/usbguard/IPCAccessControl.d/:qubes'
 )
 for usbguard_config_file in "${usbguard_config_file_list[@]}"; do
 if test -f "${usbguard_config_file}"; then
diff --git a/etc/usbguard/IPCAccessControl.d/:qubes#security-misc-shared b/etc/usbguard/IPCAccessControl.d/:qubes#security-misc-shared
new file mode 100644
index 0000000..c12628a
--- /dev/null
+++ b/etc/usbguard/IPCAccessControl.d/:qubes#security-misc-shared
@@ -0,0 +1 @@
+Devices=listen
From 60f8153f64667718edbf9c048d5fa1d3c2ca1980 Mon Sep 17 00:00:00 2001
From: Aaron Rainbolt
Date: Sun, 28 Sep 2025 15:05:21 -0500
Subject: [PATCH 2/2] Fix emerg-shutdown gcc build, remove AddressSanitizer from hardening options since it is incompatible with static builds
---
 usr/libexec/security-misc/emerg-shutdown#security-misc-shared | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/usr/libexec/security-misc/emerg-shutdown#security-misc-shared b/usr/libexec/security-misc/emerg-shutdown#security-misc-shared
index 9c79237..b7a6e38 100755
--- a/usr/libexec/security-misc/emerg-shutdown#security-misc-shared
+++ b/usr/libexec/security-misc/emerg-shutdown#security-misc-shared
@@ -38,7 +38,7 @@ gcc_hardening_options=(
 "-Wcast-align=strict" "-Wjump-misses-init" "-Wlogical-op" "-U_FORTIFY_SOURCE" "-D_FORTIFY_SOURCE=3" "-fstack-clash-protection" "-fstack-protector-all" "-fno-delete-null-pointer-checks" "-fno-strict-aliasing"
- "-fsanitize=address,undefined" "-fno-sanitize-recover=all"
+ "-fsanitize=undefined" "-fno-sanitize-recover=all"
 "-fstrict-flex-arrays=3" "-ftrivial-auto-var-init=pattern" "-fPIE" )
@@ -78,7 +78,7 @@ else
 ## Build the actual emerg-shutdown executable
 if [ ! -f '/run/emerg-shutdown' ]; then
 gcc \
- -g
+ -g \
 /usr/src/security-misc/emerg-shutdown.c \
 -o \
 /run/emerg-shutdown \
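Review bot: Adding `'/etc/usbguard/IPCAccessControl.d/:qubes'` to `usbguard_config_file_list` only matters if whatever the loop does to each file is followed by a restart or reload of usbguard-daemon, because the daemon reads IPCAccessControl.d when it starts rather than watching the directory. The loop body and anything after it are outside the hunk, so I cannot see whether a running daemon is restarted on upgrade; if it is not, the new group grant is silently inert until the next boot or manual restart. Worth confirming, and worth a short comment above the array such as `## Changes here take effect only after usbguard-daemon is restarted.` so the next entry added here is handled the same way.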
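Review bot: The new ACL file resolves the group named in its filename at daemon start, and a `qubes` group may not exist on every host this package is installed on, so it is worth verifying that the targeted usbguard-daemon version treats an unresolvable `:qubes` name as a warning rather than a start-up failure; if it is fatal, the postinst should only deploy the file when `getent group qubes` succeeds. On the grant itself, `Devices=listen` gives the group only the listen privilege on the Devices section (device-presence and policy-change events) and neither `list` nor `modify`, which is the narrowest useful grant and is consistent with the leading `:` marking a group rule rather than a user rule. That rationale lives nowhere in the tree; the commit message is the only place recording why the `qubes` group needs it, so a pointer in the package docs or the postinst would help the next reviewer judge whether the scope is still right.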
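Review bot: Keeping `"-fsanitize=undefined"` with `"-fno-sanitize-recover=all"` still pulls in the libubsan runtime, which is the same static-linking concern the subject line raises for ASan; if the build is static as the subject suggests, `"-fsanitize-undefined-trap-on-error"` makes each UB check a `__builtin_trap()` with no runtime dependency, so the line could read `"-fsanitize=undefined" "-fsanitize-undefined-trap-on-error" "-fno-sanitize-recover=all"` (the recover flag then becomes redundant but harmless). Either way the chosen behaviour is abort-on-UB, which for an emergency-shutdown helper means a detected fault cancels the shutdown rather than degrading; that trade-off deserves a one-line comment next to the sanitizer entry, e.g. `## UB aborts the helper rather than continuing; a trap here is preferred over undefined behaviour in a shutdown path`. The `gcc_hardening_options` array opens before the hunk, so the remaining link flags that would confirm a static build are not visible here.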
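Review bot: The added `\` after `-g` is the real fix — without it the `gcc` command ended at `-g` and the following lines were executed as separate commands — but the same slip can recur on any line of this backslash-continued invocation, and the file already keeps its flags in the `gcc_hardening_options` array. Collecting the whole command in an array and expanding it once, e.g. `gcc_cmd=(gcc -g /usr/src/security-misc/emerg-shutdown.c -o /run/emerg-shutdown "${gcc_hardening_options[@]}")` followed by `"${gcc_cmd[@]}"`, removes the continuation lines and the failure mode entirely. The invocation continues past the end of the hunk, so I cannot see whether the array is already appended there or how a failed compile is reported.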