Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-01-26 11:05:58 -05:00
Code Issues Packages Projects Releases Wiki Activity

Add option to disabe /sys hardening

Browse Source
This commit is contained in:
Daniel Winzen 2024-02-22 16:51:23 +01:00
parent 3bc1765dbb
commit ef44ecea44
No known key found for this signature in database
GPG Key ID: 222FCC3F35C41077
2 changed files with 43 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
etc/hide-hardware-info.d/30_default.conf
View File

@ -7,6 +7,9 @@
## Disable the /proc/cpuinfo whitelist. ## Disable the /proc/cpuinfo whitelist.
#cpuinfo_whitelist=0 #cpuinfo_whitelist=0
## Disable /sys hardening.
#sysfs=0
## Disable selinux mode. ## Disable selinux mode.
## https://www.whonix.org/wiki/Security-misc#selinux ## https://www.whonix.org/wiki/Security-misc#selinux
#selinux=0 #selinux=0

33
usr/libexec/security-misc/hide-hardware-info
View File

@ -8,6 +8,8 @@ set -e
sysfs_whitelist=1 sysfs_whitelist=1
cpuinfo_whitelist=1 cpuinfo_whitelist=1
sysfs=1
## https://www.whonix.org/wiki/Security-misc#selinux ## https://www.whonix.org/wiki/Security-misc#selinux
selinux=0 selinux=0
@ -53,6 +55,7 @@ for i in /proc/cpuinfo /proc/bus /proc/scsi /sys
do do
if [ -e "${i}" ]; then if [ -e "${i}" ]; then
if [ "${i}" = "/sys" ]; then if [ "${i}" = "/sys" ]; then
if [ "${sysfs}" = "1" ]; then
## Whitelist for /sys. ## Whitelist for /sys.
if [ "${sysfs_whitelist}" = "1" ]; then if [ "${sysfs_whitelist}" = "1" ]; then
create_whitelist sysfs create_whitelist sysfs
@ -60,6 +63,7 @@ do
chmod og-rwx /sys chmod og-rwx /sys
echo "INFO: The sysfs whitelist is not enabled. Some things may not work properly." echo "INFO: The sysfs whitelist is not enabled. Some things may not work properly."
fi fi
fi
elif [ "${i}" = "/proc/cpuinfo" ]; then elif [ "${i}" = "/proc/cpuinfo" ]; then
## Whitelist for /proc/cpuinfo. ## Whitelist for /proc/cpuinfo.
if [ "${cpuinfo_whitelist}" = "1" ]; then if [ "${cpuinfo_whitelist}" = "1" ]; then
@ -80,10 +84,12 @@ do
fi fi
done done
## restrict permissions on everything but
## what is needed if [ "${sysfs}" = "1" ]; then
for i in /sys/* /sys/fs/* ## restrict permissions on everything but
do ## what is needed
for i in /sys/* /sys/fs/*
do
## Using '|| true': ## Using '|| true':
## https://github.com/Kicksecure/security-misc/pull/108 ## https://github.com/Kicksecure/security-misc/pull/108
if [ "${sysfs_whitelist}" = "1" ]; then if [ "${sysfs_whitelist}" = "1" ]; then
@ -91,17 +97,17 @@ do
else else
chmod og-rwx "${i}" || true chmod og-rwx "${i}" || true
fi fi
done done
## polkit needs stat access to /sys/fs/cgroup ## polkit needs stat access to /sys/fs/cgroup
## to function properly ## to function properly
chmod o+rx /sys /sys/fs chmod o+rx /sys /sys/fs
## on SELinux systems, at least /sys/fs/selinux ## on SELinux systems, at least /sys/fs/selinux
## must be visible to unprivileged users, else ## must be visible to unprivileged users, else
## SELinux userspace utilities will not function ## SELinux userspace utilities will not function
## properly ## properly
if [ -d /sys/fs/selinux ]; then if [ -d /sys/fs/selinux ]; then
echo "INFO: SELinux detected because folder /sys/fs/selinux exists. See also:" echo "INFO: SELinux detected because folder /sys/fs/selinux exists. See also:"
echo "https://www.kicksecure.com/wiki/Security-misc#selinux" echo "https://www.kicksecure.com/wiki/Security-misc#selinux"
if [ "${selinux}" = "1" ]; then if [ "${selinux}" = "1" ]; then
@ -110,4 +116,5 @@ if [ -d /sys/fs/selinux ]; then
else else
echo "INFO: SELinux detected, but SELinux mode is not enabled. Some userspace utilities may not work properly." echo "INFO: SELinux detected, but SELinux mode is not enabled. Some userspace utilities may not work properly."
fi fi
fi
fi fi