Patrick Schleizer
|
4388fc4d5a
|
refactoring
|
2019-12-21 05:11:19 -05:00 |
|
Patrick Schleizer
|
ed20980f4c
|
refactoring
|
2019-12-21 05:07:10 -05:00 |
|
Patrick Schleizer
|
315ce86b9a
|
refactoring
|
2019-12-21 04:33:03 -05:00 |
|
Patrick Schleizer
|
0c5848494b
|
do not remount if already has intended mount options
|
2019-12-21 04:21:26 -05:00 |
|
Patrick Schleizer
|
203f4ad46e
|
refactoring
|
2019-12-21 04:17:10 -05:00 |
|
Patrick Schleizer
|
e7fd0dadb0
|
output
|
2019-12-21 04:09:35 -05:00 |
|
Patrick Schleizer
|
e6ea21c775
|
record existing modes in separate dpkg-statoverride databases
to have a history of what was modified and to allow undoing changes
|
2019-12-21 04:08:35 -05:00 |
|
Patrick Schleizer
|
89be5f2ecb
|
bumped changelog version
|
2019-12-21 02:05:39 -05:00 |
|
madaidan
|
c28ddf5c4d
|
Delete usr.lib.security-misc.pam_tally2-info
|
2019-12-20 22:44:31 +00:00 |
|
madaidan
|
cfe69dd669
|
Delete usr.lib.security-misc.permission-lockdown
|
2019-12-20 22:44:27 +00:00 |
|
Patrick Schleizer
|
d220bb3bc4
|
suid /usr/lib/chromium/chrome-sandbox whitelist
|
2019-12-20 13:07:01 -05:00 |
|
Patrick Schleizer
|
77b3dd5d6b
|
comments
|
2019-12-20 13:02:33 -05:00 |
|
Patrick Schleizer
|
d7bd477e73
|
add "/usr/lib/xorg/Xorg.wrap whitelist"
until this is researched
https://manpages.debian.org/buster/xserver-xorg-legacy/Xorg.wrap.1.en.html
https://lwn.net/Articles/590315/
|
2019-12-20 12:59:27 -05:00 |
|
Patrick Schleizer
|
17e8605119
|
add matchwhitelist feature
add "/usr/lib/virtualbox/ matchwhitelist"
|
2019-12-20 12:57:24 -05:00 |
|
Patrick Schleizer
|
3fab387669
|
suid /usr/bin/firejail whitelist
There is a controversy about firejail but those who choose to install it
should be able to use it.
https://www.whonix.org/wiki/Dev/Firejail#Security
|
2019-12-20 12:50:35 -05:00 |
|
Patrick Schleizer
|
d3f16a5bf4
|
sgid /usr/lib/qubes/qfile-unpacker whitelist
|
2019-12-20 12:47:10 -05:00 |
|
Patrick Schleizer
|
508ec0c6fa
|
comment
|
2019-12-20 12:34:07 -05:00 |
|
Patrick Schleizer
|
1b569ea790
|
comment
|
2019-12-20 12:32:36 -05:00 |
|
Patrick Schleizer
|
f88ca25889
|
fix terminology, sguid -> sgid
Thanks to @madaidan for the bug report!
https://forums.whonix.org/t/permission-hardening/8655/21
|
2019-12-20 11:58:07 -05:00 |
|
Patrick Schleizer
|
1cd5fb6a00
|
bumped changelog version
|
2019-12-20 11:50:25 -05:00 |
|
Patrick Schleizer
|
ff0a26fb5d
|
comment
|
2019-12-20 11:49:19 -05:00 |
|
Patrick Schleizer
|
71496a33ab
|
skip folders as these are not suid / sgid
|
2019-12-20 11:47:53 -05:00 |
|
Patrick Schleizer
|
9321ecff41
|
no more need to add/remove /
|
2019-12-20 11:43:53 -05:00 |
|
Patrick Schleizer
|
b95225b6a6
|
pipefail
|
2019-12-20 11:37:05 -05:00 |
|
Patrick Schleizer
|
cad6f328f4
|
minor
|
2019-12-20 11:34:44 -05:00 |
|
Patrick Schleizer
|
3265f9894d
|
output
|
2019-12-20 11:27:43 -05:00 |
|
Patrick Schleizer
|
28d12c3966
|
bumped changelog version
|
2019-12-20 11:09:22 -05:00 |
|
Patrick Schleizer
|
1615ebec58
|
output
|
2019-12-20 11:07:44 -05:00 |
|
Patrick Schleizer
|
1e11b775cf
|
output
|
2019-12-20 11:05:05 -05:00 |
|
Patrick Schleizer
|
731f802895
|
output
|
2019-12-20 11:04:12 -05:00 |
|
Patrick Schleizer
|
cd8efe5800
|
output
|
2019-12-20 11:03:22 -05:00 |
|
Patrick Schleizer
|
c0ddb76d74
|
bumped changelog version
|
2019-12-20 10:50:51 -05:00 |
|
Patrick Schleizer
|
b31abea0af
|
improve error handling
|
2019-12-20 10:49:31 -05:00 |
|
Patrick Schleizer
|
79cd3b86b6
|
comment
|
2019-12-20 10:47:23 -05:00 |
|
Patrick Schleizer
|
b3458cc6ee
|
fix checking existing entries to avoid needless calls to dpkg-statoverride
|
2019-12-20 10:45:59 -05:00 |
|
Patrick Schleizer
|
370f3c5e54
|
comment
|
2019-12-20 10:35:05 -05:00 |
|
Patrick Schleizer
|
133d09f298
|
output
|
2019-12-20 10:33:16 -05:00 |
|
Patrick Schleizer
|
1ffa8e197e
|
speed up setuid removal by using find with '-perm /u=s,g=s'
https://forums.whonix.org/t/permission-hardening/8655/19
|
2019-12-20 10:31:26 -05:00 |
|
Patrick Schleizer
|
4cfdf2c65b
|
fix, re-enforce nosuid even if changed on the disk
|
2019-12-20 10:21:27 -05:00 |
|
Patrick Schleizer
|
e36868e675
|
output
|
2019-12-20 10:02:46 -05:00 |
|
Patrick Schleizer
|
50b8f65490
|
add sanity test: count if we really processed all files
|
2019-12-20 09:59:28 -05:00 |
|
Patrick Schleizer
|
e28da89253
|
/bin/sudo whitelist / /bin/bwrap whitelist
|
2019-12-20 09:48:06 -05:00 |
|
Patrick Schleizer
|
55faa7b997
|
fix missing processing files bug
https://forums.whonix.org/t/permission-hardening/8655/16
|
2019-12-20 09:43:23 -05:00 |
|
Patrick Schleizer
|
fbe2479f48
|
count processed file system objects
to be able to verify if any were "forgotten"
|
2019-12-20 08:54:56 -05:00 |
|
Patrick Schleizer
|
195ea522f5
|
fix
|
2019-12-20 08:52:14 -05:00 |
|
Patrick Schleizer
|
6f8231be70
|
debugging
|
2019-12-20 08:51:55 -05:00 |
|
Patrick Schleizer
|
ed50f98010
|
output
|
2019-12-20 08:47:22 -05:00 |
|
Patrick Schleizer
|
089c40135f
|
bumped changelog version
|
2019-12-20 08:15:00 -05:00 |
|
Patrick Schleizer
|
6d30e3b4a2
|
do not remove suid from whitelisted binaries ever
https://forums.whonix.org/t/permission-hardening/8655/13
|
2019-12-20 08:13:23 -05:00 |
|
Patrick Schleizer
|
d5f1bd8dd2
|
fix mode sanity check
no longer use seq due to issue
https://forums.whonix.org/t/permission-hardening/8655/13
|
2019-12-20 08:02:30 -05:00 |
|