Commit Graph

2085 Commits

Author SHA1 Message Date
Patrick Schleizer
57fc487e5e
bumped changelog version 2024-03-10 13:19:26 +00:00
Patrick Schleizer
a5206bde33
proc-hidepid.service add gid=proc
This allows users that are a member of the `proc` group to be excluded from `hidepid` protections.

https://github.com/Kicksecure/security-misc/issues/208
2024-03-10 08:44:53 -04:00
Patrick Schleizer
0f0d9ca2a4
bumped changelog version 2024-03-04 11:48:30 +00:00
Patrick Schleizer
6b76373395
fix panic-on-oops started every 10s in Qubes-Whonix
by changing from a /etc/profile.d etc. related mechanism to start to a systemd unit file based approach

Thanks to @marmarek for the bug report!

https://forums.whonix.org/t/panic-on-oops-started-every-10s/19450
2024-03-04 06:44:26 -05:00
Patrick Schleizer
af6c6971a7
comment 2024-03-04 06:33:51 -05:00
Patrick Schleizer
e013070e0b
newline 2024-03-04 06:33:21 -05:00
Patrick Schleizer
a5cc1774f2
bumped changelog version 2024-02-26 13:32:44 +00:00
Patrick Schleizer
808e72f24b
use long options
https://github.com/Kicksecure/security-misc/issues/172
2024-02-26 08:11:26 -05:00
Patrick Schleizer
2d1d1b246f
improve output
https://github.com/Kicksecure/security-misc/issues/172
2024-02-26 08:07:29 -05:00
Patrick Schleizer
d8f5376c4f
improve output
https://github.com/Kicksecure/security-misc/issues/172
2024-02-26 07:58:06 -05:00
Patrick Schleizer
cf84762a3a
improve output
https://github.com/Kicksecure/security-misc/issues/172
2024-02-26 07:52:41 -05:00
Patrick Schleizer
f2958bbfa5
comment 2024-02-26 07:49:30 -05:00
Patrick Schleizer
bc8f9edc31
Merge remote-tracking branch 'github-kicksecure/master' 2024-02-26 07:48:19 -05:00
Patrick Schleizer
b23d167342
Merge pull request #204 from DanWin/sysfs-mount
Make /sys hardening optional and allow access to /sys/fs to make polkit work
2024-02-26 07:46:02 -05:00
Patrick Schleizer
02d6f67741
bumped changelog version 2024-02-22 20:08:17 +00:00
Patrick Schleizer
d13d1aa7ec
comments 2024-02-22 15:07:53 -05:00
Patrick Schleizer
a1f898e3b3
bumped changelog version 2024-02-22 19:58:01 +00:00
Patrick Schleizer
c3dd178b19
output 2024-02-22 14:57:50 -05:00
Daniel Winzen
ef44ecea44
Add option to disabe /sys hardening 2024-02-22 17:27:46 +01:00
Daniel Winzen
3bc1765dbb
Allow access to /sys/fs for polkit 2024-02-22 17:27:45 +01:00
Patrick Schleizer
6b73e6c2a9
bumped changelog version 2024-02-22 16:07:16 +00:00
Patrick Schleizer
37a7abdf0c
ConditionKernelCommandLine=!remountsecure=0 2024-02-22 11:07:01 -05:00
Patrick Schleizer
eb3e0b9292
bumped changelog version 2024-02-22 14:52:55 +00:00
Patrick Schleizer
c0924321b8
fix systemd unit ExecStart 2024-02-22 09:52:36 -05:00
Patrick Schleizer
d148a769b7
bumped changelog version 2024-02-22 14:50:05 +00:00
Patrick Schleizer
6d7cf3c12a
output 2024-02-22 09:49:48 -05:00
Patrick Schleizer
f7831db197
do not exit non-zero if folder does not exist 2024-02-22 09:17:41 -05:00
Patrick Schleizer
5bdd7b8475
output 2024-02-22 09:14:52 -05:00
Patrick Schleizer
44a15cd97d
mount --make-private
https://github.com/Kicksecure/security-misc/issues/172
2024-02-22 09:13:56 -05:00
Patrick Schleizer
c0f98b05b6
comment
https://github.com/Kicksecure/security-misc/pull/202
2024-02-22 06:03:59 -05:00
Patrick Schleizer
1e1613aa93
allow /opt exec as usually optional binaries are placed there such as firefox
https://github.com/Kicksecure/security-misc/pull/202
2024-02-22 06:02:28 -05:00
Patrick Schleizer
7c7b4b24b4
fix home_noexec_maybe -> most_noexec_maybe
https://github.com/Kicksecure/security-misc/pull/202
2024-02-22 06:02:00 -05:00
Patrick Schleizer
38783faf60
add more bind mounts of mount options hardening
as suggested in https://github.com/Kicksecure/security-misc/pull/202
2024-02-22 05:58:53 -05:00
Patrick Schleizer
ad9d913902
bumped changelog version 2024-02-03 18:28:27 +00:00
Patrick Schleizer
02090da08c
Merge remote-tracking branch 'github-kicksecure/master' 2024-02-03 12:51:07 -05:00
Patrick Schleizer
ba13657d89
Merge pull request #197 from raja-grewal/mitigations
Additional Explicit CPU Mitigations
2024-02-03 12:50:28 -05:00
raja-grewal
b16c99ab62
Remove hardcoded spec_rstack_overflow setting 2024-01-29 13:39:40 +00:00
raja-grewal
139b10a9aa
Control RAS overflow mitigation on AMD Zen CPUs 2024-01-29 12:59:13 +00:00
raja-grewal
6c54e35027
Enable mitigations for RETBleed vulnerability and disable SMT 2024-01-29 12:58:51 +00:00
raja-grewal
4509a5fc95
Enable known mitigations for CPU vulnerabilities and disable SMT 2024-01-29 12:58:14 +00:00
raja-grewal
4231155efa
Add reference for kernel parameters 2024-01-29 12:57:48 +00:00
Patrick Schleizer
8037ce52f9
bumped changelog version 2024-01-25 13:59:29 +00:00
Patrick Schleizer
185bfe7497
use interest-noawait instead of interest-await
fixes https://github.com/Kicksecure/security-misc/issues/196
2024-01-25 06:54:36 -05:00
Patrick Schleizer
64e41b113c
bumped changelog version 2024-01-18 14:10:51 +00:00
Patrick Schleizer
1855fa08b1
readme 2024-01-18 08:54:39 -05:00
Patrick Schleizer
f0e2a82b55
bumped changelog version 2024-01-17 19:18:25 +00:00
Patrick Schleizer
314e5b490c
use wildcards
instead of outdated, incomplete list

https://github.com/Kicksecure/security-misc/issues/160
2024-01-17 14:03:09 -05:00
Patrick Schleizer
08619d6a73
minor RPM updates
https://github.com/Kicksecure/security-misc/issues/160
2024-01-17 13:59:36 -05:00
Patrick Schleizer
3048e0ac76
usrmerge
https://github.com/Kicksecure/security-misc/issues/190
2024-01-17 13:54:07 -05:00
Patrick Schleizer
5a6cd4c2ab
remove now empty /bin from copying since it is empty after usrmerge
https://github.com/Kicksecure/security-misc/issues/190
2024-01-17 13:51:30 -05:00