Patrick Schleizer
|
f3ff32ddbb
|
Protect /bin/mount from 'chmod -x'.
/bin/mount exactwhitelist
/usr/bin/mount exactwhitelist
Remove SUID from 'mount' but keep executable.
/bin/mount 745 root root
/usr/bin/mount 745 root root
https://forums.whonix.org/t/disable-suid-binaries/7706/61
|
2019-12-30 06:39:24 -05:00 |
|
Patrick Schleizer
|
e5623fcd2b
|
comment
|
2019-12-29 04:21:52 -05:00 |
|
Patrick Schleizer
|
674840e6f9
|
/fusermount matchwhitelist
unbreak AppImages such as electrum Bitcoin wallet
https://forums.whonix.org/t/disable-suid-binaries/7706/57
|
2019-12-26 05:44:35 -05:00 |
|
madaidan
|
79241c5d09
|
Make /lib/modules unreadable
|
2019-12-23 20:28:29 +00:00 |
|
Patrick Schleizer
|
9d77d88a4d
|
comments
|
2019-12-23 09:39:50 -05:00 |
|
Patrick Schleizer
|
11b4192fbd
|
comments
|
2019-12-23 03:28:42 -05:00 |
|
Patrick Schleizer
|
2152fa2d61
|
comment
|
2019-12-23 02:38:53 -05:00 |
|
Patrick Schleizer
|
f8f2e6c704
|
fix disablewhitelist feature
|
2019-12-23 02:35:13 -05:00 |
|
Patrick Schleizer
|
47ddcad0c0
|
rename keyword whitelist to exactwhitelist
add new keyword disablewhitelist
refactoring
|
2019-12-23 02:29:47 -05:00 |
|
Patrick Schleizer
|
1ff56625a1
|
polkit-agent-helper-1 matchwhitelist to match both
- /usr/lib/policykit-1/polkit-agent-helper-1 matchwhitelist
- /lib/policykit-1/polkit-agent-helper-1
|
2019-12-23 01:42:03 -05:00 |
|
Patrick Schleizer
|
d484b299ea
|
matchwhitelist /qubes/qfile-unpacker to match both
- /usr/lib/qubes/qfile-unpacker whitelist
- /lib/qubes/qfile-unpacker
|
2019-12-23 01:38:31 -05:00 |
|
Patrick Schleizer
|
58a4e0bc7d
|
dbus-daemon-launch-helper matchwhitelist
|
2019-12-22 19:12:10 -05:00 |
|
Patrick Schleizer
|
15e3a2832d
|
comment
|
2019-12-22 18:57:23 -05:00 |
|
Patrick Schleizer
|
6eb8fd257a
|
suid utempter/utempter matchwhitelist
to cover both:
/usr/lib/x86_64-linux-gnu/utempter/utempter
/lib/x86_64-linux-gnu/utempter/utempter
|
2019-12-22 18:56:36 -05:00 |
|
Patrick Schleizer
|
2ddf7b5db5
|
/lib/ nosuid
|
2019-12-21 14:06:51 -05:00 |
|
Patrick Schleizer
|
3ea587187e
|
no need to exclude xorg nosuid on Debian
http://forums.whonix.org/t/permission-hardening/8655/25
|
2019-12-21 06:53:07 -05:00 |
|
Patrick Schleizer
|
d220bb3bc4
|
suid /usr/lib/chromium/chrome-sandbox whitelist
|
2019-12-20 13:07:01 -05:00 |
|
Patrick Schleizer
|
77b3dd5d6b
|
comments
|
2019-12-20 13:02:33 -05:00 |
|
Patrick Schleizer
|
d7bd477e73
|
add "/usr/lib/xorg/Xorg.wrap whitelist"
until this is researched
https://manpages.debian.org/buster/xserver-xorg-legacy/Xorg.wrap.1.en.html
https://lwn.net/Articles/590315/
|
2019-12-20 12:59:27 -05:00 |
|
Patrick Schleizer
|
17e8605119
|
add matchwhitelist feature
add "/usr/lib/virtualbox/ matchwhitelist"
|
2019-12-20 12:57:24 -05:00 |
|
Patrick Schleizer
|
3fab387669
|
suid /usr/bin/firejail whitelist
There is a controversy about firejail but those who choose to install it
should be able to use it.
https://www.whonix.org/wiki/Dev/Firejail#Security
|
2019-12-20 12:50:35 -05:00 |
|
Patrick Schleizer
|
d3f16a5bf4
|
sgid /usr/lib/qubes/qfile-unpacker whitelist
|
2019-12-20 12:47:10 -05:00 |
|
Patrick Schleizer
|
508ec0c6fa
|
comment
|
2019-12-20 12:34:07 -05:00 |
|
Patrick Schleizer
|
1b569ea790
|
comment
|
2019-12-20 12:32:36 -05:00 |
|
Patrick Schleizer
|
e28da89253
|
/bin/sudo whitelist / /bin/bwrap whitelist
|
2019-12-20 09:48:06 -05:00 |
|
Patrick Schleizer
|
6d30e3b4a2
|
do not remove suid from whitelisted binaries ever
https://forums.whonix.org/t/permission-hardening/8655/13
|
2019-12-20 08:13:23 -05:00 |
|
Patrick Schleizer
|
48fe7312bf
|
update config
|
2019-12-20 05:57:41 -05:00 |
|
Patrick Schleizer
|
87d820d84c
|
comment
|
2019-12-20 05:54:16 -05:00 |
|
Patrick Schleizer
|
46466c12ad
|
parse drop-in config folder rather than only one config file
|
2019-12-20 05:49:11 -05:00 |
|