From f0a478c7c91697988926a73d3a1880dd8caaca68 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sat, 20 Jul 2024 12:57:56 -0400
Subject: [PATCH 1/4] permission hardener: allow postfix
postqueue matchwhitelist
postdrop matchwhitelist
---
 .../25_default_whitelist_postfix.conf | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 etc/permission-hardener.d/25_default_whitelist_postfix.conf
diff --git a/etc/permission-hardener.d/25_default_whitelist_postfix.conf b/etc/permission-hardener.d/25_default_whitelist_postfix.conf
new file mode 100644
index 0000000..d15b564
--- /dev/null
+++ b/etc/permission-hardener.d/25_default_whitelist_postfix.conf
@@ -0,0 +1,9 @@
+## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+postqueue matchwhitelist
+postdrop matchwhitelist
From 04fb00572f2e4c9bdfaaa0f6da8007999daab641 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sat, 20 Jul 2024 17:02:05 +0000
Subject: [PATCH 2/4] bumped changelog version
---
 changelog.upstream | 62 ++++++++++++++++++++++++++++++++++++++++++++++
 debian/changelog | 6 +++++
 2 files changed, 68 insertions(+)
diff --git a/changelog.upstream b/changelog.upstream
index 8ba26aa..6e8633a 100644
--- a/changelog.upstream
+++ b/changelog.upstream
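Review bot: The two whitelist entries at the end of the new file carry no rationale, so a later maintainer cannot tell why postqueue and postdrop are exempted from the permission hardener or what stops working if the exemption is dropped. Both are Postfix's set-group-ID mail-submission helpers, and stripping their group bit prevents unprivileged users from handing mail to the queue; that belongs next to the entries, e.g. `## postqueue and postdrop are Postfix's setgid submission helpers; without` / `## the group bit unprivileged users can no longer hand mail to the queue.`. The entries use matchwhitelist with a bare name rather than a path, so if that keyword matches by substring (as its name suggests) it also exempts any other binary whose path contains these strings; if the hardener offers an exact-path form (`exactwhitelist`, if supported here), listing `/usr/sbin/postqueue` and `/usr/sbin/postdrop` with it would narrow the exemption to the two binaries actually intended. The file is shipped whether or not Postfix is installed, which is only harmless if a whitelist entry that matches nothing is a no-op — worth confirming against the hardener script.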
@@ -1,3 +1,41 @@ +commit f0a478c7c91697988926a73d3a1880dd8caaca68 +Author: Patrick Schleizer +Date: Sat Jul 20 12:57:56 2024 -0400 + + permission hardener: allow postfix + + postqueue matchwhitelist + postdrop matchwhitelist + +commit 9f53a0182b5f6a7cf8228bf19b04661d39c7a2fe +Author: Patrick Schleizer +Date: Fri Jul 19 07:20:59 2024 -0400 + + undo io_uring related changes + + as these should be done in a separate pull request (if apprpriate) + + https://github.com/Kicksecure/security-misc/pull/244#issuecomment-2238889062 + +commit 8791aecb38a41aa0b0c108505726bc6a1ace903e +Merge: 2d11436 06894d1 +Author: Patrick Schleizer +Date: Fri Jul 19 07:19:09 2024 -0400 + + Merge remote-tracking branch 'raja/fixes' + +commit 06894d1c98e91f43af58cc438559ea76b6a361e3 +Author: Raja Grewal +Date: Fri Jul 19 18:30:42 2024 +1000 + + Typo + +commit 2d11436432d3b2b75f84b05550de06cd77ec6e79 +Author: Patrick Schleizer +Date: Thu Jul 18 18:05:07 2024 +0000 + + bumped changelog version + commit cac5bbad99a9c083c5b5f85f07c7368287c64f72 Author: Patrick Schleizer Date: Thu Jul 18 14:04:00 2024 -0400 @@ -34,6 +72,30 @@ Date: Thu Jul 18 14:05:23 2024 +0000 bumped changelog version +commit 95286df50274953326accb615487e21d409b652a +Author: Raja Grewal +Date: Thu Jul 18 15:28:31 2024 +1000 + + Update README.md regarding secure ICMP redirects + +commit 13cc1f0986033855a399b50442a86a8d8552eb96 +Author: Raja Grewal +Date: Thu Jul 18 12:25:00 2024 +1000 + + Clarify (future) disabling of `io_uring` + +commit 9e6facda7017498e8310a9c39403e95e81c5a903 +Author: Raja Grewal +Date: Thu Jul 18 12:21:37 2024 +1000 + + Update module disabling presentation + +commit faa9181a6c0c78b9471c9a4e6bdd3291aec704f6 +Author: Raja Grewal +Date: Thu Jul 18 12:19:27 2024 +1000 + + Typos + commit d454f36c63bd653e47353fb1c93107b2d5584fe2 Author: Patrick Schleizer Date: Wed Jul 17 11:52:29 2024 -0400 diff --git a/debian/changelog b/debian/changelog index d5334b1..b6b4ff3 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:38.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 20 Jul 2024 17:02:04 +0000 + security-misc (3:38.1-1) unstable; urgency=medium * New upstream version (local package). From 64f8b2eb5870664fca06aa060f2f50af358ced55 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 21 Jul 2024 06:36:22 -0400 Subject: [PATCH 3/4] Revert "no longer disable Intel ME related kernel modules" This reverts commit 6157e328f40a7f3780208489b1ffecef8e6d738a. https://www.kicksecure.com/wiki/Out-of-band_Management_Technology#Intel_ME_Kernel_Modules https://github.com/Kicksecure/security-misc/issues/239 --- etc/modprobe.d/30_security-misc_disable.conf | 24 ++++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index d2408af..b6cfcbe 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf 
@@ -92,18 +92,18 @@ install gnss-usb /usr/bin/disabled-gps-by-security-misc
 ## https://github.com/Kicksecure/security-misc/pull/236#issuecomment-2229092813
 ## https://github.com/Kicksecure/security-misc/issues/239
 ##
-#install mei /usr/bin/disabled-intelme-by-security-misc
-#install mei-gsc /usr/bin/disabled-intelme-by-security-misc
-#install mei_gsc_proxy /usr/bin/disabled-intelme-by-security-misc
-#install mei_hdcp /usr/bin/disabled-intelme-by-security-misc
-#install mei-me /usr/bin/disabled-intelme-by-security-misc
-#install mei_phy /usr/bin/disabled-intelme-by-security-misc
-#install mei_pxp /usr/bin/disabled-intelme-by-security-misc
-#install mei-txe /usr/bin/disabled-intelme-by-security-misc
-#install mei-vsc /usr/bin/disabled-intelme-by-security-misc
-#install mei-vsc-hw /usr/bin/disabled-intelme-by-security-misc
-#install mei_wdt /usr/bin/disabled-intelme-by-security-misc
-#install microread_mei /usr/bin/disabled-intelme-by-security-misc
+install mei /usr/bin/disabled-intelme-by-security-misc
+install mei-gsc /usr/bin/disabled-intelme-by-security-misc
+install mei_gsc_proxy /usr/bin/disabled-intelme-by-security-misc
+install mei_hdcp /usr/bin/disabled-intelme-by-security-misc
+install mei-me /usr/bin/disabled-intelme-by-security-misc
+install mei_phy /usr/bin/disabled-intelme-by-security-misc
+install mei_pxp /usr/bin/disabled-intelme-by-security-misc
+install mei-txe /usr/bin/disabled-intelme-by-security-misc
+install mei-vsc /usr/bin/disabled-intelme-by-security-misc
+install mei-vsc-hw /usr/bin/disabled-intelme-by-security-misc
+install mei_wdt /usr/bin/disabled-intelme-by-security-misc
+install microread_mei /usr/bin/disabled-intelme-by-security-misc
 ## Intel Platform Monitoring Technology Telemetry (PMT):
 ## Disable some functionality of the Intel PMT components.
From d2563ed92317a029340dbb83f30da008b01325f2 Mon Sep 17 00:00:00 2001
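Review bot: The restored `install mei… /usr/bin/disabled-intelme-by-security-misc` lines only intercept module loading through modprobe, so they have no effect on a kernel where the MEI driver is built in rather than modular, and even when they apply they remove only the host-side interface to the Management Engine — the ME firmware itself keeps running. Neither limit is stated in the comment block directly above the lines (that block begins before this hunk), so unless the lines above the hunk already say so, a one-line note would help readers judge what they actually gain, e.g. `## Only effective when mei is built as a module; this removes the host interface, it does not disable the ME itself.`. The module names mix dash and underscore spellings (`mei-gsc` next to `mei_gsc_proxy`); modprobe treats the two characters as interchangeable, so this works, but a single consistent spelling would make the list easier to audit against `lsmod` and the modules.alias file on a given kernel.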
From: Patrick Schleizer Date: Sun, 21 Jul 2024 10:40:14 +0000 Subject: [PATCH 4/4] bumped changelog version --- changelog.upstream | 18 ++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 6e8633a..32ec008 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,21 @@ +commit 64f8b2eb5870664fca06aa060f2f50af358ced55 +Author: Patrick Schleizer +Date: Sun Jul 21 06:36:22 2024 -0400 + + Revert "no longer disable Intel ME related kernel modules" + + This reverts commit 6157e328f40a7f3780208489b1ffecef8e6d738a. + + https://www.kicksecure.com/wiki/Out-of-band_Management_Technology#Intel_ME_Kernel_Modules + + https://github.com/Kicksecure/security-misc/issues/239 + +commit 04fb00572f2e4c9bdfaaa0f6da8007999daab641 +Author: Patrick Schleizer +Date: Sat Jul 20 17:02:05 2024 +0000 + + bumped changelog version + commit f0a478c7c91697988926a73d3a1880dd8caaca68 Author: Patrick Schleizer Date: Sat Jul 20 12:57:56 2024 -0400 diff --git a/debian/changelog b/debian/changelog index b6b4ff3..876e60b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:38.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 21 Jul 2024 10:40:13 +0000 + security-misc (3:38.2-1) unstable; urgency=medium * New upstream version (local package).