Commit Graph

906 Commits

Author SHA1 Message Date
Patrick Schleizer
1ff51ee061
merge 2019-12-23 03:37:28 -05:00
madaidan
535c258b83
More kernel hardening 2019-12-23 03:35:07 -05:00
Patrick Schleizer
11b4192fbd
comments 2019-12-23 03:28:42 -05:00
Patrick Schleizer
42ff53e9ad
bumped changelog version 2019-12-23 02:42:07 -05:00
Patrick Schleizer
2152fa2d61
comment 2019-12-23 02:38:53 -05:00
Patrick Schleizer
f8f2e6c704
fix disablewhitelist feature 2019-12-23 02:35:13 -05:00
Patrick Schleizer
47ddcad0c0
rename keyword whitelist to exactwhitelist
add new keyword disablewhitelist

refactoring
2019-12-23 02:29:47 -05:00
Patrick Schleizer
175d1c2845
bumped changelog version 2019-12-23 02:13:13 -05:00
Patrick Schleizer
0409aac3ae
readme 2019-12-23 02:09:04 -05:00
Patrick Schleizer
1ff56625a1
polkit-agent-helper-1 matchwhitelist to match both
- /usr/lib/policykit-1/polkit-agent-helper-1 matchwhitelist
- /lib/policykit-1/polkit-agent-helper-1
2019-12-23 01:42:03 -05:00
Patrick Schleizer
d484b299ea
matchwhitelist /qubes/qfile-unpacker to match both
- /usr/lib/qubes/qfile-unpacker whitelist
- /lib/qubes/qfile-unpacker
2019-12-23 01:38:31 -05:00
Patrick Schleizer
34bf245713
output 2019-12-23 01:35:45 -05:00
Patrick Schleizer
ba30e45d15
output 2019-12-23 01:32:42 -05:00
Patrick Schleizer
ee9c5742da
output 2019-12-23 01:29:48 -05:00
Patrick Schleizer
6d05359abc
output 2019-12-23 01:21:52 -05:00
Patrick Schleizer
a1e78e8515
fix needlessly re-adding entries 2019-12-23 01:20:56 -05:00
Patrick Schleizer
906b3d32e7
output 2019-12-23 01:09:57 -05:00
Patrick Schleizer
4f76867da6
lower debugging 2019-12-23 01:08:02 -05:00
Patrick Schleizer
dc6e5d8508
fix 2019-12-23 01:06:38 -05:00
Patrick Schleizer
87b999f92a
refactoring 2019-12-23 00:59:43 -05:00
Patrick Schleizer
065ff4bd05
sanity_tests 2019-12-23 00:59:24 -05:00
Patrick Schleizer
fef1469fe6
exit non-zero if capability removal failed 2019-12-23 00:51:14 -05:00
Patrick Schleizer
3670fcf48b
depend on libcap2-bin for setcap / getcap / capsh 2019-12-23 00:49:33 -05:00
Patrick Schleizer
17a8c29470
fix capability removal error handling
https://forums.whonix.org/t/disable-suid-binaries/7706/45
2019-12-23 00:47:49 -05:00
Patrick Schleizer
b631e2ecd8
refactoring 2019-12-23 00:36:41 -05:00
Patrick Schleizer
7aea304549
comment 2019-12-23 00:26:15 -05:00
Patrick Schleizer
f4b1df02ee
Remove suid / gid and execute permission for 'group' and 'others'.
Similar to: chmod og-ugx /path/to/filename

Removing execution permission is useful to make binaries such as 'su' fail closed rather
than fail open if suid was removed from these.

Do not remove read access since no security benefit and easier to manually undo for users.

chmod 744
2019-12-22 19:42:40 -05:00
Patrick Schleizer
58a4e0bc7d
dbus-daemon-launch-helper matchwhitelist 2019-12-22 19:12:10 -05:00
Patrick Schleizer
15e3a2832d
comment 2019-12-22 18:57:23 -05:00
Patrick Schleizer
6eb8fd257a
suid utempter/utempter matchwhitelist
to cover both:

/usr/lib/x86_64-linux-gnu/utempter/utempter
/lib/x86_64-linux-gnu/utempter/utempter
2019-12-22 18:56:36 -05:00
Patrick Schleizer
9409209b48
Merge remote-tracking branch 'origin/master' 2019-12-22 10:29:08 -05:00
Patrick Schleizer
bce02ffdc0
Merge pull request #47 from madaidan/msr
Blacklist CPU MSRs
2019-12-22 15:26:07 +00:00
madaidan
8f11a520f4
Update control 2019-12-22 13:54:16 +00:00
madaidan
dd93b11321
Blacklist CPU MSRs 2019-12-22 13:52:43 +00:00
Patrick Schleizer
008ce4817c
bumped changelog version 2019-12-21 14:55:03 -05:00
Patrick Schleizer
d300db3cde
output 2019-12-21 14:45:11 -05:00
Patrick Schleizer
3921846df6
comment 2019-12-21 14:36:42 -05:00
Patrick Schleizer
1213415ce6
bumped changelog version 2019-12-21 14:23:35 -05:00
Patrick Schleizer
2ddf7b5db5
/lib/ nosuid 2019-12-21 14:06:51 -05:00
Patrick Schleizer
1e8457ea47
no longer remount /lib
https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/25
2019-12-21 14:06:10 -05:00
Patrick Schleizer
10c19d6a8f
Merge remote-tracking branch 'origin/master' 2019-12-21 13:00:41 -05:00
Patrick Schleizer
fffdf5090c
Merge pull request #46 from madaidan/remount-secure
Don't remount /sys/kernel/security
2019-12-21 17:59:56 +00:00
madaidan
f5a52aeddc
Don't remount /sys/kernel/security 2019-12-21 14:55:28 +00:00
Patrick Schleizer
b2260f48f4
add support for /etc/exec / /usr/local/etc/exec
to allow enabling exec on a per VM basis
2019-12-21 08:03:33 -05:00
Patrick Schleizer
1c99b56c9b
bumped changelog version 2019-12-21 07:49:55 -05:00
Patrick Schleizer
161b6f6b88
readme 2019-12-21 07:49:29 -05:00
Patrick Schleizer
b74e5ca972
comment 2019-12-21 07:47:00 -05:00
Patrick Schleizer
8fb17624bc
comment 2019-12-21 07:44:51 -05:00
Patrick Schleizer
aef796a524
disable debugging 2019-12-21 07:44:23 -05:00
Patrick Schleizer
1fe83d683f
comment 2019-12-21 07:43:55 -05:00