Merge branch 'Kicksecure:master' into blacklist_to_disable

changelog.upstream

@@ -1,3 +1,59 @@
+commit 64f8b2eb5870664fca06aa060f2f50af358ced55
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Sun Jul 21 06:36:22 2024 -0400
+
+    Revert "no longer disable Intel ME related kernel modules"
+    
+    This reverts commit 6157e328f40a7f3780208489b1ffecef8e6d738a.
+    
+    https://www.kicksecure.com/wiki/Out-of-band_Management_Technology#Intel_ME_Kernel_Modules
+    
+    https://github.com/Kicksecure/security-misc/issues/239
+
+commit 04fb00572f2e4c9bdfaaa0f6da8007999daab641
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Sat Jul 20 17:02:05 2024 +0000
+
+    bumped changelog version
+
+commit f0a478c7c91697988926a73d3a1880dd8caaca68
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Sat Jul 20 12:57:56 2024 -0400
+
+    permission hardener: allow postfix
+    
+    postqueue matchwhitelist
+    postdrop matchwhitelist
+
+commit 9f53a0182b5f6a7cf8228bf19b04661d39c7a2fe
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Fri Jul 19 07:20:59 2024 -0400
+
+    undo io_uring related changes
+    
+    as these should be done in a separate pull request (if apprpriate)
+    
+    https://github.com/Kicksecure/security-misc/pull/244#issuecomment-2238889062
+
+commit 8791aecb38a41aa0b0c108505726bc6a1ace903e
+Merge: 2d11436 06894d1
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Fri Jul 19 07:19:09 2024 -0400
+
+    Merge remote-tracking branch 'raja/fixes'
+
+commit 06894d1c98e91f43af58cc438559ea76b6a361e3
+Author: Raja Grewal <rg_public@proton.me>
+Date:   Fri Jul 19 18:30:42 2024 +1000
+
+    Typo
+
+commit 2d11436432d3b2b75f84b05550de06cd77ec6e79
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Thu Jul 18 18:05:07 2024 +0000
+
+    bumped changelog version
+
 commit cac5bbad99a9c083c5b5f85f07c7368287c64f72
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Thu Jul 18 14:04:00 2024 -0400
@@ -34,6 +90,30 @@ Date:   Thu Jul 18 14:05:23 2024 +0000
 
     bumped changelog version
 
+commit 95286df50274953326accb615487e21d409b652a
+Author: Raja Grewal <rg_public@proton.me>
+Date:   Thu Jul 18 15:28:31 2024 +1000
+
+    Update README.md regarding secure ICMP redirects
+
+commit 13cc1f0986033855a399b50442a86a8d8552eb96
+Author: Raja Grewal <rg_public@proton.me>
+Date:   Thu Jul 18 12:25:00 2024 +1000
+
+    Clarify (future) disabling of `io_uring`
+
+commit 9e6facda7017498e8310a9c39403e95e81c5a903
+Author: Raja Grewal <rg_public@proton.me>
+Date:   Thu Jul 18 12:21:37 2024 +1000
+
+    Update module disabling presentation
+
+commit faa9181a6c0c78b9471c9a4e6bdd3291aec704f6
+Author: Raja Grewal <rg_public@proton.me>
+Date:   Thu Jul 18 12:19:27 2024 +1000
+
+    Typos
+
 commit d454f36c63bd653e47353fb1c93107b2d5584fe2
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Wed Jul 17 11:52:29 2024 -0400

debian/changelog

@@ -1,3 +1,15 @@
+security-misc (3:38.3-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@whonix.org>  Sun, 21 Jul 2024 10:40:13 +0000
+
+security-misc (3:38.2-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@whonix.org>  Sat, 20 Jul 2024 17:02:04 +0000
+
 security-misc (3:38.1-1) unstable; urgency=medium
 
   * New upstream version (local package).

etc/modprobe.d/30_security-misc_disable.conf

@@ -127,18 +127,18 @@ install gnss-usb /usr/bin/disabled-gps-by-security-misc
 ## https://github.com/Kicksecure/security-misc/pull/236#issuecomment-2229092813
 ## https://github.com/Kicksecure/security-misc/issues/239
 ##
-#install mei /usr/bin/disabled-intelme-by-security-misc
-#install mei-gsc /usr/bin/disabled-intelme-by-security-misc
-#install mei_gsc_proxy /usr/bin/disabled-intelme-by-security-misc
-#install mei_hdcp /usr/bin/disabled-intelme-by-security-misc
-#install mei-me /usr/bin/disabled-intelme-by-security-misc
-#install mei_phy /usr/bin/disabled-intelme-by-security-misc
-#install mei_pxp /usr/bin/disabled-intelme-by-security-misc
-#install mei-txe /usr/bin/disabled-intelme-by-security-misc
-#install mei-vsc /usr/bin/disabled-intelme-by-security-misc
-#install mei-vsc-hw /usr/bin/disabled-intelme-by-security-misc
-#install mei_wdt /usr/bin/disabled-intelme-by-security-misc
-#install microread_mei /usr/bin/disabled-intelme-by-security-misc
+install mei /usr/bin/disabled-intelme-by-security-misc
+install mei-gsc /usr/bin/disabled-intelme-by-security-misc
+install mei_gsc_proxy /usr/bin/disabled-intelme-by-security-misc
+install mei_hdcp /usr/bin/disabled-intelme-by-security-misc
+install mei-me /usr/bin/disabled-intelme-by-security-misc
+install mei_phy /usr/bin/disabled-intelme-by-security-misc
+install mei_pxp /usr/bin/disabled-intelme-by-security-misc
+install mei-txe /usr/bin/disabled-intelme-by-security-misc
+install mei-vsc /usr/bin/disabled-intelme-by-security-misc
+install mei-vsc-hw /usr/bin/disabled-intelme-by-security-misc
+install mei_wdt /usr/bin/disabled-intelme-by-security-misc
+install microread_mei /usr/bin/disabled-intelme-by-security-misc
 
 ## Intel Platform Monitoring Technology Telemetry (PMT):
 ## Disable some functionality of the Intel PMT components.

etc/permission-hardener.d/25_default_whitelist_postfix.conf

@@ -0,0 +1,9 @@
+## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+postqueue matchwhitelist
+postdrop matchwhitelist