bumped changelog version

debian/control URL fix

COPYING

@@ -1,73 +1,668 @@
 Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 
 Files: *
-Copyright: 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
-License: GPL-3+-with-additional-terms-1
- This program is free software: you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation, either version 3 of the License, or
- (at your option) any later version.
+Copyright: 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+License: AGPL-3+
+
+License: AGPL-3+
+                    GNU AFFERO GENERAL PUBLIC LICENSE
+                       Version 3, 19 November 2007
  .
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- GNU General Public License for more details.
+ Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
  .
- You should have received a copy of the GNU General Public License
- along with this program.  If not, see <https://www.gnu.org/licenses/>.
+                            Preamble
  .
- On Debian systems, the full text of the GNU General Public
- License version 3 can be found in the file
- `/usr/share/common-licenses/GPL-3'.
+ The GNU Affero General Public License is a free, copyleft license for
+ software and other kinds of works, specifically designed to ensure
+ cooperation with the community in the case of network server software.
  .
- ADDITIONAL TERMS APPLICABLE per GNU GPL version 3 section 7
+ The licenses for most software and other practical works are designed
+ to take away your freedom to share and change the works.  By contrast,
+ our General Public Licenses are intended to guarantee your freedom to
+ share and change all versions of a program--to make sure it remains free
+ software for all its users.
  .
- 1. Replacement of Section 15.  Section 15 of the GPL shall be deleted in its
- entirety and replaced with the following:
+  When we speak of free software, we are referring to freedom, not
+ price.  Our General Public Licenses are designed to make sure that you
+ have the freedom to distribute copies of free software (and charge for
+ them if you wish), that you receive source code or can get it if you
+ want it, that you can change the software or use pieces of it in new
+ free programs, and that you know you can do these things.
  .
- 15. Disclaimer of Warranty.
+  Developers that use our General Public Licenses protect your rights
+ with two steps: (1) assert copyright on the software, and (2) offer
+ you this License which gives you legal permission to copy, distribute
+ and/or modify the software.
  .
- THE PROGRAM IS PROVIDED WITHOUT ANY WARRANTIES, WHETHER EXPRESSED OR IMPLIED,
- INCLUDING, WITHOUT LIMITATION, IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR
- PURPOSE, NON-INFRINGEMENT, TITLE AND MERCHANTABILITY.  THE PROGRAM IS BEING
- DELIVERED OR MADE AVAILABLE 'AS IS', 'WITH ALL FAULTS' AND WITHOUT WARRANTY OR
- REPRESENTATION.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
- PROGRAM IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ A secondary benefit of defending all users' freedom is that
+ improvements made in alternate versions of the program, if they
+ receive widespread use, become available for other developers to
+ incorporate.  Many developers of free software are heartened and
+ encouraged by the resulting cooperation.  However, in the case of
+ software used on network servers, this result may fail to come about.
+ The GNU General Public License permits making a modified version and
+ letting the public access it on a server without ever releasing its
+ source code to the public.
+ .
+ The GNU Affero General Public License is designed specifically to
+ ensure that, in such cases, the modified source code becomes available
+ to the community.  It requires the operator of a network server to
+ provide the source code of the modified version running there to the
+ users of that server.  Therefore, public use of a modified version, on
+ a publicly accessible server, gives the public access to the source
+ code of the modified version.
+ .
+ An older license, called the Affero General Public License and
+ published by Affero, was designed to accomplish similar goals.  This is
+ a different license, not a version of the Affero GPL, but Affero has
+ released a new version of the Affero GPL which permits relicensing under
+ this license.
+ .
+ The precise terms and conditions for copying, distribution and
+ modification follow.
+ .
+                       TERMS AND CONDITIONS
+ .
+  0. Definitions.
+ .
+  "This License" refers to version 3 of the GNU Affero General Public License.
+ .
+  "Copyright" also means copyright-like laws that apply to other kinds of
+ works, such as semiconductor masks.
+ .
+ "The Program" refers to any copyrightable work licensed under this
+ License.  Each licensee is addressed as "you".  "Licensees" and
+ "recipients" may be individuals or organizations.
+ .
+ To "modify" a work means to copy from or adapt all or part of the work
+ in a fashion requiring copyright permission, other than the making of an
+ exact copy.  The resulting work is called a "modified version" of the
+ earlier work or a work "based on" the earlier work.
+ .
+ A "covered work" means either the unmodified Program or a work based
+ on the Program.
+ .
+ To "propagate" a work means to do anything with it that, without
+ permission, would make you directly or secondarily liable for
+ infringement under applicable copyright law, except executing it on a
+ computer or modifying a private copy.  Propagation includes copying,
+ distribution (with or without modification), making available to the
+ public, and in some countries other activities as well.
+ .
+ To "convey" a work means any kind of propagation that enables other
+ parties to make or receive copies.  Mere interaction with a user through
+ a computer network, with no transfer of a copy, is not conveying.
+ .
+ An interactive user interface displays "Appropriate Legal Notices"
+ to the extent that it includes a convenient and prominently visible
+ feature that (1) displays an appropriate copyright notice, and (2)
+ tells the user that there is no warranty for the work (except to the
+ extent that warranties are provided), that licensees may convey the
+ work under this License, and how to view a copy of this License.  If
+ the interface presents a list of user commands or options, such as a
+ menu, a prominent item in the list meets this criterion.
+ .
+ 1. Source Code.
+ .
+ The "source code" for a work means the preferred form of the work
+ for making modifications to it.  "Object code" means any non-source
+ form of a work.
+ .
+ A "Standard Interface" means an interface that either is an official
+ standard defined by a recognized standards body, or, in the case of
+ interfaces specified for a particular programming language, one that
+ is widely used among developers working in that language.
+ .
+ The "System Libraries" of an executable work include anything, other
+ than the work as a whole, that (a) is included in the normal form of
+ packaging a Major Component, but which is not part of that Major
+ Component, and (b) serves only to enable use of the work with that
+ Major Component, or to implement a Standard Interface for which an
+ implementation is available to the public in source code form.  A
+ "Major Component", in this context, means a major essential component
+ (kernel, window system, and so on) of the specific operating system
+ (if any) on which the executable work runs, or a compiler used to
+ produce the work, or an object code interpreter used to run it.
+ .
+ The "Corresponding Source" for a work in object code form means all
+ the source code needed to generate, install, and (for an executable
+ work) run the object code and to modify the work, including scripts to
+ control those activities.  However, it does not include the work's
+ System Libraries, or general-purpose tools or generally available free
+ programs which are used unmodified in performing those activities but
+ which are not part of the work.  For example, Corresponding Source
+ includes interface definition files associated with source files for
+ the work, and the source code for shared libraries and dynamically
+ linked subprograms that the work is specifically designed to require,
+ such as by intimate data communication or control flow between those
+ subprograms and other parts of the work.
+ .
+ The Corresponding Source need not include anything that users
+ can regenerate automatically from other parts of the Corresponding
+ Source.
+ .
+ The Corresponding Source for a work in source code form is that
+ same work.
+ .
+  2. Basic Permissions.
+ .
+  All rights granted under this License are granted for the term of
+ copyright on the Program, and are irrevocable provided the stated
+ conditions are met.  This License explicitly affirms your unlimited
+ permission to run the unmodified Program.  The output from running a
+ covered work is covered by this License only if the output, given its
+ content, constitutes a covered work.  This License acknowledges your
+ rights of fair use or other equivalent, as provided by copyright law.
+ .
+ You may make, run and propagate covered works that you do not
+ convey, without conditions so long as your license otherwise remains
+ in force.  You may convey covered works to others for the sole purpose
+ of having them make modifications exclusively for you, or provide you
+ with facilities for running those works, provided that you comply with
+ the terms of this License in conveying all material for which you do
+ not control copyright.  Those thus making or running the covered works
+ for you must do so exclusively on your behalf, under your direction
+ and control, on terms that prohibit them from making any copies of
+ your copyrighted material outside their relationship with you.
+ .
+ Conveying under any other circumstances is permitted solely under
+ the conditions stated below.  Sublicensing is not allowed; section 10
+ makes it unnecessary.
+ .
+  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+ .
+ No covered work shall be deemed part of an effective technological
+ measure under any applicable law fulfilling obligations under article
+ 11 of the WIPO copyright treaty adopted on 20 December 1996, or
+ similar laws prohibiting or restricting circumvention of such
+ measures.
+ .
+ When you convey a covered work, you waive any legal power to forbid
+ circumvention of technological measures to the extent such circumvention
+ is effected by exercising rights under this License with respect to
+ the covered work, and you disclaim any intention to limit operation or
+ modification of the work as a means of enforcing, against the work's
+ users, your or third parties' legal rights to forbid circumvention of
+ technological measures.
+ .
+  4. Conveying Verbatim Copies.
+ .
+ You may convey verbatim copies of the Program's source code as you
+ receive it, in any medium, provided that you conspicuously and
+ appropriately publish on each copy an appropriate copyright notice;
+ keep intact all notices stating that this License and any
+ non-permissive terms added in accord with section 7 apply to the code;
+ keep intact all notices of the absence of any warranty; and give all
+ recipients a copy of this License along with the Program.
+ .
+ You may charge any price or no price for each copy that you convey,
+ and you may offer support or warranty protection for a fee.
+ .
+  5. Conveying Modified Source Versions.
+ .
+ You may convey a work based on the Program, or the modifications to
+ produce it from the Program, in the form of source code under the
+ terms of section 4, provided that you also meet all of these conditions:
+ .
+    a) The work must carry prominent notices stating that you modified
+    it, and giving a relevant date.
+ .
+    b) The work must carry prominent notices stating that it is
+    released under this License and any conditions added under section
+    7.  This requirement modifies the requirement in section 4 to
+    "keep intact all notices".
+ .
+    c) You must license the entire work, as a whole, under this
+    License to anyone who comes into possession of a copy.  This
+    License will therefore apply, along with any applicable section 7
+    additional terms, to the whole of the work, and all its parts,
+    regardless of how they are packaged.  This License gives no
+    permission to license the work in any other way, but it does not
+    invalidate such permission if you have separately received it.
+ .
+    d) If the work has interactive user interfaces, each must display
+    Appropriate Legal Notices; however, if the Program has interactive
+    interfaces that do not display Appropriate Legal Notices, your
+    work need not make them do so.
+ .
+ A compilation of a covered work with other separate and independent
+ works, which are not by their nature extensions of the covered work,
+ and which are not combined with it such as to form a larger program,
+ in or on a volume of a storage or distribution medium, is called an
+ "aggregate" if the compilation and its resulting copyright are not
+ used to limit the access or legal rights of the compilation's users
+ beyond what the individual works permit.  Inclusion of a covered work
+ in an aggregate does not cause this License to apply to the other
+ parts of the aggregate.
+ .
+  6. Conveying Non-Source Forms.
+ .
+ You may convey a covered work in object code form under the terms
+ of sections 4 and 5, provided that you also convey the
+ machine-readable Corresponding Source under the terms of this License,
+ in one of these ways:
+ .
+    a) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by the
+    Corresponding Source fixed on a durable physical medium
+    customarily used for software interchange.
+ .
+    b) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by a
+    written offer, valid for at least three years and valid for as
+    long as you offer spare parts or customer support for that product
+    model, to give anyone who possesses the object code either (1) a
+    copy of the Corresponding Source for all the software in the
+    product that is covered by this License, on a durable physical
+    medium customarily used for software interchange, for a price no
+    more than your reasonable cost of physically performing this
+    conveying of source, or (2) access to copy the
+    Corresponding Source from a network server at no charge.
+ .
+    c) Convey individual copies of the object code with a copy of the
+    written offer to provide the Corresponding Source.  This
+    alternative is allowed only occasionally and noncommercially, and
+    only if you received the object code with such an offer, in accord
+    with subsection 6b.
+ .
+    d) Convey the object code by offering access from a designated
+    place (gratis or for a charge), and offer equivalent access to the
+    Corresponding Source in the same way through the same place at no
+    further charge.  You need not require recipients to copy the
+    Corresponding Source along with the object code.  If the place to
+    copy the object code is a network server, the Corresponding Source
+    may be on a different server (operated by you or a third party)
+    that supports equivalent copying facilities, provided you maintain
+    clear directions next to the object code saying where to find the
+    Corresponding Source.  Regardless of what server hosts the
+    Corresponding Source, you remain obligated to ensure that it is
+    available for as long as needed to satisfy these requirements.
+ .
+    e) Convey the object code using peer-to-peer transmission, provided
+    you inform other peers where the object code and Corresponding
+    Source of the work are being offered to the general public at no
+    charge under subsection 6d.
+ .
+ A separable portion of the object code, whose source code is excluded
+ from the Corresponding Source as a System Library, need not be
+ included in conveying the object code work.
+ .
+ A "User Product" is either (1) a "consumer product", which means any
+ tangible personal property which is normally used for personal, family,
+ or household purposes, or (2) anything designed or sold for incorporation
+ into a dwelling.  In determining whether a product is a consumer product,
+ doubtful cases shall be resolved in favor of coverage.  For a particular
+  product received by a particular user, "normally used" refers to a
+ typical or common use of that class of product, regardless of the status
+ of the particular user or of the way in which the particular user
+ actually uses, or expects or is expected to use, the product.  A product
+ is a consumer product regardless of whether the product has substantial
+ commercial, industrial or non-consumer uses, unless such uses represent
+ the only significant mode of use of the product.
+ .
+ "Installation Information" for a User Product means any methods,
+ procedures, authorization keys, or other information required to install
+ and execute modified versions of a covered work in that User Product from
+ a modified version of its Corresponding Source.  The information must
+ suffice to ensure that the continued functioning of the modified object
+ code is in no case prevented or interfered with solely because
+ modification has been made.
+ .
+ If you convey an object code work under this section in, or with, or
+ specifically for use in, a User Product, and the conveying occurs as
+ part of a transaction in which the right of possession and use of the
+ User Product is transferred to the recipient in perpetuity or for a
+ fixed term (regardless of how the transaction is characterized), the
+ Corresponding Source conveyed under this section must be accompanied
+ by the Installation Information.  But this requirement does not apply
+ if neither you nor any third party retains the ability to install
+ modified object code on the User Product (for example, the work has
+ been installed in ROM).
+ .
+ The requirement to provide Installation Information does not include a
+ requirement to continue to provide support service, warranty, or updates
+ for a work that has been modified or installed by the recipient, or for
+ the User Product in which it has been modified or installed.  Access to a
+ network may be denied when the modification itself materially and
+ adversely affects the operation of the network or violates the rules and
+ protocols for communication across the network.
+ .
+ Corresponding Source conveyed, and Installation Information provided,
+ in accord with this section must be in a format that is publicly
+ documented (and with an implementation available to the public in
+ source code form), and must require no special password or key for
+ unpacking, reading or copying.
+ .
+  7. Additional Terms.
+ .
+ "Additional permissions" are terms that supplement the terms of this
+ License by making exceptions from one or more of its conditions.
+ Additional permissions that are applicable to the entire Program shall
+ be treated as though they were included in this License, to the extent
+ that they are valid under applicable law.  If additional permissions
+ apply only to part of the Program, that part may be used separately
+ under those permissions, but the entire Program remains governed by
+ this License without regard to the additional permissions.
+ .
+ When you convey a copy of a covered work, you may at your option
+ remove any additional permissions from that copy, or from any part of
+ it.  (Additional permissions may be written to require their own
+ removal in certain cases when you modify the work.)  You may place
+ additional permissions on material, added by you to a covered work,
+ for which you have or can give appropriate copyright permission.
+ .
+ Notwithstanding any other provision of this License, for material you
+ add to a covered work, you may (if authorized by the copyright holders of
+ that material) supplement the terms of this License with terms:
+ .
+    a) Disclaiming warranty or limiting liability differently from the
+    terms of sections 15 and 16 of this License; or
+ .
+    b) Requiring preservation of specified reasonable legal notices or
+    author attributions in that material or in the Appropriate Legal
+    Notices displayed by works containing it; or
+ .
+    c) Prohibiting misrepresentation of the origin of that material, or
+    requiring that modified versions of such material be marked in
+    reasonable ways as different from the original version; or
+ .
+    d) Limiting the use for publicity purposes of names of licensors or
+    authors of the material; or
+ .
+    e) Declining to grant rights under trademark law for use of some
+    trade names, trademarks, or service marks; or
+ .
+    f) Requiring indemnification of licensors and authors of that
+    material by anyone who conveys the material (or modified versions of
+    it) with contractual assumptions of liability to the recipient, for
+    any liability that these contractual assumptions directly impose on
+    those licensors and authors.
+ .
+ All other non-permissive additional terms are considered "further
+ restrictions" within the meaning of section 10.  If the Program as you
+ received it, or any part of it, contains a notice stating that it is
+ governed by this License along with a term that is a further
+ restriction, you may remove that term.  If a license document contains
+ a further restriction but permits relicensing or conveying under this
+ License, you may add to a covered work material governed by the terms
+ of that license document, provided that the further restriction does
+ not survive such relicensing or conveying.
+ .
+ If you add terms to a covered work in accord with this section, you
+ must place, in the relevant source files, a statement of the
+ additional terms that apply to those files, or a notice indicating
+ where to find the applicable terms.
+ .
+ Additional terms, permissive or non-permissive, may be stated in the
+ form of a separately written license, or stated as exceptions;
+ the above requirements apply either way.
+ .
+  8. Termination.
+ .
+ You may not propagate or modify a covered work except as expressly
+ provided under this License.  Any attempt otherwise to propagate or
+ modify it is void, and will automatically terminate your rights under
+ this License (including any patent licenses granted under the third
+ paragraph of section 11).
+ .
+ However, if you cease all violation of this License, then your
+ license from a particular copyright holder is reinstated (a)
+ provisionally, unless and until the copyright holder explicitly and
+ finally terminates your license, and (b) permanently, if the copyright
+ holder fails to notify you of the violation by some reasonable means
+ prior to 60 days after the cessation.
+ .
+ Moreover, your license from a particular copyright holder is
+ reinstated permanently if the copyright holder notifies you of the
+ violation by some reasonable means, this is the first time you have
+ received notice of violation of this License (for any work) from that
+ copyright holder, and you cure the violation prior to 30 days after
+ your receipt of the notice.
+ .
+ Termination of your rights under this section does not terminate the
+ licenses of parties who have received copies or rights from you under
+ this License.  If your rights have been terminated and not permanently
+ reinstated, you do not qualify to receive new licenses for the same
+ material under section 10.
+ .
+  9. Acceptance Not Required for Having Copies.
+ .
+ You are not required to accept this License in order to receive or
+ run a copy of the Program.  Ancillary propagation of a covered work
+ occurring solely as a consequence of using peer-to-peer transmission
+ to receive a copy likewise does not require acceptance.  However,
+ nothing other than this License grants you permission to propagate or
+ modify any covered work.  These actions infringe copyright if you do
+ not accept this License.  Therefore, by modifying or propagating a
+ covered work, you indicate your acceptance of this License to do so.
+ .
+  10. Automatic Licensing of Downstream Recipients.
+ .
+ Each time you convey a covered work, the recipient automatically
+ receives a license from the original licensors, to run, modify and
+ propagate that work, subject to this License.  You are not responsible
+ for enforcing compliance by third parties with this License.
+ .
+ An "entity transaction" is a transaction transferring control of an
+ organization, or substantially all assets of one, or subdividing an
+ organization, or merging organizations.  If propagation of a covered
+ work results from an entity transaction, each party to that
+ transaction who receives a copy of the work also receives whatever
+ licenses to the work the party's predecessor in interest had or could
+ give under the previous paragraph, plus a right to possession of the
+ Corresponding Source of the work from the predecessor in interest, if
+ the predecessor has it or can get it with reasonable efforts.
+ .
+  You may not impose any further restrictions on the exercise of the
+ rights granted or affirmed under this License.  For example, you may
+ not impose a license fee, royalty, or other charge for exercise of
+ rights granted under this License, and you may not initiate litigation
+ (including a cross-claim or counterclaim in a lawsuit) alleging that
+ any patent claim is infringed by making, using, selling, offering for
+ sale, or importing the Program or any portion of it.
+ .
+  11. Patents.
+ .
+ A "contributor" is a copyright holder who authorizes use under this
+ License of the Program or a work on which the Program is based.  The
+ work thus licensed is called the contributor's "contributor version".
+ .
+ A contributor's "essential patent claims" are all patent claims
+ owned or controlled by the contributor, whether already acquired or
+ hereafter acquired, that would be infringed by some manner, permitted
+ by this License, of making, using, or selling its contributor version,
+ but do not include claims that would be infringed only as a
+ consequence of further modification of the contributor version.  For
+ purposes of this definition, "control" includes the right to grant
+ patent sublicenses in a manner consistent with the requirements of
+ this License.
+ .
+ Each contributor grants you a non-exclusive, worldwide, royalty-free
+ patent license under the contributor's essential patent claims, to
+ make, use, sell, offer for sale, import and otherwise run, modify and
+ propagate the contents of its contributor version.
+ .
+ In the following three paragraphs, a "patent license" is any express
+ agreement or commitment, however denominated, not to enforce a patent
+ (such as an express permission to practice a patent or covenant not to
+ sue for patent infringement).  To "grant" such a patent license to a
+ party means to make such an agreement or commitment not to enforce a
+ patent against the party.
+ .
+ If you convey a covered work, knowingly relying on a patent license,
+ and the Corresponding Source of the work is not available for anyone
+ to copy, free of charge and under the terms of this License, through a
+ publicly available network server or other readily accessible means,
+ then you must either (1) cause the Corresponding Source to be so
+ available, or (2) arrange to deprive yourself of the benefit of the
+ patent license for this particular work, or (3) arrange, in a manner
+ consistent with the requirements of this License, to extend the patent
+ license to downstream recipients.  "Knowingly relying" means you have
+ actual knowledge that, but for the patent license, your conveying the
+ covered work in a country, or your recipient's use of the covered work
+ in a country, would infringe one or more identifiable patents in that
+ country that you have reason to believe are valid.
+ .
+ If, pursuant to or in connection with a single transaction or
+ arrangement, you convey, or propagate by procuring conveyance of, a
+ covered work, and grant a patent license to some of the parties
+ receiving the covered work authorizing them to use, propagate, modify
+ or convey a specific copy of the covered work, then the patent license
+ you grant is automatically extended to all recipients of the covered
+ work and works based on it.
+ .
+ A patent license is "discriminatory" if it does not include within
+ the scope of its coverage, prohibits the exercise of, or is
+ conditioned on the non-exercise of one or more of the rights that are
+ specifically granted under this License.  You may not convey a covered
+ work if you are a party to an arrangement with a third party that is
+ in the business of distributing software, under which you make payment
+ to the third party based on the extent of your activity of conveying
+ the work, and under which the third party grants, to any of the
+ parties who would receive the covered work from you, a discriminatory
+ patent license (a) in connection with copies of the covered work
+ conveyed by you (or copies made from those copies), or (b) primarily
+ for and in connection with specific products or compilations that
+ contain the covered work, unless you entered into that arrangement,
+ or that patent license was granted, prior to 28 March 2007.
+ .
+ Nothing in this License shall be construed as excluding or limiting
+ any implied license or other defenses to infringement that may
+ otherwise be available to you under applicable patent law.
+ .
+  12. No Surrender of Others' Freedom.
+ .
+ If conditions are imposed on you (whether by court order, agreement or
+ otherwise) that contradict the conditions of this License, they do not
+ excuse you from the conditions of this License.  If you cannot convey a
+ covered work so as to satisfy simultaneously your obligations under this
+ License and any other pertinent obligations, then as a consequence you may
+ not convey it at all.  For example, if you agree to terms that obligate you
+ to collect a royalty for further conveying from those to whom you convey
+ the Program, the only way you could satisfy both those terms and this
+ License would be to refrain entirely from conveying the Program.
+ .
+  13. Remote Network Interaction; Use with the GNU General Public License.
+ .
+ Notwithstanding any other provision of this License, if you modify the
+ Program, your modified version must prominently offer all users
+ interacting with it remotely through a computer network (if your version
+ supports such interaction) an opportunity to receive the Corresponding
+ Source of your version by providing access to the Corresponding Source
+ from a network server at no charge, through some standard or customary
+ means of facilitating copying of software.  This Corresponding Source
+ shall include the Corresponding Source for any work covered by version 3
+ of the GNU General Public License that is incorporated pursuant to the
+ following paragraph.
+ .
+ Notwithstanding any other provision of this License, you have
+ permission to link or combine any covered work with a work licensed
+ under version 3 of the GNU General Public License into a single
+ combined work, and to convey the resulting work.  The terms of this
+ License will continue to apply to the part which is the covered work,
+ but the work with which it is combined will remain governed by version
+ 3 of the GNU General Public License.
+ .
+ 14. Revised Versions of this License.
+ .
+ The Free Software Foundation may publish revised and/or new versions of
+ the GNU Affero General Public License from time to time.  Such new versions
+ will be similar in spirit to the present version, but may differ in detail to
+ address new problems or concerns.
+ .
+ Each version is given a distinguishing version number.  If the
+ Program specifies that a certain numbered version of the GNU Affero General
+ Public License "or any later version" applies to it, you have the
+ option of following the terms and conditions either of that numbered
+ version or of any later version published by the Free Software
+ Foundation.  If the Program does not specify a version number of the
+ GNU Affero General Public License, you may choose any version ever published
+ by the Free Software Foundation.
+ .
+ If the Program specifies that a proxy can decide which future
+ versions of the GNU Affero General Public License can be used, that proxy's
+ public statement of acceptance of a version permanently authorizes you
+ to choose that version for the Program.
+ .
+ Later license versions may give you additional or different
+ permissions.  However, no additional obligations are imposed on any
+ author or copyright holder as a result of your choosing to follow a
+ later version.
+ .
+  15. Disclaimer of Warranty.
+ .
+ THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+ APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+ HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+ OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+ THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+ IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
  ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
  .
- 2. Replacement of Section 16.  Section 16 of the GPL shall be deleted in its
- entirety and replaced with the following:
+  16. Limitation of Liability.
  .
- 16. LIMITATION OF LIABILITY.
+ IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+ WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+ THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+ GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+ USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+ DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+ PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+ EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+ SUCH DAMAGES.
  .
- UNDER NO CIRCUMSTANCES SHALL ANY COPYRIGHT HOLDER OR ITS AFFILIATES, OR ANY
- OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE
- LIABLE TO YOU, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, FOR ANY
- DAMAGES OR OTHER LIABILITY, INCLUDING ANY GENERAL, DIRECT, INDIRECT, SPECIAL,
- INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES ARISING FROM, OUT OF OR IN
- CONNECTION WITH THE USE OR INABILITY TO USE THE PROGRAM OR OTHER DEALINGS WITH
- THE PROGRAM(INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED
- INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE
- PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), WHETHER OR NOT ANY COPYRIGHT HOLDER
- OR SUCH OTHER PARTY RECEIVES NOTICE OF ANY SUCH DAMAGES AND WHETHER OR NOT SUCH
- DAMAGES COULD HAVE BEEN FORESEEN.
+  17. Interpretation of Sections 15 and 16.
  .
- 3. LEGAL NOTICES; NO TRADEMARK LICENSE; ORIGIN.  You must reproduce faithfully
- all trademark, copyright and other proprietary and legal notices on any copies
- of the Program or any other required author attributions.  This license does not
- grant you rights to use any copyright holder or any other party's name, logo, or
- trademarks.  Neither the name of the copyright holder or its affiliates, or any
- other party who modifies and/or conveys the Program may be used to endorse or
- promote products derived from this software without specific prior written
- permission.  The origin of the Program must not be misrepresented; you must not
- claim that you wrote the original Program.  Altered source versions must be
- plainly marked as such, and must not be misrepresented as being the original
- Program.
+ If the disclaimer of warranty and limitation of liability provided
+ above cannot be given local legal effect according to their terms,
+ reviewing courts shall apply local law that most closely approximates
+ an absolute waiver of all civil liability in connection with the
+ Program, unless a warranty or assumption of liability accompanies a
+ copy of the Program in return for a fee.
  .
- 4. INDEMNIFICATION.  IF YOU CONVEY A COVERED WORK AND AGREE WITH ANY RECIPIENT
- OF THAT COVERED WORK THAT YOU WILL ASSUME ANY LIABILITY FOR THAT COVERED WORK,
- YOU HEREBY AGREE TO INDEMNIFY, DEFEND AND HOLD HARMLESS THE OTHER LICENSORS AND
- AUTHORS OF THAT COVERED WORK FOR ANY DAMAGES, DEMANDS, CLAIMS, LOSSES, CAUSES OF
- ACTION, LAWSUITS, JUDGMENTS EXPENSES (INCLUDING WITHOUT LIMITATION REASONABLE
- ATTORNEYS' FEES AND EXPENSES) OR ANY OTHER LIABILITY ARISING FROM, RELATED TO OR
- IN CONNECTION WITH YOUR ASSUMPTIONS OF LIABILITY.
+                     END OF TERMS AND CONDITIONS
+ .
+            How to Apply These Terms to Your New Programs
+ .
+ If you develop a new program, and you want it to be of the greatest
+ possible use to the public, the best way to achieve this is to make it
+ free software which everyone can redistribute and change under these terms.
+ .
+ To do so, attach the following notices to the program.  It is safest
+ to attach them to the start of each source file to most effectively
+ state the exclusion of warranty; and each file should have at least
+ the "copyright" line and a pointer to where the full notice is found.
+ .
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+ .
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU Affero General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+ .
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU Affero General Public License for more details.
+ .
+    You should have received a copy of the GNU Affero General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ .
+ Also add information on how to contact you by electronic and paper mail.
+ .
+ If your software can interact with users remotely through a computer
+ network, you should also make sure that it provides a way for users to
+ get its source.  For example, if your program is a web application, its
+ interface could display a "Source" link that leads users to an archive
+ of the code.  There are many ways you could offer source, and different
+ solutions will be better for different programs; see section 13 for the
+ specific requirements.
+ .
+ You should also get your employer (if you work as a programmer) or school,
+ if any, to sign a "copyright disclaimer" for the program, if necessary.
+ For more information on this, and how to apply and follow the GNU AGPL, see
+ <https://www.gnu.org/licenses/>.

GPLv3

@@ -1,674 +0,0 @@
-                    GNU GENERAL PUBLIC LICENSE
-                       Version 3, 29 June 2007
-
- Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
-
-                            Preamble
-
-  The GNU General Public License is a free, copyleft license for
-software and other kinds of works.
-
-  The licenses for most software and other practical works are designed
-to take away your freedom to share and change the works.  By contrast,
-the GNU General Public License is intended to guarantee your freedom to
-share and change all versions of a program--to make sure it remains free
-software for all its users.  We, the Free Software Foundation, use the
-GNU General Public License for most of our software; it applies also to
-any other work released this way by its authors.  You can apply it to
-your programs, too.
-
-  When we speak of free software, we are referring to freedom, not
-price.  Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-them if you wish), that you receive source code or can get it if you
-want it, that you can change the software or use pieces of it in new
-free programs, and that you know you can do these things.
-
-  To protect your rights, we need to prevent others from denying you
-these rights or asking you to surrender the rights.  Therefore, you have
-certain responsibilities if you distribute copies of the software, or if
-you modify it: responsibilities to respect the freedom of others.
-
-  For example, if you distribute copies of such a program, whether
-gratis or for a fee, you must pass on to the recipients the same
-freedoms that you received.  You must make sure that they, too, receive
-or can get the source code.  And you must show them these terms so they
-know their rights.
-
-  Developers that use the GNU GPL protect your rights with two steps:
-(1) assert copyright on the software, and (2) offer you this License
-giving you legal permission to copy, distribute and/or modify it.
-
-  For the developers' and authors' protection, the GPL clearly explains
-that there is no warranty for this free software.  For both users' and
-authors' sake, the GPL requires that modified versions be marked as
-changed, so that their problems will not be attributed erroneously to
-authors of previous versions.
-
-  Some devices are designed to deny users access to install or run
-modified versions of the software inside them, although the manufacturer
-can do so.  This is fundamentally incompatible with the aim of
-protecting users' freedom to change the software.  The systematic
-pattern of such abuse occurs in the area of products for individuals to
-use, which is precisely where it is most unacceptable.  Therefore, we
-have designed this version of the GPL to prohibit the practice for those
-products.  If such problems arise substantially in other domains, we
-stand ready to extend this provision to those domains in future versions
-of the GPL, as needed to protect the freedom of users.
-
-  Finally, every program is threatened constantly by software patents.
-States should not allow patents to restrict development and use of
-software on general-purpose computers, but in those that do, we wish to
-avoid the special danger that patents applied to a free program could
-make it effectively proprietary.  To prevent this, the GPL assures that
-patents cannot be used to render the program non-free.
-
-  The precise terms and conditions for copying, distribution and
-modification follow.
-
-                       TERMS AND CONDITIONS
-
-  0. Definitions.
-
-  "This License" refers to version 3 of the GNU General Public License.
-
-  "Copyright" also means copyright-like laws that apply to other kinds of
-works, such as semiconductor masks.
-
-  "The Program" refers to any copyrightable work licensed under this
-License.  Each licensee is addressed as "you".  "Licensees" and
-"recipients" may be individuals or organizations.
-
-  To "modify" a work means to copy from or adapt all or part of the work
-in a fashion requiring copyright permission, other than the making of an
-exact copy.  The resulting work is called a "modified version" of the
-earlier work or a work "based on" the earlier work.
-
-  A "covered work" means either the unmodified Program or a work based
-on the Program.
-
-  To "propagate" a work means to do anything with it that, without
-permission, would make you directly or secondarily liable for
-infringement under applicable copyright law, except executing it on a
-computer or modifying a private copy.  Propagation includes copying,
-distribution (with or without modification), making available to the
-public, and in some countries other activities as well.
-
-  To "convey" a work means any kind of propagation that enables other
-parties to make or receive copies.  Mere interaction with a user through
-a computer network, with no transfer of a copy, is not conveying.
-
-  An interactive user interface displays "Appropriate Legal Notices"
-to the extent that it includes a convenient and prominently visible
-feature that (1) displays an appropriate copyright notice, and (2)
-tells the user that there is no warranty for the work (except to the
-extent that warranties are provided), that licensees may convey the
-work under this License, and how to view a copy of this License.  If
-the interface presents a list of user commands or options, such as a
-menu, a prominent item in the list meets this criterion.
-
-  1. Source Code.
-
-  The "source code" for a work means the preferred form of the work
-for making modifications to it.  "Object code" means any non-source
-form of a work.
-
-  A "Standard Interface" means an interface that either is an official
-standard defined by a recognized standards body, or, in the case of
-interfaces specified for a particular programming language, one that
-is widely used among developers working in that language.
-
-  The "System Libraries" of an executable work include anything, other
-than the work as a whole, that (a) is included in the normal form of
-packaging a Major Component, but which is not part of that Major
-Component, and (b) serves only to enable use of the work with that
-Major Component, or to implement a Standard Interface for which an
-implementation is available to the public in source code form.  A
-"Major Component", in this context, means a major essential component
-(kernel, window system, and so on) of the specific operating system
-(if any) on which the executable work runs, or a compiler used to
-produce the work, or an object code interpreter used to run it.
-
-  The "Corresponding Source" for a work in object code form means all
-the source code needed to generate, install, and (for an executable
-work) run the object code and to modify the work, including scripts to
-control those activities.  However, it does not include the work's
-System Libraries, or general-purpose tools or generally available free
-programs which are used unmodified in performing those activities but
-which are not part of the work.  For example, Corresponding Source
-includes interface definition files associated with source files for
-the work, and the source code for shared libraries and dynamically
-linked subprograms that the work is specifically designed to require,
-such as by intimate data communication or control flow between those
-subprograms and other parts of the work.
-
-  The Corresponding Source need not include anything that users
-can regenerate automatically from other parts of the Corresponding
-Source.
-
-  The Corresponding Source for a work in source code form is that
-same work.
-
-  2. Basic Permissions.
-
-  All rights granted under this License are granted for the term of
-copyright on the Program, and are irrevocable provided the stated
-conditions are met.  This License explicitly affirms your unlimited
-permission to run the unmodified Program.  The output from running a
-covered work is covered by this License only if the output, given its
-content, constitutes a covered work.  This License acknowledges your
-rights of fair use or other equivalent, as provided by copyright law.
-
-  You may make, run and propagate covered works that you do not
-convey, without conditions so long as your license otherwise remains
-in force.  You may convey covered works to others for the sole purpose
-of having them make modifications exclusively for you, or provide you
-with facilities for running those works, provided that you comply with
-the terms of this License in conveying all material for which you do
-not control copyright.  Those thus making or running the covered works
-for you must do so exclusively on your behalf, under your direction
-and control, on terms that prohibit them from making any copies of
-your copyrighted material outside their relationship with you.
-
-  Conveying under any other circumstances is permitted solely under
-the conditions stated below.  Sublicensing is not allowed; section 10
-makes it unnecessary.
-
-  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
-
-  No covered work shall be deemed part of an effective technological
-measure under any applicable law fulfilling obligations under article
-11 of the WIPO copyright treaty adopted on 20 December 1996, or
-similar laws prohibiting or restricting circumvention of such
-measures.
-
-  When you convey a covered work, you waive any legal power to forbid
-circumvention of technological measures to the extent such circumvention
-is effected by exercising rights under this License with respect to
-the covered work, and you disclaim any intention to limit operation or
-modification of the work as a means of enforcing, against the work's
-users, your or third parties' legal rights to forbid circumvention of
-technological measures.
-
-  4. Conveying Verbatim Copies.
-
-  You may convey verbatim copies of the Program's source code as you
-receive it, in any medium, provided that you conspicuously and
-appropriately publish on each copy an appropriate copyright notice;
-keep intact all notices stating that this License and any
-non-permissive terms added in accord with section 7 apply to the code;
-keep intact all notices of the absence of any warranty; and give all
-recipients a copy of this License along with the Program.
-
-  You may charge any price or no price for each copy that you convey,
-and you may offer support or warranty protection for a fee.
-
-  5. Conveying Modified Source Versions.
-
-  You may convey a work based on the Program, or the modifications to
-produce it from the Program, in the form of source code under the
-terms of section 4, provided that you also meet all of these conditions:
-
-    a) The work must carry prominent notices stating that you modified
-    it, and giving a relevant date.
-
-    b) The work must carry prominent notices stating that it is
-    released under this License and any conditions added under section
-    7.  This requirement modifies the requirement in section 4 to
-    "keep intact all notices".
-
-    c) You must license the entire work, as a whole, under this
-    License to anyone who comes into possession of a copy.  This
-    License will therefore apply, along with any applicable section 7
-    additional terms, to the whole of the work, and all its parts,
-    regardless of how they are packaged.  This License gives no
-    permission to license the work in any other way, but it does not
-    invalidate such permission if you have separately received it.
-
-    d) If the work has interactive user interfaces, each must display
-    Appropriate Legal Notices; however, if the Program has interactive
-    interfaces that do not display Appropriate Legal Notices, your
-    work need not make them do so.
-
-  A compilation of a covered work with other separate and independent
-works, which are not by their nature extensions of the covered work,
-and which are not combined with it such as to form a larger program,
-in or on a volume of a storage or distribution medium, is called an
-"aggregate" if the compilation and its resulting copyright are not
-used to limit the access or legal rights of the compilation's users
-beyond what the individual works permit.  Inclusion of a covered work
-in an aggregate does not cause this License to apply to the other
-parts of the aggregate.
-
-  6. Conveying Non-Source Forms.
-
-  You may convey a covered work in object code form under the terms
-of sections 4 and 5, provided that you also convey the
-machine-readable Corresponding Source under the terms of this License,
-in one of these ways:
-
-    a) Convey the object code in, or embodied in, a physical product
-    (including a physical distribution medium), accompanied by the
-    Corresponding Source fixed on a durable physical medium
-    customarily used for software interchange.
-
-    b) Convey the object code in, or embodied in, a physical product
-    (including a physical distribution medium), accompanied by a
-    written offer, valid for at least three years and valid for as
-    long as you offer spare parts or customer support for that product
-    model, to give anyone who possesses the object code either (1) a
-    copy of the Corresponding Source for all the software in the
-    product that is covered by this License, on a durable physical
-    medium customarily used for software interchange, for a price no
-    more than your reasonable cost of physically performing this
-    conveying of source, or (2) access to copy the
-    Corresponding Source from a network server at no charge.
-
-    c) Convey individual copies of the object code with a copy of the
-    written offer to provide the Corresponding Source.  This
-    alternative is allowed only occasionally and noncommercially, and
-    only if you received the object code with such an offer, in accord
-    with subsection 6b.
-
-    d) Convey the object code by offering access from a designated
-    place (gratis or for a charge), and offer equivalent access to the
-    Corresponding Source in the same way through the same place at no
-    further charge.  You need not require recipients to copy the
-    Corresponding Source along with the object code.  If the place to
-    copy the object code is a network server, the Corresponding Source
-    may be on a different server (operated by you or a third party)
-    that supports equivalent copying facilities, provided you maintain
-    clear directions next to the object code saying where to find the
-    Corresponding Source.  Regardless of what server hosts the
-    Corresponding Source, you remain obligated to ensure that it is
-    available for as long as needed to satisfy these requirements.
-
-    e) Convey the object code using peer-to-peer transmission, provided
-    you inform other peers where the object code and Corresponding
-    Source of the work are being offered to the general public at no
-    charge under subsection 6d.
-
-  A separable portion of the object code, whose source code is excluded
-from the Corresponding Source as a System Library, need not be
-included in conveying the object code work.
-
-  A "User Product" is either (1) a "consumer product", which means any
-tangible personal property which is normally used for personal, family,
-or household purposes, or (2) anything designed or sold for incorporation
-into a dwelling.  In determining whether a product is a consumer product,
-doubtful cases shall be resolved in favor of coverage.  For a particular
-product received by a particular user, "normally used" refers to a
-typical or common use of that class of product, regardless of the status
-of the particular user or of the way in which the particular user
-actually uses, or expects or is expected to use, the product.  A product
-is a consumer product regardless of whether the product has substantial
-commercial, industrial or non-consumer uses, unless such uses represent
-the only significant mode of use of the product.
-
-  "Installation Information" for a User Product means any methods,
-procedures, authorization keys, or other information required to install
-and execute modified versions of a covered work in that User Product from
-a modified version of its Corresponding Source.  The information must
-suffice to ensure that the continued functioning of the modified object
-code is in no case prevented or interfered with solely because
-modification has been made.
-
-  If you convey an object code work under this section in, or with, or
-specifically for use in, a User Product, and the conveying occurs as
-part of a transaction in which the right of possession and use of the
-User Product is transferred to the recipient in perpetuity or for a
-fixed term (regardless of how the transaction is characterized), the
-Corresponding Source conveyed under this section must be accompanied
-by the Installation Information.  But this requirement does not apply
-if neither you nor any third party retains the ability to install
-modified object code on the User Product (for example, the work has
-been installed in ROM).
-
-  The requirement to provide Installation Information does not include a
-requirement to continue to provide support service, warranty, or updates
-for a work that has been modified or installed by the recipient, or for
-the User Product in which it has been modified or installed.  Access to a
-network may be denied when the modification itself materially and
-adversely affects the operation of the network or violates the rules and
-protocols for communication across the network.
-
-  Corresponding Source conveyed, and Installation Information provided,
-in accord with this section must be in a format that is publicly
-documented (and with an implementation available to the public in
-source code form), and must require no special password or key for
-unpacking, reading or copying.
-
-  7. Additional Terms.
-
-  "Additional permissions" are terms that supplement the terms of this
-License by making exceptions from one or more of its conditions.
-Additional permissions that are applicable to the entire Program shall
-be treated as though they were included in this License, to the extent
-that they are valid under applicable law.  If additional permissions
-apply only to part of the Program, that part may be used separately
-under those permissions, but the entire Program remains governed by
-this License without regard to the additional permissions.
-
-  When you convey a copy of a covered work, you may at your option
-remove any additional permissions from that copy, or from any part of
-it.  (Additional permissions may be written to require their own
-removal in certain cases when you modify the work.)  You may place
-additional permissions on material, added by you to a covered work,
-for which you have or can give appropriate copyright permission.
-
-  Notwithstanding any other provision of this License, for material you
-add to a covered work, you may (if authorized by the copyright holders of
-that material) supplement the terms of this License with terms:
-
-    a) Disclaiming warranty or limiting liability differently from the
-    terms of sections 15 and 16 of this License; or
-
-    b) Requiring preservation of specified reasonable legal notices or
-    author attributions in that material or in the Appropriate Legal
-    Notices displayed by works containing it; or
-
-    c) Prohibiting misrepresentation of the origin of that material, or
-    requiring that modified versions of such material be marked in
-    reasonable ways as different from the original version; or
-
-    d) Limiting the use for publicity purposes of names of licensors or
-    authors of the material; or
-
-    e) Declining to grant rights under trademark law for use of some
-    trade names, trademarks, or service marks; or
-
-    f) Requiring indemnification of licensors and authors of that
-    material by anyone who conveys the material (or modified versions of
-    it) with contractual assumptions of liability to the recipient, for
-    any liability that these contractual assumptions directly impose on
-    those licensors and authors.
-
-  All other non-permissive additional terms are considered "further
-restrictions" within the meaning of section 10.  If the Program as you
-received it, or any part of it, contains a notice stating that it is
-governed by this License along with a term that is a further
-restriction, you may remove that term.  If a license document contains
-a further restriction but permits relicensing or conveying under this
-License, you may add to a covered work material governed by the terms
-of that license document, provided that the further restriction does
-not survive such relicensing or conveying.
-
-  If you add terms to a covered work in accord with this section, you
-must place, in the relevant source files, a statement of the
-additional terms that apply to those files, or a notice indicating
-where to find the applicable terms.
-
-  Additional terms, permissive or non-permissive, may be stated in the
-form of a separately written license, or stated as exceptions;
-the above requirements apply either way.
-
-  8. Termination.
-
-  You may not propagate or modify a covered work except as expressly
-provided under this License.  Any attempt otherwise to propagate or
-modify it is void, and will automatically terminate your rights under
-this License (including any patent licenses granted under the third
-paragraph of section 11).
-
-  However, if you cease all violation of this License, then your
-license from a particular copyright holder is reinstated (a)
-provisionally, unless and until the copyright holder explicitly and
-finally terminates your license, and (b) permanently, if the copyright
-holder fails to notify you of the violation by some reasonable means
-prior to 60 days after the cessation.
-
-  Moreover, your license from a particular copyright holder is
-reinstated permanently if the copyright holder notifies you of the
-violation by some reasonable means, this is the first time you have
-received notice of violation of this License (for any work) from that
-copyright holder, and you cure the violation prior to 30 days after
-your receipt of the notice.
-
-  Termination of your rights under this section does not terminate the
-licenses of parties who have received copies or rights from you under
-this License.  If your rights have been terminated and not permanently
-reinstated, you do not qualify to receive new licenses for the same
-material under section 10.
-
-  9. Acceptance Not Required for Having Copies.
-
-  You are not required to accept this License in order to receive or
-run a copy of the Program.  Ancillary propagation of a covered work
-occurring solely as a consequence of using peer-to-peer transmission
-to receive a copy likewise does not require acceptance.  However,
-nothing other than this License grants you permission to propagate or
-modify any covered work.  These actions infringe copyright if you do
-not accept this License.  Therefore, by modifying or propagating a
-covered work, you indicate your acceptance of this License to do so.
-
-  10. Automatic Licensing of Downstream Recipients.
-
-  Each time you convey a covered work, the recipient automatically
-receives a license from the original licensors, to run, modify and
-propagate that work, subject to this License.  You are not responsible
-for enforcing compliance by third parties with this License.
-
-  An "entity transaction" is a transaction transferring control of an
-organization, or substantially all assets of one, or subdividing an
-organization, or merging organizations.  If propagation of a covered
-work results from an entity transaction, each party to that
-transaction who receives a copy of the work also receives whatever
-licenses to the work the party's predecessor in interest had or could
-give under the previous paragraph, plus a right to possession of the
-Corresponding Source of the work from the predecessor in interest, if
-the predecessor has it or can get it with reasonable efforts.
-
-  You may not impose any further restrictions on the exercise of the
-rights granted or affirmed under this License.  For example, you may
-not impose a license fee, royalty, or other charge for exercise of
-rights granted under this License, and you may not initiate litigation
-(including a cross-claim or counterclaim in a lawsuit) alleging that
-any patent claim is infringed by making, using, selling, offering for
-sale, or importing the Program or any portion of it.
-
-  11. Patents.
-
-  A "contributor" is a copyright holder who authorizes use under this
-License of the Program or a work on which the Program is based.  The
-work thus licensed is called the contributor's "contributor version".
-
-  A contributor's "essential patent claims" are all patent claims
-owned or controlled by the contributor, whether already acquired or
-hereafter acquired, that would be infringed by some manner, permitted
-by this License, of making, using, or selling its contributor version,
-but do not include claims that would be infringed only as a
-consequence of further modification of the contributor version.  For
-purposes of this definition, "control" includes the right to grant
-patent sublicenses in a manner consistent with the requirements of
-this License.
-
-  Each contributor grants you a non-exclusive, worldwide, royalty-free
-patent license under the contributor's essential patent claims, to
-make, use, sell, offer for sale, import and otherwise run, modify and
-propagate the contents of its contributor version.
-
-  In the following three paragraphs, a "patent license" is any express
-agreement or commitment, however denominated, not to enforce a patent
-(such as an express permission to practice a patent or covenant not to
-sue for patent infringement).  To "grant" such a patent license to a
-party means to make such an agreement or commitment not to enforce a
-patent against the party.
-
-  If you convey a covered work, knowingly relying on a patent license,
-and the Corresponding Source of the work is not available for anyone
-to copy, free of charge and under the terms of this License, through a
-publicly available network server or other readily accessible means,
-then you must either (1) cause the Corresponding Source to be so
-available, or (2) arrange to deprive yourself of the benefit of the
-patent license for this particular work, or (3) arrange, in a manner
-consistent with the requirements of this License, to extend the patent
-license to downstream recipients.  "Knowingly relying" means you have
-actual knowledge that, but for the patent license, your conveying the
-covered work in a country, or your recipient's use of the covered work
-in a country, would infringe one or more identifiable patents in that
-country that you have reason to believe are valid.
-
-  If, pursuant to or in connection with a single transaction or
-arrangement, you convey, or propagate by procuring conveyance of, a
-covered work, and grant a patent license to some of the parties
-receiving the covered work authorizing them to use, propagate, modify
-or convey a specific copy of the covered work, then the patent license
-you grant is automatically extended to all recipients of the covered
-work and works based on it.
-
-  A patent license is "discriminatory" if it does not include within
-the scope of its coverage, prohibits the exercise of, or is
-conditioned on the non-exercise of one or more of the rights that are
-specifically granted under this License.  You may not convey a covered
-work if you are a party to an arrangement with a third party that is
-in the business of distributing software, under which you make payment
-to the third party based on the extent of your activity of conveying
-the work, and under which the third party grants, to any of the
-parties who would receive the covered work from you, a discriminatory
-patent license (a) in connection with copies of the covered work
-conveyed by you (or copies made from those copies), or (b) primarily
-for and in connection with specific products or compilations that
-contain the covered work, unless you entered into that arrangement,
-or that patent license was granted, prior to 28 March 2007.
-
-  Nothing in this License shall be construed as excluding or limiting
-any implied license or other defenses to infringement that may
-otherwise be available to you under applicable patent law.
-
-  12. No Surrender of Others' Freedom.
-
-  If conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License.  If you cannot convey a
-covered work so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you may
-not convey it at all.  For example, if you agree to terms that obligate you
-to collect a royalty for further conveying from those to whom you convey
-the Program, the only way you could satisfy both those terms and this
-License would be to refrain entirely from conveying the Program.
-
-  13. Use with the GNU Affero General Public License.
-
-  Notwithstanding any other provision of this License, you have
-permission to link or combine any covered work with a work licensed
-under version 3 of the GNU Affero General Public License into a single
-combined work, and to convey the resulting work.  The terms of this
-License will continue to apply to the part which is the covered work,
-but the special requirements of the GNU Affero General Public License,
-section 13, concerning interaction through a network will apply to the
-combination as such.
-
-  14. Revised Versions of this License.
-
-  The Free Software Foundation may publish revised and/or new versions of
-the GNU General Public License from time to time.  Such new versions will
-be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
-
-  Each version is given a distinguishing version number.  If the
-Program specifies that a certain numbered version of the GNU General
-Public License "or any later version" applies to it, you have the
-option of following the terms and conditions either of that numbered
-version or of any later version published by the Free Software
-Foundation.  If the Program does not specify a version number of the
-GNU General Public License, you may choose any version ever published
-by the Free Software Foundation.
-
-  If the Program specifies that a proxy can decide which future
-versions of the GNU General Public License can be used, that proxy's
-public statement of acceptance of a version permanently authorizes you
-to choose that version for the Program.
-
-  Later license versions may give you additional or different
-permissions.  However, no additional obligations are imposed on any
-author or copyright holder as a result of your choosing to follow a
-later version.
-
-  15. Disclaimer of Warranty.
-
-  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
-APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
-HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
-OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
-THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
-IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
-ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
-
-  16. Limitation of Liability.
-
-  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
-THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
-GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
-USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
-DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
-PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
-EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGES.
-
-  17. Interpretation of Sections 15 and 16.
-
-  If the disclaimer of warranty and limitation of liability provided
-above cannot be given local legal effect according to their terms,
-reviewing courts shall apply local law that most closely approximates
-an absolute waiver of all civil liability in connection with the
-Program, unless a warranty or assumption of liability accompanies a
-copy of the Program in return for a fee.
-
-                     END OF TERMS AND CONDITIONS
-
-            How to Apply These Terms to Your New Programs
-
-  If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these terms.
-
-  To do so, attach the following notices to the program.  It is safest
-to attach them to the start of each source file to most effectively
-state the exclusion of warranty; and each file should have at least
-the "copyright" line and a pointer to where the full notice is found.
-
-    <one line to give the program's name and a brief idea of what it does.>
-    Copyright (C) <year>  <name of author>
-
-    This program is free software: you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
-    the Free Software Foundation, either version 3 of the License, or
-    (at your option) any later version.
-
-    This program is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU General Public License for more details.
-
-    You should have received a copy of the GNU General Public License
-    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-Also add information on how to contact you by electronic and paper mail.
-
-  If the program does terminal interaction, make it output a short
-notice like this when it starts in an interactive mode:
-
-    <program>  Copyright (C) <year>  <name of author>
-    This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
-    This is free software, and you are welcome to redistribute it
-    under certain conditions; type `show c' for details.
-
-The hypothetical commands `show w' and `show c' should show the appropriate
-parts of the General Public License.  Of course, your program's commands
-might be different; for a GUI interface, you would use an "about box".
-
-  You should also get your employer (if you work as a programmer) or school,
-if any, to sign a "copyright disclaimer" for the program, if necessary.
-For more information on this, and how to apply and follow the GNU GPL, see
-<http://www.gnu.org/licenses/>.
-
-  The GNU General Public License does not permit incorporating your program
-into proprietary programs.  If your program is a subroutine library, you
-may consider it more useful to permit linking proprietary applications with
-the library.  If this is what you want to do, use the GNU Lesser General
-Public License instead of this License.  But first, please read
-<http://www.gnu.org/philosophy/why-not-lgpl.html>.

README_generic.md

@@ -1,33 +1,36 @@
 # Enhances Miscellaneous Security Settings #
 
-https://github.com/Whonix/security-misc/blob/master/README.md
+https://github.com/Kicksecure/security-misc/blob/master/README.md
 
-https://www.whonix.org/wiki/Security-misc
+https://www.kicksecure.com/wiki/Security-misc
+
+Package security-misc-desktop and/or security-misc-server may also be useful.
 
 Discussion:
 
 Happening primarily in Whonix forums.
-https://forums.whonix.org/t/kernel-hardening/7296
+https://forums.whonix.org/t/kernel-hardening-security-misc/7296
+
 ## How to install `security-misc` using apt-get ##
 
-1\. Download Whonix's Signing Key.
+1\. Download the APT Signing Key.
 
 ```
-wget https://www.whonix.org/patrick.asc
+wget https://www.kicksecure.com/keys/derivative.asc
 ```
 
-Users can [check Whonix Signing Key](https://www.whonix.org/wiki/Whonix_Signing_Key) for better security.
+Users can [check the Signing Key](https://www.kicksecure.com/wiki/Signing_Key) for better security.
 
-2\. Add Whonix's signing key.
+2\. Add the APT Signing Key.
 
 ```
-sudo apt-key --keyring /etc/apt/trusted.gpg.d/derivative.gpg add ~/patrick.asc
+sudo cp ~/derivative.asc /usr/share/keyrings/derivative.asc
 ```
 
-3\. Add Whonix's APT repository.
+3\. Add the derivative repository.
 
 ```
-echo "deb https://deb.whonix.org bullseye main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list
+echo "deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.kicksecure.com trixie main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list
 ```
 
 4\. Update your package lists.
@@ -50,16 +53,18 @@ Can be build using standard Debian package build tools such as:
 dpkg-buildpackage -b
 ```
 
-See instructions. (Replace `generic-package` with the actual name of this package `security-misc`.)
+See instructions.
 
-* **A)** [easy](https://www.whonix.org/wiki/Dev/Build_Documentation/generic-package/easy), _OR_
-* **B)** [including verifying software signatures](https://www.whonix.org/wiki/Dev/Build_Documentation/generic-package)
+NOTE: Replace `generic-package` with the actual name of this package `security-misc`.
+
+* **A)** [easy](https://www.kicksecure.com/wiki/Dev/Build_Documentation/generic-package/easy), _OR_
+* **B)** [including verifying software signatures](https://www.kicksecure.com/wiki/Dev/Build_Documentation/generic-package)
 
 ## Contact ##
 
-* [Free Forum Support](https://forums.whonix.org)
-* [Professional Support](https://www.whonix.org/wiki/Professional_Support)
+* [Free Forum Support](https://forums.kicksecure.com)
+* [Premium Support](https://www.kicksecure.com/wiki/Premium_Support)
 
 ## Donate ##
 
-`security-misc` requires [donations](https://www.whonix.org/wiki/Donate) to stay alive!
+`security-misc` requires [donations](https://www.kicksecure.com/wiki/Donate) to stay alive!

debian/control

@@ -1,28 +1,79 @@
-## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@kicksecure.com>
 ## See the file COPYING for copying conditions.
 
 Source: security-misc
 Section: misc
 Priority: optional
-Maintainer: Patrick Schleizer <adrelanos@whonix.org>
-Build-Depends: debhelper (>= 13), debhelper-compat (= 13), config-package-dev, dh-apparmor
-Homepage: https://github.com/Whonix/security-misc
-Vcs-Browser: https://github.com/Whonix/security-misc
-Vcs-Git: https://github.com/Whonix/security-misc.git
-Standards-Version: 4.5.1
+Maintainer: Patrick Schleizer <adrelanos@kicksecure.com>
+Build-Depends: debhelper (>= 13),
+               debhelper-compat (= 13),
+               dh-apparmor,
+               dh-exec,
+               config-package-dev,
+               po-debconf
+Homepage: https://www.kicksecure.com/wiki/Security-misc
+Vcs-Browser: https://github.com/Kicksecure/security-misc
+Vcs-Git: https://github.com/Kicksecure/security-misc.git
+Standards-Version: 4.7.2
 Rules-Requires-Root: no
 
-Package: security-misc
+## 'Package: security-misc-shared' Comments
+##
+## 'Conflicts: security-misc' is needed.
+## > dpkg-divert: error: 'diversion of /etc/securetty to /etc/securetty.security-misc-orig by security-misc-shared' clashes with 'diversion of /etc/securetty to /etc/securetty.security-misc-orig by security-misc'
+##
+## 'Provides: security-misc' is useful.
+## sudo dpkg -i /home/user/derivative-binary/genmkfile-packages-result/security-misc-shared_47.7-1_all.deb
+## > dpkg: considering removing security-misc in favour of security-misc-shared ...
+## > dpkg: no, cannot proceed with removal of security-misc (--auto-deconfigure will help):
+## > systemcheck depends on security-misc
+## >  security-misc is to be removed
+Package: security-misc-shared
 Architecture: all
-Depends: python3, libglib2.0-bin, libpam-runtime, sudo, adduser, libcap2-bin,
- apparmor-profile-dist, helper-scripts, libpam-modules-bin, ${misc:Depends}
-Replaces: tcp-timestamps-disable, anon-gpg-tweaks, swappiness-lowest
+Depends: adduser,
+         apparmor-profile-dist,
+         build-essential,
+         dmsetup,
+         helper-scripts,
+         libcap2-bin,
+         libglib2.0-bin,
+         libpam-modules-bin,
+         libpam-runtime,
+         libpam-umask,
+         memlockd,
+         python3,
+         secure-delete,
+         ${misc:Depends}
+Replaces: anon-gpg-tweaks,
+          security-misc,
+          swappiness-lowest,
+          tcp-timestamps-disable
+Conflicts: security-misc
+Provides: security-misc
 Description: Enhances Miscellaneous Security Settings
- https://github.com/Whonix/security-misc/blob/master/README.md
+ https://github.com/Kicksecure/security-misc/blob/master/README.md
  .
- https://www.whonix.org/wiki/Security-misc
+ https://www.kicksecure.com/wiki/Security-misc
+ .
+ Package security-misc-desktop and/or security-misc-server may also be useful.
  .
  Discussion:
  .
  Happening primarily in Whonix forums.
- https://forums.whonix.org/t/kernel-hardening/7296
+ https://forums.whonix.org/t/kernel-hardening-security-misc/7296
+
+Package: security-misc-desktop
+Architecture: all
+Depends: security-misc-shared, ${misc:Depends}
+Description: Security improvements for desktops
+ For desktops.
+ .
+ (Or servers running a desktop?)
+
+Package: security-misc-server
+Architecture: all
+Depends: security-misc-shared, ${misc:Depends}
+Description: Security improvements for servers
+ For servers.
+ .
+ (Or desktops running a server?)

debian/copyright

@@ -1,73 +1,668 @@
 Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 
 Files: *
-Copyright: 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
-License: GPL-3+-with-additional-terms-1
- This program is free software: you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation, either version 3 of the License, or
- (at your option) any later version.
+Copyright: 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+License: AGPL-3+
+
+License: AGPL-3+
+                    GNU AFFERO GENERAL PUBLIC LICENSE
+                       Version 3, 19 November 2007
  .
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- GNU General Public License for more details.
+ Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
  .
- You should have received a copy of the GNU General Public License
- along with this program.  If not, see <https://www.gnu.org/licenses/>.
+                            Preamble
  .
- On Debian systems, the full text of the GNU General Public
- License version 3 can be found in the file
- `/usr/share/common-licenses/GPL-3'.
+ The GNU Affero General Public License is a free, copyleft license for
+ software and other kinds of works, specifically designed to ensure
+ cooperation with the community in the case of network server software.
  .
- ADDITIONAL TERMS APPLICABLE per GNU GPL version 3 section 7
+ The licenses for most software and other practical works are designed
+ to take away your freedom to share and change the works.  By contrast,
+ our General Public Licenses are intended to guarantee your freedom to
+ share and change all versions of a program--to make sure it remains free
+ software for all its users.
  .
- 1. Replacement of Section 15.  Section 15 of the GPL shall be deleted in its
- entirety and replaced with the following:
+  When we speak of free software, we are referring to freedom, not
+ price.  Our General Public Licenses are designed to make sure that you
+ have the freedom to distribute copies of free software (and charge for
+ them if you wish), that you receive source code or can get it if you
+ want it, that you can change the software or use pieces of it in new
+ free programs, and that you know you can do these things.
  .
- 15. Disclaimer of Warranty.
+  Developers that use our General Public Licenses protect your rights
+ with two steps: (1) assert copyright on the software, and (2) offer
+ you this License which gives you legal permission to copy, distribute
+ and/or modify the software.
  .
- THE PROGRAM IS PROVIDED WITHOUT ANY WARRANTIES, WHETHER EXPRESSED OR IMPLIED,
- INCLUDING, WITHOUT LIMITATION, IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR
- PURPOSE, NON-INFRINGEMENT, TITLE AND MERCHANTABILITY.  THE PROGRAM IS BEING
- DELIVERED OR MADE AVAILABLE 'AS IS', 'WITH ALL FAULTS' AND WITHOUT WARRANTY OR
- REPRESENTATION.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
- PROGRAM IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ A secondary benefit of defending all users' freedom is that
+ improvements made in alternate versions of the program, if they
+ receive widespread use, become available for other developers to
+ incorporate.  Many developers of free software are heartened and
+ encouraged by the resulting cooperation.  However, in the case of
+ software used on network servers, this result may fail to come about.
+ The GNU General Public License permits making a modified version and
+ letting the public access it on a server without ever releasing its
+ source code to the public.
+ .
+ The GNU Affero General Public License is designed specifically to
+ ensure that, in such cases, the modified source code becomes available
+ to the community.  It requires the operator of a network server to
+ provide the source code of the modified version running there to the
+ users of that server.  Therefore, public use of a modified version, on
+ a publicly accessible server, gives the public access to the source
+ code of the modified version.
+ .
+ An older license, called the Affero General Public License and
+ published by Affero, was designed to accomplish similar goals.  This is
+ a different license, not a version of the Affero GPL, but Affero has
+ released a new version of the Affero GPL which permits relicensing under
+ this license.
+ .
+ The precise terms and conditions for copying, distribution and
+ modification follow.
+ .
+                       TERMS AND CONDITIONS
+ .
+  0. Definitions.
+ .
+  "This License" refers to version 3 of the GNU Affero General Public License.
+ .
+  "Copyright" also means copyright-like laws that apply to other kinds of
+ works, such as semiconductor masks.
+ .
+ "The Program" refers to any copyrightable work licensed under this
+ License.  Each licensee is addressed as "you".  "Licensees" and
+ "recipients" may be individuals or organizations.
+ .
+ To "modify" a work means to copy from or adapt all or part of the work
+ in a fashion requiring copyright permission, other than the making of an
+ exact copy.  The resulting work is called a "modified version" of the
+ earlier work or a work "based on" the earlier work.
+ .
+ A "covered work" means either the unmodified Program or a work based
+ on the Program.
+ .
+ To "propagate" a work means to do anything with it that, without
+ permission, would make you directly or secondarily liable for
+ infringement under applicable copyright law, except executing it on a
+ computer or modifying a private copy.  Propagation includes copying,
+ distribution (with or without modification), making available to the
+ public, and in some countries other activities as well.
+ .
+ To "convey" a work means any kind of propagation that enables other
+ parties to make or receive copies.  Mere interaction with a user through
+ a computer network, with no transfer of a copy, is not conveying.
+ .
+ An interactive user interface displays "Appropriate Legal Notices"
+ to the extent that it includes a convenient and prominently visible
+ feature that (1) displays an appropriate copyright notice, and (2)
+ tells the user that there is no warranty for the work (except to the
+ extent that warranties are provided), that licensees may convey the
+ work under this License, and how to view a copy of this License.  If
+ the interface presents a list of user commands or options, such as a
+ menu, a prominent item in the list meets this criterion.
+ .
+ 1. Source Code.
+ .
+ The "source code" for a work means the preferred form of the work
+ for making modifications to it.  "Object code" means any non-source
+ form of a work.
+ .
+ A "Standard Interface" means an interface that either is an official
+ standard defined by a recognized standards body, or, in the case of
+ interfaces specified for a particular programming language, one that
+ is widely used among developers working in that language.
+ .
+ The "System Libraries" of an executable work include anything, other
+ than the work as a whole, that (a) is included in the normal form of
+ packaging a Major Component, but which is not part of that Major
+ Component, and (b) serves only to enable use of the work with that
+ Major Component, or to implement a Standard Interface for which an
+ implementation is available to the public in source code form.  A
+ "Major Component", in this context, means a major essential component
+ (kernel, window system, and so on) of the specific operating system
+ (if any) on which the executable work runs, or a compiler used to
+ produce the work, or an object code interpreter used to run it.
+ .
+ The "Corresponding Source" for a work in object code form means all
+ the source code needed to generate, install, and (for an executable
+ work) run the object code and to modify the work, including scripts to
+ control those activities.  However, it does not include the work's
+ System Libraries, or general-purpose tools or generally available free
+ programs which are used unmodified in performing those activities but
+ which are not part of the work.  For example, Corresponding Source
+ includes interface definition files associated with source files for
+ the work, and the source code for shared libraries and dynamically
+ linked subprograms that the work is specifically designed to require,
+ such as by intimate data communication or control flow between those
+ subprograms and other parts of the work.
+ .
+ The Corresponding Source need not include anything that users
+ can regenerate automatically from other parts of the Corresponding
+ Source.
+ .
+ The Corresponding Source for a work in source code form is that
+ same work.
+ .
+  2. Basic Permissions.
+ .
+  All rights granted under this License are granted for the term of
+ copyright on the Program, and are irrevocable provided the stated
+ conditions are met.  This License explicitly affirms your unlimited
+ permission to run the unmodified Program.  The output from running a
+ covered work is covered by this License only if the output, given its
+ content, constitutes a covered work.  This License acknowledges your
+ rights of fair use or other equivalent, as provided by copyright law.
+ .
+ You may make, run and propagate covered works that you do not
+ convey, without conditions so long as your license otherwise remains
+ in force.  You may convey covered works to others for the sole purpose
+ of having them make modifications exclusively for you, or provide you
+ with facilities for running those works, provided that you comply with
+ the terms of this License in conveying all material for which you do
+ not control copyright.  Those thus making or running the covered works
+ for you must do so exclusively on your behalf, under your direction
+ and control, on terms that prohibit them from making any copies of
+ your copyrighted material outside their relationship with you.
+ .
+ Conveying under any other circumstances is permitted solely under
+ the conditions stated below.  Sublicensing is not allowed; section 10
+ makes it unnecessary.
+ .
+  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+ .
+ No covered work shall be deemed part of an effective technological
+ measure under any applicable law fulfilling obligations under article
+ 11 of the WIPO copyright treaty adopted on 20 December 1996, or
+ similar laws prohibiting or restricting circumvention of such
+ measures.
+ .
+ When you convey a covered work, you waive any legal power to forbid
+ circumvention of technological measures to the extent such circumvention
+ is effected by exercising rights under this License with respect to
+ the covered work, and you disclaim any intention to limit operation or
+ modification of the work as a means of enforcing, against the work's
+ users, your or third parties' legal rights to forbid circumvention of
+ technological measures.
+ .
+  4. Conveying Verbatim Copies.
+ .
+ You may convey verbatim copies of the Program's source code as you
+ receive it, in any medium, provided that you conspicuously and
+ appropriately publish on each copy an appropriate copyright notice;
+ keep intact all notices stating that this License and any
+ non-permissive terms added in accord with section 7 apply to the code;
+ keep intact all notices of the absence of any warranty; and give all
+ recipients a copy of this License along with the Program.
+ .
+ You may charge any price or no price for each copy that you convey,
+ and you may offer support or warranty protection for a fee.
+ .
+  5. Conveying Modified Source Versions.
+ .
+ You may convey a work based on the Program, or the modifications to
+ produce it from the Program, in the form of source code under the
+ terms of section 4, provided that you also meet all of these conditions:
+ .
+    a) The work must carry prominent notices stating that you modified
+    it, and giving a relevant date.
+ .
+    b) The work must carry prominent notices stating that it is
+    released under this License and any conditions added under section
+    7.  This requirement modifies the requirement in section 4 to
+    "keep intact all notices".
+ .
+    c) You must license the entire work, as a whole, under this
+    License to anyone who comes into possession of a copy.  This
+    License will therefore apply, along with any applicable section 7
+    additional terms, to the whole of the work, and all its parts,
+    regardless of how they are packaged.  This License gives no
+    permission to license the work in any other way, but it does not
+    invalidate such permission if you have separately received it.
+ .
+    d) If the work has interactive user interfaces, each must display
+    Appropriate Legal Notices; however, if the Program has interactive
+    interfaces that do not display Appropriate Legal Notices, your
+    work need not make them do so.
+ .
+ A compilation of a covered work with other separate and independent
+ works, which are not by their nature extensions of the covered work,
+ and which are not combined with it such as to form a larger program,
+ in or on a volume of a storage or distribution medium, is called an
+ "aggregate" if the compilation and its resulting copyright are not
+ used to limit the access or legal rights of the compilation's users
+ beyond what the individual works permit.  Inclusion of a covered work
+ in an aggregate does not cause this License to apply to the other
+ parts of the aggregate.
+ .
+  6. Conveying Non-Source Forms.
+ .
+ You may convey a covered work in object code form under the terms
+ of sections 4 and 5, provided that you also convey the
+ machine-readable Corresponding Source under the terms of this License,
+ in one of these ways:
+ .
+    a) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by the
+    Corresponding Source fixed on a durable physical medium
+    customarily used for software interchange.
+ .
+    b) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by a
+    written offer, valid for at least three years and valid for as
+    long as you offer spare parts or customer support for that product
+    model, to give anyone who possesses the object code either (1) a
+    copy of the Corresponding Source for all the software in the
+    product that is covered by this License, on a durable physical
+    medium customarily used for software interchange, for a price no
+    more than your reasonable cost of physically performing this
+    conveying of source, or (2) access to copy the
+    Corresponding Source from a network server at no charge.
+ .
+    c) Convey individual copies of the object code with a copy of the
+    written offer to provide the Corresponding Source.  This
+    alternative is allowed only occasionally and noncommercially, and
+    only if you received the object code with such an offer, in accord
+    with subsection 6b.
+ .
+    d) Convey the object code by offering access from a designated
+    place (gratis or for a charge), and offer equivalent access to the
+    Corresponding Source in the same way through the same place at no
+    further charge.  You need not require recipients to copy the
+    Corresponding Source along with the object code.  If the place to
+    copy the object code is a network server, the Corresponding Source
+    may be on a different server (operated by you or a third party)
+    that supports equivalent copying facilities, provided you maintain
+    clear directions next to the object code saying where to find the
+    Corresponding Source.  Regardless of what server hosts the
+    Corresponding Source, you remain obligated to ensure that it is
+    available for as long as needed to satisfy these requirements.
+ .
+    e) Convey the object code using peer-to-peer transmission, provided
+    you inform other peers where the object code and Corresponding
+    Source of the work are being offered to the general public at no
+    charge under subsection 6d.
+ .
+ A separable portion of the object code, whose source code is excluded
+ from the Corresponding Source as a System Library, need not be
+ included in conveying the object code work.
+ .
+ A "User Product" is either (1) a "consumer product", which means any
+ tangible personal property which is normally used for personal, family,
+ or household purposes, or (2) anything designed or sold for incorporation
+ into a dwelling.  In determining whether a product is a consumer product,
+ doubtful cases shall be resolved in favor of coverage.  For a particular
+  product received by a particular user, "normally used" refers to a
+ typical or common use of that class of product, regardless of the status
+ of the particular user or of the way in which the particular user
+ actually uses, or expects or is expected to use, the product.  A product
+ is a consumer product regardless of whether the product has substantial
+ commercial, industrial or non-consumer uses, unless such uses represent
+ the only significant mode of use of the product.
+ .
+ "Installation Information" for a User Product means any methods,
+ procedures, authorization keys, or other information required to install
+ and execute modified versions of a covered work in that User Product from
+ a modified version of its Corresponding Source.  The information must
+ suffice to ensure that the continued functioning of the modified object
+ code is in no case prevented or interfered with solely because
+ modification has been made.
+ .
+ If you convey an object code work under this section in, or with, or
+ specifically for use in, a User Product, and the conveying occurs as
+ part of a transaction in which the right of possession and use of the
+ User Product is transferred to the recipient in perpetuity or for a
+ fixed term (regardless of how the transaction is characterized), the
+ Corresponding Source conveyed under this section must be accompanied
+ by the Installation Information.  But this requirement does not apply
+ if neither you nor any third party retains the ability to install
+ modified object code on the User Product (for example, the work has
+ been installed in ROM).
+ .
+ The requirement to provide Installation Information does not include a
+ requirement to continue to provide support service, warranty, or updates
+ for a work that has been modified or installed by the recipient, or for
+ the User Product in which it has been modified or installed.  Access to a
+ network may be denied when the modification itself materially and
+ adversely affects the operation of the network or violates the rules and
+ protocols for communication across the network.
+ .
+ Corresponding Source conveyed, and Installation Information provided,
+ in accord with this section must be in a format that is publicly
+ documented (and with an implementation available to the public in
+ source code form), and must require no special password or key for
+ unpacking, reading or copying.
+ .
+  7. Additional Terms.
+ .
+ "Additional permissions" are terms that supplement the terms of this
+ License by making exceptions from one or more of its conditions.
+ Additional permissions that are applicable to the entire Program shall
+ be treated as though they were included in this License, to the extent
+ that they are valid under applicable law.  If additional permissions
+ apply only to part of the Program, that part may be used separately
+ under those permissions, but the entire Program remains governed by
+ this License without regard to the additional permissions.
+ .
+ When you convey a copy of a covered work, you may at your option
+ remove any additional permissions from that copy, or from any part of
+ it.  (Additional permissions may be written to require their own
+ removal in certain cases when you modify the work.)  You may place
+ additional permissions on material, added by you to a covered work,
+ for which you have or can give appropriate copyright permission.
+ .
+ Notwithstanding any other provision of this License, for material you
+ add to a covered work, you may (if authorized by the copyright holders of
+ that material) supplement the terms of this License with terms:
+ .
+    a) Disclaiming warranty or limiting liability differently from the
+    terms of sections 15 and 16 of this License; or
+ .
+    b) Requiring preservation of specified reasonable legal notices or
+    author attributions in that material or in the Appropriate Legal
+    Notices displayed by works containing it; or
+ .
+    c) Prohibiting misrepresentation of the origin of that material, or
+    requiring that modified versions of such material be marked in
+    reasonable ways as different from the original version; or
+ .
+    d) Limiting the use for publicity purposes of names of licensors or
+    authors of the material; or
+ .
+    e) Declining to grant rights under trademark law for use of some
+    trade names, trademarks, or service marks; or
+ .
+    f) Requiring indemnification of licensors and authors of that
+    material by anyone who conveys the material (or modified versions of
+    it) with contractual assumptions of liability to the recipient, for
+    any liability that these contractual assumptions directly impose on
+    those licensors and authors.
+ .
+ All other non-permissive additional terms are considered "further
+ restrictions" within the meaning of section 10.  If the Program as you
+ received it, or any part of it, contains a notice stating that it is
+ governed by this License along with a term that is a further
+ restriction, you may remove that term.  If a license document contains
+ a further restriction but permits relicensing or conveying under this
+ License, you may add to a covered work material governed by the terms
+ of that license document, provided that the further restriction does
+ not survive such relicensing or conveying.
+ .
+ If you add terms to a covered work in accord with this section, you
+ must place, in the relevant source files, a statement of the
+ additional terms that apply to those files, or a notice indicating
+ where to find the applicable terms.
+ .
+ Additional terms, permissive or non-permissive, may be stated in the
+ form of a separately written license, or stated as exceptions;
+ the above requirements apply either way.
+ .
+  8. Termination.
+ .
+ You may not propagate or modify a covered work except as expressly
+ provided under this License.  Any attempt otherwise to propagate or
+ modify it is void, and will automatically terminate your rights under
+ this License (including any patent licenses granted under the third
+ paragraph of section 11).
+ .
+ However, if you cease all violation of this License, then your
+ license from a particular copyright holder is reinstated (a)
+ provisionally, unless and until the copyright holder explicitly and
+ finally terminates your license, and (b) permanently, if the copyright
+ holder fails to notify you of the violation by some reasonable means
+ prior to 60 days after the cessation.
+ .
+ Moreover, your license from a particular copyright holder is
+ reinstated permanently if the copyright holder notifies you of the
+ violation by some reasonable means, this is the first time you have
+ received notice of violation of this License (for any work) from that
+ copyright holder, and you cure the violation prior to 30 days after
+ your receipt of the notice.
+ .
+ Termination of your rights under this section does not terminate the
+ licenses of parties who have received copies or rights from you under
+ this License.  If your rights have been terminated and not permanently
+ reinstated, you do not qualify to receive new licenses for the same
+ material under section 10.
+ .
+  9. Acceptance Not Required for Having Copies.
+ .
+ You are not required to accept this License in order to receive or
+ run a copy of the Program.  Ancillary propagation of a covered work
+ occurring solely as a consequence of using peer-to-peer transmission
+ to receive a copy likewise does not require acceptance.  However,
+ nothing other than this License grants you permission to propagate or
+ modify any covered work.  These actions infringe copyright if you do
+ not accept this License.  Therefore, by modifying or propagating a
+ covered work, you indicate your acceptance of this License to do so.
+ .
+  10. Automatic Licensing of Downstream Recipients.
+ .
+ Each time you convey a covered work, the recipient automatically
+ receives a license from the original licensors, to run, modify and
+ propagate that work, subject to this License.  You are not responsible
+ for enforcing compliance by third parties with this License.
+ .
+ An "entity transaction" is a transaction transferring control of an
+ organization, or substantially all assets of one, or subdividing an
+ organization, or merging organizations.  If propagation of a covered
+ work results from an entity transaction, each party to that
+ transaction who receives a copy of the work also receives whatever
+ licenses to the work the party's predecessor in interest had or could
+ give under the previous paragraph, plus a right to possession of the
+ Corresponding Source of the work from the predecessor in interest, if
+ the predecessor has it or can get it with reasonable efforts.
+ .
+  You may not impose any further restrictions on the exercise of the
+ rights granted or affirmed under this License.  For example, you may
+ not impose a license fee, royalty, or other charge for exercise of
+ rights granted under this License, and you may not initiate litigation
+ (including a cross-claim or counterclaim in a lawsuit) alleging that
+ any patent claim is infringed by making, using, selling, offering for
+ sale, or importing the Program or any portion of it.
+ .
+  11. Patents.
+ .
+ A "contributor" is a copyright holder who authorizes use under this
+ License of the Program or a work on which the Program is based.  The
+ work thus licensed is called the contributor's "contributor version".
+ .
+ A contributor's "essential patent claims" are all patent claims
+ owned or controlled by the contributor, whether already acquired or
+ hereafter acquired, that would be infringed by some manner, permitted
+ by this License, of making, using, or selling its contributor version,
+ but do not include claims that would be infringed only as a
+ consequence of further modification of the contributor version.  For
+ purposes of this definition, "control" includes the right to grant
+ patent sublicenses in a manner consistent with the requirements of
+ this License.
+ .
+ Each contributor grants you a non-exclusive, worldwide, royalty-free
+ patent license under the contributor's essential patent claims, to
+ make, use, sell, offer for sale, import and otherwise run, modify and
+ propagate the contents of its contributor version.
+ .
+ In the following three paragraphs, a "patent license" is any express
+ agreement or commitment, however denominated, not to enforce a patent
+ (such as an express permission to practice a patent or covenant not to
+ sue for patent infringement).  To "grant" such a patent license to a
+ party means to make such an agreement or commitment not to enforce a
+ patent against the party.
+ .
+ If you convey a covered work, knowingly relying on a patent license,
+ and the Corresponding Source of the work is not available for anyone
+ to copy, free of charge and under the terms of this License, through a
+ publicly available network server or other readily accessible means,
+ then you must either (1) cause the Corresponding Source to be so
+ available, or (2) arrange to deprive yourself of the benefit of the
+ patent license for this particular work, or (3) arrange, in a manner
+ consistent with the requirements of this License, to extend the patent
+ license to downstream recipients.  "Knowingly relying" means you have
+ actual knowledge that, but for the patent license, your conveying the
+ covered work in a country, or your recipient's use of the covered work
+ in a country, would infringe one or more identifiable patents in that
+ country that you have reason to believe are valid.
+ .
+ If, pursuant to or in connection with a single transaction or
+ arrangement, you convey, or propagate by procuring conveyance of, a
+ covered work, and grant a patent license to some of the parties
+ receiving the covered work authorizing them to use, propagate, modify
+ or convey a specific copy of the covered work, then the patent license
+ you grant is automatically extended to all recipients of the covered
+ work and works based on it.
+ .
+ A patent license is "discriminatory" if it does not include within
+ the scope of its coverage, prohibits the exercise of, or is
+ conditioned on the non-exercise of one or more of the rights that are
+ specifically granted under this License.  You may not convey a covered
+ work if you are a party to an arrangement with a third party that is
+ in the business of distributing software, under which you make payment
+ to the third party based on the extent of your activity of conveying
+ the work, and under which the third party grants, to any of the
+ parties who would receive the covered work from you, a discriminatory
+ patent license (a) in connection with copies of the covered work
+ conveyed by you (or copies made from those copies), or (b) primarily
+ for and in connection with specific products or compilations that
+ contain the covered work, unless you entered into that arrangement,
+ or that patent license was granted, prior to 28 March 2007.
+ .
+ Nothing in this License shall be construed as excluding or limiting
+ any implied license or other defenses to infringement that may
+ otherwise be available to you under applicable patent law.
+ .
+  12. No Surrender of Others' Freedom.
+ .
+ If conditions are imposed on you (whether by court order, agreement or
+ otherwise) that contradict the conditions of this License, they do not
+ excuse you from the conditions of this License.  If you cannot convey a
+ covered work so as to satisfy simultaneously your obligations under this
+ License and any other pertinent obligations, then as a consequence you may
+ not convey it at all.  For example, if you agree to terms that obligate you
+ to collect a royalty for further conveying from those to whom you convey
+ the Program, the only way you could satisfy both those terms and this
+ License would be to refrain entirely from conveying the Program.
+ .
+  13. Remote Network Interaction; Use with the GNU General Public License.
+ .
+ Notwithstanding any other provision of this License, if you modify the
+ Program, your modified version must prominently offer all users
+ interacting with it remotely through a computer network (if your version
+ supports such interaction) an opportunity to receive the Corresponding
+ Source of your version by providing access to the Corresponding Source
+ from a network server at no charge, through some standard or customary
+ means of facilitating copying of software.  This Corresponding Source
+ shall include the Corresponding Source for any work covered by version 3
+ of the GNU General Public License that is incorporated pursuant to the
+ following paragraph.
+ .
+ Notwithstanding any other provision of this License, you have
+ permission to link or combine any covered work with a work licensed
+ under version 3 of the GNU General Public License into a single
+ combined work, and to convey the resulting work.  The terms of this
+ License will continue to apply to the part which is the covered work,
+ but the work with which it is combined will remain governed by version
+ 3 of the GNU General Public License.
+ .
+ 14. Revised Versions of this License.
+ .
+ The Free Software Foundation may publish revised and/or new versions of
+ the GNU Affero General Public License from time to time.  Such new versions
+ will be similar in spirit to the present version, but may differ in detail to
+ address new problems or concerns.
+ .
+ Each version is given a distinguishing version number.  If the
+ Program specifies that a certain numbered version of the GNU Affero General
+ Public License "or any later version" applies to it, you have the
+ option of following the terms and conditions either of that numbered
+ version or of any later version published by the Free Software
+ Foundation.  If the Program does not specify a version number of the
+ GNU Affero General Public License, you may choose any version ever published
+ by the Free Software Foundation.
+ .
+ If the Program specifies that a proxy can decide which future
+ versions of the GNU Affero General Public License can be used, that proxy's
+ public statement of acceptance of a version permanently authorizes you
+ to choose that version for the Program.
+ .
+ Later license versions may give you additional or different
+ permissions.  However, no additional obligations are imposed on any
+ author or copyright holder as a result of your choosing to follow a
+ later version.
+ .
+  15. Disclaimer of Warranty.
+ .
+ THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+ APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+ HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+ OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+ THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+ IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
  ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
  .
- 2. Replacement of Section 16.  Section 16 of the GPL shall be deleted in its
- entirety and replaced with the following:
+  16. Limitation of Liability.
  .
- 16. LIMITATION OF LIABILITY.
+ IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+ WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+ THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+ GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+ USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+ DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+ PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+ EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+ SUCH DAMAGES.
  .
- UNDER NO CIRCUMSTANCES SHALL ANY COPYRIGHT HOLDER OR ITS AFFILIATES, OR ANY
- OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE
- LIABLE TO YOU, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, FOR ANY
- DAMAGES OR OTHER LIABILITY, INCLUDING ANY GENERAL, DIRECT, INDIRECT, SPECIAL,
- INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES ARISING FROM, OUT OF OR IN
- CONNECTION WITH THE USE OR INABILITY TO USE THE PROGRAM OR OTHER DEALINGS WITH
- THE PROGRAM(INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED
- INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE
- PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), WHETHER OR NOT ANY COPYRIGHT HOLDER
- OR SUCH OTHER PARTY RECEIVES NOTICE OF ANY SUCH DAMAGES AND WHETHER OR NOT SUCH
- DAMAGES COULD HAVE BEEN FORESEEN.
+  17. Interpretation of Sections 15 and 16.
  .
- 3. LEGAL NOTICES; NO TRADEMARK LICENSE; ORIGIN.  You must reproduce faithfully
- all trademark, copyright and other proprietary and legal notices on any copies
- of the Program or any other required author attributions.  This license does not
- grant you rights to use any copyright holder or any other party's name, logo, or
- trademarks.  Neither the name of the copyright holder or its affiliates, or any
- other party who modifies and/or conveys the Program may be used to endorse or
- promote products derived from this software without specific prior written
- permission.  The origin of the Program must not be misrepresented; you must not
- claim that you wrote the original Program.  Altered source versions must be
- plainly marked as such, and must not be misrepresented as being the original
- Program.
+ If the disclaimer of warranty and limitation of liability provided
+ above cannot be given local legal effect according to their terms,
+ reviewing courts shall apply local law that most closely approximates
+ an absolute waiver of all civil liability in connection with the
+ Program, unless a warranty or assumption of liability accompanies a
+ copy of the Program in return for a fee.
  .
- 4. INDEMNIFICATION.  IF YOU CONVEY A COVERED WORK AND AGREE WITH ANY RECIPIENT
- OF THAT COVERED WORK THAT YOU WILL ASSUME ANY LIABILITY FOR THAT COVERED WORK,
- YOU HEREBY AGREE TO INDEMNIFY, DEFEND AND HOLD HARMLESS THE OTHER LICENSORS AND
- AUTHORS OF THAT COVERED WORK FOR ANY DAMAGES, DEMANDS, CLAIMS, LOSSES, CAUSES OF
- ACTION, LAWSUITS, JUDGMENTS EXPENSES (INCLUDING WITHOUT LIMITATION REASONABLE
- ATTORNEYS' FEES AND EXPENSES) OR ANY OTHER LIABILITY ARISING FROM, RELATED TO OR
- IN CONNECTION WITH YOUR ASSUMPTIONS OF LIABILITY.
+                     END OF TERMS AND CONDITIONS
+ .
+            How to Apply These Terms to Your New Programs
+ .
+ If you develop a new program, and you want it to be of the greatest
+ possible use to the public, the best way to achieve this is to make it
+ free software which everyone can redistribute and change under these terms.
+ .
+ To do so, attach the following notices to the program.  It is safest
+ to attach them to the start of each source file to most effectively
+ state the exclusion of warranty; and each file should have at least
+ the "copyright" line and a pointer to where the full notice is found.
+ .
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+ .
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU Affero General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+ .
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU Affero General Public License for more details.
+ .
+    You should have received a copy of the GNU Affero General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ .
+ Also add information on how to contact you by electronic and paper mail.
+ .
+ If your software can interact with users remotely through a computer
+ network, you should also make sure that it provides a way for users to
+ get its source.  For example, if your program is a web application, its
+ interface could display a "Source" link that leads users to an archive
+ of the code.  There are many ways you could offer source, and different
+ solutions will be better for different programs; see section 13 for the
+ specific requirements.
+ .
+ You should also get your employer (if you work as a programmer) or school,
+ if any, to sign a "copyright disclaimer" for the program, if necessary.
+ For more information on this, and how to apply and follow the GNU AGPL, see
+ <https://www.gnu.org/licenses/>.

debian/make-helper-overrides.bsh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
-## Copyright (C) 2021 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/24
-genmkfile_lintian_post_opts+=" --suppress-tags obsolete-command-in-modprobe.d-file"
+genmkfile_lintian_post_opts+=" --suppress-tags obsolete-command-in-modprobe.d-file --suppress-tags no-complete-debconf-translation"

debian/po/POTFILES.in

@@ -0,0 +1 @@
+[type: gettext/rfc822deb] security-misc-shared.templates

debian/po/templates.pot

@@ -0,0 +1,36 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the security-misc-shared package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: security-misc-shared\n"
+"Report-Msgid-Bugs-To: security-misc-shared@packages.debian.org\n"
+"POT-Creation-Date: 2025-01-14 09:31-0500\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=CHARSET\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: note
+#. Description
+#: ../security-misc-shared.templates:1001
+msgid "Manual intervention may be required for permission-hardener update"
+msgstr ""
+
+#. Type: note
+#. Description
+#: ../security-misc-shared.templates:1001
+msgid ""
+"No need to panic. Nothing is broken. A rare condition has been encountered. "
+"permission-hardener is being updated to fix a minor bug that caused "
+"corruption in the permission-hardener state file. If you installed your own "
+"custom permission-hardener configuration, some manual intervention may be "
+"required. See: https://www.kicksecure.com/wiki/"
+"SUID_Disabler_and_Permission_Hardener#fixing_state_files"
+msgstr ""

debian/rules

@@ -1,6 +1,6 @@
 #!/usr/bin/make -f
 
-## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 #export DH_VERBOSE=1

debian/security-misc-desktop.install

@@ -0,0 +1,12 @@
+#!/usr/bin/dh-exec
+
+## Copyright (C) 2020 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## This file was generated using 'genmkfile debinstfile'.
+
+etc/bluetooth/30_security-misc.conf#security-misc-desktop => /etc/bluetooth/30_security-misc.conf
+etc/sudoers.d/security-misc-desktop#security-misc-desktop => /etc/sudoers.d/security-misc-desktop
+usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf#security-misc-desktop => /usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf
+usr/lib/NetworkManager/conf.d/80_randomize-mac.conf#security-misc-desktop => /usr/lib/NetworkManager/conf.d/80_randomize-mac.conf
+usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf#security-misc-desktop => /usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf

debian/security-misc-server.install

@@ -0,0 +1,8 @@
+#!/usr/bin/dh-exec
+
+## Copyright (C) 2020 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## This file was generated using 'genmkfile debinstfile'.
+
+usr/libexec/security-misc/placeholder#security-misc-server => /usr/libexec/security-misc/placeholder

debian/security-misc-shared.config

@@ -0,0 +1,190 @@
+#!/bin/bash
+
+## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then
+   source /usr/libexec/helper-scripts/pre.bsh
+fi
+
+source /usr/share/debconf/confmodule
+
+set -e
+
+## Not set by DPKG for '.config' script.
+DPKG_MAINTSCRIPT_PACKAGE="security-misc-shared"
+DPKG_MAINTSCRIPT_NAME="config"
+
+true "
+#####################################################################
+## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $*
+#####################################################################
+"
+
+## NOTE: Code duplication.
+## Copied from: helper-scripts /usr/libexec/helper-scripts/package_installed_check.sh
+##
+## '.config' scripts are run very early. Even 'Pre-Depends: helper-scripts' would be insufficient.
+## Therefore the code is duplicated here.
+pkg_installed() {
+   local package_name dpkg_query_output
+   local requested_action status error_state
+
+   package_name="$1"
+   ## Cannot use '&>' because it is a bashism.
+   dpkg_query_output="$(dpkg-query --show --showformat='${Status}' "$package_name" 2>/dev/null)" || true
+   ## dpkg_query_output Examples:
+   ## install ok half-configured
+   ## install ok installed
+
+   requested_action=$(printf '%s' "$dpkg_query_output" | awk '{print $1}')
+   status=$(printf '%s' "$dpkg_query_output" | awk '{print $2}')
+   error_state=$(printf '%s' "$dpkg_query_output" | awk '{print $3}')
+
+   if [ "$requested_action" = 'install' ]; then
+      true "$0: INFO: $package_name is installed, ok."
+      return 0
+   fi
+
+   true "$0: INFO: $package_name is not installed, ok."
+   return 1
+}
+
+check_migrate_permission_hardener_state() {
+   local pkg_list modified_pkg_data_str custom_hardening_arr config_file
+
+   ## If folder /var/lib/permission-hardener (version 1) does not exist, this migration is unneeded.
+   if [ ! -d '/var/lib/permission-hardener' ]; then
+      return 0
+   fi
+
+   local orig_hardening_arr custom_hardening_arr config_file custom_config_file
+   if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_2" ]; then
+     return 0
+   fi
+   mkdir --parents '/var/lib/security-misc/do_once'
+
+   orig_hardening_arr=(
+      '/usr/lib/permission-hardener.d/25_default_passwd.conf'
+      '/usr/lib/permission-hardener.d/25_default_sudo.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf'
+      '/usr/lib/permission-hardener.d/20_user-sysmaint-split.conf'
+      '/usr/lib/permission-hardener.d/30_ping.conf'
+      '/usr/lib/permission-hardener.d/30_default.conf'
+      '/etc/permission-hardener.d/25_default_passwd.conf'
+      '/etc/permission-hardener.d/25_default_sudo.conf'
+      '/etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf'
+      '/etc/permission-hardener.d/25_default_whitelist_chromium.conf'
+      '/etc/permission-hardener.d/25_default_whitelist_dbus.conf'
+      '/etc/permission-hardener.d/25_default_whitelist_firejail.conf'
+      '/etc/permission-hardener.d/25_default_whitelist_fuse.conf'
+      '/etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf'
+      '/etc/permission-hardener.d/25_default_whitelist_mount.conf'
+      '/etc/permission-hardener.d/25_default_whitelist_pam.conf'
+      '/etc/permission-hardener.d/25_default_whitelist_passwd.conf'
+      '/etc/permission-hardener.d/25_default_whitelist_policykit.conf'
+      '/etc/permission-hardener.d/25_default_whitelist_postfix.conf'
+      '/etc/permission-hardener.d/25_default_whitelist_qubes.conf'
+      '/etc/permission-hardener.d/25_default_whitelist_selinux.conf'
+      '/etc/permission-hardener.d/25_default_whitelist_spice.conf'
+      '/etc/permission-hardener.d/25_default_whitelist_ssh.conf'
+      '/etc/permission-hardener.d/25_default_whitelist_sudo.conf'
+      '/etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf'
+      '/etc/permission-hardener.d/25_default_whitelist_virtualbox.conf'
+      '/etc/permission-hardener.d/20_user-sysmaint-split.conf'
+      '/etc/permission-hardener.d/30_ping.conf'
+      '/etc/permission-hardener.d/30_default.conf'
+   )
+
+   pkg_list=( "security-misc-shared" )
+   if pkg_installed user-sysmaint-split ; then
+      pkg_list+=( "user-sysmaint-split" )
+   fi
+   if pkg_installed anon-apps-config ; then
+      pkg_list+=( "anon-apps-config" )
+   fi
+
+   ## This will exit non-zero if some of the packages don't exist, but we
+   ## don't care. The packages that *are* installed will still be scanned.
+   modified_pkg_data_str="$(dpkg --verify "${pkg_list[@]}")" || true
+
+   ## Example modified_pkg_data_str:
+   #modified_pkg_data_str='missing     /usr/lib/permission-hardener.d/20_user-sysmaint-split.conf'
+
+   readarray -t custom_hardening_arr < <(awk '/permission-hardener.d/{ print $NF }' <<< "${modified_pkg_data_str}")
+
+   ## If the above `dpkg --verify` command doesn't return any permission-hardener
+   ## related lines, the array will contain no meaningful info, just a single
+   ## blank element at the start. Set the array to be explicitly empty in
+   ## this scenario.
+   if [ -z "${custom_hardening_arr[0]}" ]; then
+      custom_hardening_arr=()
+   fi
+
+   for config_file in \
+      /usr/lib/permission-hardener.d/*.conf \
+      /etc/permission-hardener.d/*.conf \
+      /usr/local/etc/permission-hardener.d/*.conf \
+      /etc/permission-hardening.d/*.conf \
+      /usr/local/etc/permission-hardening.d/*.conf
+   do
+      # shellcheck disable=SC2076
+      if ! [[ " ${orig_hardening_arr[*]} " =~ " ${config_file} " ]]; then
+         if [ -f "${config_file}" ]; then
+            custom_hardening_arr+=( "${config_file}" )
+         fi
+      fi
+   done
+
+   if [ "${#custom_hardening_arr[@]}" != '0' ]; then
+      for custom_config_file in "${custom_hardening_arr[@]}"; do
+         if ! test -e "${custom_config_file}" ; then
+            echo "$0: INFO: Possible missing configuration file found: '${custom_config_file}'"
+         else
+            echo "$0: INFO: Possible custom configuration file found: '${custom_config_file}'"
+         fi
+      done
+      ## db_input will return code 30 if the message won't be displayed, which
+      ## causes a non-interactive install to error out if you don't use || true
+      db_input critical security-misc-shared/alert-on-permission-hardener-v2-upgrade || true
+      ## db_go can return code 30 too in some instances, we don't care here
+      # shellcheck disable=SC2119
+      db_go || true
+   fi
+
+   touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_2"
+}
+
+check_migrate_permission_hardener_state
+
+true "INFO: debhelper beginning here."
+
+#DEBHELPER#
+
+true "INFO: Done with debhelper."
+
+true "
+#####################################################################
+## INFO: END  : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $*
+#####################################################################
+"
+
+## Explicitly "exit 0", so eventually trapped errors can be ignored.
+exit 0

debian/security-misc-shared.displace

@@ -0,0 +1,7 @@
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+/etc/securetty.security-misc
+/etc/security/faillock.conf.security-misc
+/etc/usbguard/usbguard-daemon.conf.security-misc
+/usr/share/polkit-1/actions/org.freedesktop.Flatpak.policy.security-misc

debian/security-misc-shared.gconf-defaults

@@ -0,0 +1,6 @@
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+/apps/nautilus/preview_sound never
+/apps/nautilus/show_icon_text never
+/apps/nautilus/show-image-thumbnails never

debian/security-misc-shared.hide

@@ -0,0 +1,6 @@
+## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Allows users in the 'sudo' group to install Flatpak software without
+## authorization. Breaks user/sysmaint separation, thus disabled.
+/usr/share/polkit-1/rules.d/org.freedesktop.Flatpak.rules

debian/security-misc-shared.install

@@ -0,0 +1,144 @@
+#!/usr/bin/dh-exec
+
+## Copyright (C) 2020 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## This file was generated using 'genmkfile debinstfile'.
+
+etc/apparmor.d/tunables/home.d/security-misc#security-misc-shared => /etc/apparmor.d/tunables/home.d/security-misc
+etc/apt/apt.conf.d/40error-on-any#security-misc-shared => /etc/apt/apt.conf.d/40error-on-any
+etc/apt/apt.conf.d/40sandbox#security-misc-shared => /etc/apt/apt.conf.d/40sandbox
+etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared => /etc/default/grub.d/40_cpu_mitigations.cfg
+etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared => /etc/default/grub.d/40_kernel_hardening.cfg
+etc/default/grub.d/40_remount_secure.cfg#security-misc-shared => /etc/default/grub.d/40_remount_secure.cfg
+etc/default/grub.d/40_signed_modules.cfg#security-misc-shared => /etc/default/grub.d/40_signed_modules.cfg
+etc/default/grub.d/41_quiet_boot.cfg#security-misc-shared => /etc/default/grub.d/41_quiet_boot.cfg
+etc/default/grub.d/41_recovery_restrict.cfg#security-misc-shared => /etc/default/grub.d/41_recovery_restrict.cfg
+etc/dracut.conf.d/30-security-misc.conf#security-misc-shared => /etc/dracut.conf.d/30-security-misc.conf
+etc/gitconfig#security-misc-shared => /etc/gitconfig
+etc/hide-hardware-info.d/30_default.conf#security-misc-shared => /etc/hide-hardware-info.d/30_default.conf
+etc/kernel/postinst.d/30_remove-system-map#security-misc-shared => /etc/kernel/postinst.d/30_remove-system-map
+etc/modprobe.d/30_security-misc_blacklist.conf#security-misc-shared => /etc/modprobe.d/30_security-misc_blacklist.conf
+etc/modprobe.d/30_security-misc_conntrack.conf#security-misc-shared => /etc/modprobe.d/30_security-misc_conntrack.conf
+etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared => /etc/modprobe.d/30_security-misc_disable.conf
+etc/profile.d/30_security-misc.sh#security-misc-shared => /etc/profile.d/30_security-misc.sh
+etc/securetty.security-misc#security-misc-shared => /etc/securetty.security-misc
+etc/security-misc/emerg-shutdown/30_security_misc.conf#security-misc-shared => /etc/security-misc/emerg-shutdown/30_security_misc.conf
+etc/security/access-security-misc.conf#security-misc-shared => /etc/security/access-security-misc.conf
+etc/security/faillock.conf.security-misc#security-misc-shared => /etc/security/faillock.conf.security-misc
+etc/security/limits.d/30_security-misc.conf#security-misc-shared => /etc/security/limits.d/30_security-misc.conf
+etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml#security-misc-shared => /etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml
+etc/skel/.gnupg/gpg.conf#security-misc-shared => /etc/skel/.gnupg/gpg.conf
+etc/ssh/ssh_config.d/30_security-misc.conf#security-misc-shared => /etc/ssh/ssh_config.d/30_security-misc.conf
+etc/ssh/sshd_config.d/30_security-misc.conf#security-misc-shared => /etc/ssh/sshd_config.d/30_security-misc.conf
+etc/sudoers.d/security-misc#security-misc-shared => /etc/sudoers.d/security-misc
+etc/systemd/system/emergency.service.d/override.conf#security-misc-shared => /etc/systemd/system/emergency.service.d/override.conf
+etc/systemd/system/rescue.service.d/override.conf#security-misc-shared => /etc/systemd/system/rescue.service.d/override.conf
+etc/usbguard/IPCAccessControl.d/:qubes#security-misc-shared => /etc/usbguard/IPCAccessControl.d/:qubes
+etc/usbguard/IPCAccessControl.d/:sudo#security-misc-shared => /etc/usbguard/IPCAccessControl.d/:sudo
+etc/usbguard/rules.d/30_security-misc.conf#security-misc-shared => /etc/usbguard/rules.d/30_security-misc.conf
+etc/usbguard/usbguard-daemon.conf.security-misc#security-misc-shared => /etc/usbguard/usbguard-daemon.conf.security-misc
+usr/bin/disabled-bluetooth-by-security-misc#security-misc-shared => /usr/bin/disabled-bluetooth-by-security-misc
+usr/bin/disabled-cdrom-by-security-misc#security-misc-shared => /usr/bin/disabled-cdrom-by-security-misc
+usr/bin/disabled-cpumsr-by-security-misc#security-misc-shared => /usr/bin/disabled-cpumsr-by-security-misc
+usr/bin/disabled-filesys-by-security-misc#security-misc-shared => /usr/bin/disabled-filesys-by-security-misc
+usr/bin/disabled-firewire-by-security-misc#security-misc-shared => /usr/bin/disabled-firewire-by-security-misc
+usr/bin/disabled-framebuffer-by-security-misc#security-misc-shared => /usr/bin/disabled-framebuffer-by-security-misc
+usr/bin/disabled-gps-by-security-misc#security-misc-shared => /usr/bin/disabled-gps-by-security-misc
+usr/bin/disabled-intelme-by-security-misc#security-misc-shared => /usr/bin/disabled-intelme-by-security-misc
+usr/bin/disabled-intelpmt-by-security-misc#security-misc-shared => /usr/bin/disabled-intelpmt-by-security-misc
+usr/bin/disabled-miscellaneous-by-security-misc#security-misc-shared => /usr/bin/disabled-miscellaneous-by-security-misc
+usr/bin/disabled-netfilesys-by-security-misc#security-misc-shared => /usr/bin/disabled-netfilesys-by-security-misc
+usr/bin/disabled-network-by-security-misc#security-misc-shared => /usr/bin/disabled-network-by-security-misc
+usr/bin/disabled-thunderbolt-by-security-misc#security-misc-shared => /usr/bin/disabled-thunderbolt-by-security-misc
+usr/bin/permission-hardener#security-misc-shared => /usr/bin/permission-hardener
+usr/bin/remount-secure#security-misc-shared => /usr/bin/remount-secure
+usr/lib/dracut/modules.d-disabled/20remount-secure/module-setup.sh#security-misc-shared => /usr/lib/dracut/modules.d-disabled/20remount-secure/module-setup.sh
+usr/lib/dracut/modules.d-disabled/20remount-secure/remount-secure.sh#security-misc-shared => /usr/lib/dracut/modules.d-disabled/20remount-secure/remount-secure.sh
+usr/lib/dracut/modules.d/99emerg-shutdown/module-setup.sh#security-misc-shared => /usr/lib/dracut/modules.d/99emerg-shutdown/module-setup.sh
+usr/lib/issue.d/20_security-misc.issue#security-misc-shared => /usr/lib/issue.d/20_security-misc.issue
+usr/lib/modules-load.d/30_security-misc.conf#security-misc-shared => /usr/lib/modules-load.d/30_security-misc.conf
+usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf
+usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf
+usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf
+usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf
+usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf
+usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf
+usr/lib/permission-hardener.d/25_default_whitelist_mount.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_mount.conf
+usr/lib/permission-hardener.d/25_default_whitelist_pam.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_pam.conf
+usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf
+usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf
+usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf
+usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf
+usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf
+usr/lib/permission-hardener.d/25_default_whitelist_spice.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_spice.conf
+usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf
+usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf
+usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf
+usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf
+usr/lib/permission-hardener.d/30_default.conf#security-misc-shared => /usr/lib/permission-hardener.d/30_default.conf
+usr/lib/sysctl.d/30_security-misc_kexec-disable.conf#security-misc-shared => /usr/lib/sysctl.d/30_security-misc_kexec-disable.conf
+usr/lib/sysctl.d/30_security-misc_ptrace-disable.conf#security-misc-shared => /usr/lib/sysctl.d/30_security-misc_ptrace-disable.conf
+usr/lib/sysctl.d/30_silent-kernel-printk.conf#security-misc-shared => /usr/lib/sysctl.d/30_silent-kernel-printk.conf
+usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared => /usr/lib/sysctl.d/990-security-misc.conf
+usr/lib/systemd/coredump.conf.d/30_security-misc.conf#security-misc-shared => /usr/lib/systemd/coredump.conf.d/30_security-misc.conf
+usr/lib/systemd/pstore.conf.d/30_security-misc.conf#security-misc-shared => /usr/lib/systemd/pstore.conf.d/30_security-misc.conf
+usr/lib/systemd/system-preset/50-security-misc.preset#security-misc-shared => /usr/lib/systemd/system-preset/50-security-misc.preset
+usr/lib/systemd/system/block-shutdown.service#security-misc-shared => /usr/lib/systemd/system/block-shutdown.service
+usr/lib/systemd/system/emerg-shutdown.service#security-misc-shared => /usr/lib/systemd/system/emerg-shutdown.service
+usr/lib/systemd/system/ensure-shutdown-trigger.service#security-misc-shared => /usr/lib/systemd/system/ensure-shutdown-trigger.service
+usr/lib/systemd/system/ensure-shutdown.service#security-misc-shared => /usr/lib/systemd/system/ensure-shutdown.service
+usr/lib/systemd/system/harden-module-loading.service#security-misc-shared => /usr/lib/systemd/system/harden-module-loading.service
+usr/lib/systemd/system/haveged.service.d/30_security-misc.conf#security-misc-shared => /usr/lib/systemd/system/haveged.service.d/30_security-misc.conf
+usr/lib/systemd/system/hide-hardware-info.service#security-misc-shared => /usr/lib/systemd/system/hide-hardware-info.service
+usr/lib/systemd/system/kill-vboxdrmclient-on-shutdown.service#security-misc-shared => /usr/lib/systemd/system/kill-vboxdrmclient-on-shutdown.service
+usr/lib/systemd/system/panic-on-oops.service#security-misc-shared => /usr/lib/systemd/system/panic-on-oops.service
+usr/lib/systemd/system/permission-hardener.service#security-misc-shared => /usr/lib/systemd/system/permission-hardener.service
+usr/lib/systemd/system/proc-hidepid.service#security-misc-shared => /usr/lib/systemd/system/proc-hidepid.service
+usr/lib/systemd/system/remount-secure.service#security-misc-shared => /usr/lib/systemd/system/remount-secure.service
+usr/lib/systemd/system/remove-system-map.service#security-misc-shared => /usr/lib/systemd/system/remove-system-map.service
+usr/lib/systemd/system/sysinit-post.target#security-misc-shared => /usr/lib/systemd/system/sysinit-post.target
+usr/lib/systemd/system/usbguard.service.d/30_security-misc.conf#security-misc-shared => /usr/lib/systemd/system/usbguard.service.d/30_security-misc.conf
+usr/lib/systemd/system/user@.service.d/sysfs.conf#security-misc-shared => /usr/lib/systemd/system/user@.service.d/sysfs.conf
+usr/lib/systemd/user/usbguard-notifier.service.d/30_security-misc.conf#security-misc-shared => /usr/lib/systemd/user/usbguard-notifier.service.d/30_security-misc.conf
+usr/lib/udev/rules.d/95-emerg-shutdown.rules#security-misc-shared => /usr/lib/udev/rules.d/95-emerg-shutdown.rules
+usr/libexec/security-misc/askpass#security-misc-shared => /usr/libexec/security-misc/askpass
+usr/libexec/security-misc/block-unsafe-logins#security-misc-shared => /usr/libexec/security-misc/block-unsafe-logins
+usr/libexec/security-misc/check-for-usb-controller#security-misc-shared => /usr/libexec/security-misc/check-for-usb-controller
+usr/libexec/security-misc/disable-kernel-module-loading#security-misc-shared => /usr/libexec/security-misc/disable-kernel-module-loading
+usr/libexec/security-misc/echo-path#security-misc-shared => /usr/libexec/security-misc/echo-path
+usr/libexec/security-misc/emerg-shutdown#security-misc-shared => /usr/libexec/security-misc/emerg-shutdown
+usr/libexec/security-misc/ensure-shutdown#security-misc-shared => /usr/libexec/security-misc/ensure-shutdown
+usr/libexec/security-misc/hide-hardware-info#security-misc-shared => /usr/libexec/security-misc/hide-hardware-info
+usr/libexec/security-misc/kill-vboxdrmclient-on-shutdown#security-misc-shared => /usr/libexec/security-misc/kill-vboxdrmclient-on-shutdown
+usr/libexec/security-misc/mmap-rnd-bits#security-misc-shared => /usr/libexec/security-misc/mmap-rnd-bits
+usr/libexec/security-misc/pam-abort-on-locked-password#security-misc-shared => /usr/libexec/security-misc/pam-abort-on-locked-password
+usr/libexec/security-misc/pam-info#security-misc-shared => /usr/libexec/security-misc/pam-info
+usr/libexec/security-misc/pam_faillock_not_if_x#security-misc-shared => /usr/libexec/security-misc/pam_faillock_not_if_x
+usr/libexec/security-misc/pam_only_if_login#security-misc-shared => /usr/libexec/security-misc/pam_only_if_login
+usr/libexec/security-misc/pam_only_if_su#security-misc-shared => /usr/libexec/security-misc/pam_only_if_su
+usr/libexec/security-misc/panic-on-oops#security-misc-shared => /usr/libexec/security-misc/panic-on-oops
+usr/libexec/security-misc/permission-lockdown#security-misc-shared => /usr/libexec/security-misc/permission-lockdown
+usr/libexec/security-misc/remove-system.map#security-misc-shared => /usr/libexec/security-misc/remove-system.map
+usr/libexec/security-misc/virusforget#security-misc-shared => /usr/libexec/security-misc/virusforget
+usr/share/doc/security-misc/fstab-vm#security-misc-shared => /usr/share/doc/security-misc/fstab-vm
+usr/share/glib-2.0/schemas/30_security-misc.gschema.override#security-misc-shared => /usr/share/glib-2.0/schemas/30_security-misc.gschema.override
+usr/share/lintian/overrides/security-misc-shared#security-misc-shared => /usr/share/lintian/overrides/security-misc-shared
+usr/share/pam-configs/block-unsafe-logins-security-misc#security-misc-shared => /usr/share/pam-configs/block-unsafe-logins-security-misc
+usr/share/pam-configs/console-lockdown-security-misc#security-misc-shared => /usr/share/pam-configs/console-lockdown-security-misc
+usr/share/pam-configs/faillock-preauth-security-misc#security-misc-shared => /usr/share/pam-configs/faillock-preauth-security-misc
+usr/share/pam-configs/mkhomedir-security-misc#security-misc-shared => /usr/share/pam-configs/mkhomedir-security-misc
+usr/share/pam-configs/pam-abort-on-locked-password-security-misc#security-misc-shared => /usr/share/pam-configs/pam-abort-on-locked-password-security-misc
+usr/share/pam-configs/umask-security-misc#security-misc-shared => /usr/share/pam-configs/umask-security-misc
+usr/share/pam-configs/unix-faillock-security-misc#security-misc-shared => /usr/share/pam-configs/unix-faillock-security-misc
+usr/share/pam-configs/wheel-security-misc#security-misc-shared => /usr/share/pam-configs/wheel-security-misc
+usr/share/polkit-1/actions/org.freedesktop.Flatpak.policy.security-misc#security-misc-shared => /usr/share/polkit-1/actions/org.freedesktop.Flatpak.policy.security-misc
+usr/share/security-misc/dolphinrc#security-misc-shared => /usr/share/security-misc/dolphinrc
+usr/share/security-misc/emerg-shutdown-initramfs.service#security-misc-shared => /usr/share/security-misc/emerg-shutdown-initramfs.service
+usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf#security-misc-shared => /usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf
+usr/share/security-misc/lkrg/lkrg-virtualbox#security-misc-shared => /usr/share/security-misc/lkrg/lkrg-virtualbox
+usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded#security-misc-shared => /usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded
+usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded#security-misc-shared => /usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded
+usr/share/security-misc/security-misc-memlockd.cfg#security-misc-shared => /usr/share/security-misc/security-misc-memlockd.cfg
+usr/src/security-misc/emerg-shutdown.c#security-misc-shared => /usr/src/security-misc/emerg-shutdown.c
+var/cache/security-misc/state-files/placeholder#security-misc-shared => /var/cache/security-misc/state-files/placeholder

debian/security-misc-shared.links

@@ -0,0 +1,5 @@
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+/etc/profile.d/30_security-misc.sh /etc/zprofile.d/30_security-misc.zsh
+/etc/profile.d/30_security-misc.sh /etc/X11/Xsession.d/30_security-misc

debian/security-misc-shared.maintscript

@@ -0,0 +1,111 @@
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+rm_conffile /etc/sudoers.d/umask-security-misc
+
+## https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079
+rm_conffile /etc/sysctl.d/sysrq.conf
+
+## https://github.com/Kicksecure/security-misc/pull/45
+rm_conffile /etc/apparmor.d/usr.lib.security-misc.pam_tally2-info
+rm_conffile /etc/apparmor.d/usr.lib.security-misc.permission-lockdown
+
+## merged into 3 files /usr/lib/sysctl.d/30_security-misc_kexec-disable.conf, /usr/lib/sysctl.d/30_silent-kernel-printk.conf, and /usr/lib/sysctl.d/990-security-misc.conf
+rm_conffile /etc/sysctl.d/fs_protected.conf
+rm_conffile /etc/sysctl.d/kptr_restrict.conf
+rm_conffile /etc/sysctl.d/suid_dumpable.conf
+rm_conffile /etc/sysctl.d/harden_bpf.conf
+rm_conffile /etc/sysctl.d/ptrace_scope.conf
+rm_conffile /etc/sysctl.d/tcp_timestamps.conf
+rm_conffile /etc/sysctl.d/mmap_aslr.conf
+rm_conffile /etc/sysctl.d/dmesg_restrict.conf
+rm_conffile /etc/sysctl.d/coredumps.conf
+rm_conffile /etc/sysctl.d/kexec.conf
+rm_conffile /etc/sysctl.d/tcp_hardening.conf
+rm_conffile /etc/sysctl.d/tcp_sack.conf
+
+## merged into 3 files /etc/modprobe.d/30_security-misc_blacklist.conf, 30_security-misc_conntrack.conf, and /etc/modprobe.d/30_security-misc_disable.conf
+rm_conffile /etc/modprobe.d/uncommon-network-protocols.conf
+rm_conffile /etc/modprobe.d/blacklist-bluetooth.conf
+rm_conffile /etc/modprobe.d/vivid.conf
+rm_conffile /etc/modprobe.d/blacklist-dma.conf
+rm_conffile /etc/modprobe.d/msr.conf
+rm_conffile /etc/modprobe.d/30_nf_conntrack_helper_disable.conf
+rm_conffile /etc/modprobe.d/30_security-misc.conf
+
+## renamed to /etc/security/limits.d/30_security-misc.conf
+rm_conffile /etc/security/limits.d/disable-coredumps.conf
+
+## moved to separate package ram-wipe
+rm_conffile /etc/default/grub.d/40_cold_boot_attack_defense.cfg
+
+rm_conffile /etc/X11/Xsession.d/50panic_on_oops
+rm_conffile /etc/X11/Xsession.d/50security-misc
+
+## moved to /usr/lib/sysctl.d
+rm_conffile /etc/sysctl.d/30_security-misc.conf
+rm_conffile /etc/sysctl.d/30_silent-kernel-printk.conf
+rm_conffile /etc/sysctl.d/30_security-misc_kexec-disable.conf
+
+## moved to /etc/permission-hardener.d
+rm_conffile /etc/permission-hardening.d/25_default_passwd.conf
+rm_conffile /etc/permission-hardening.d/25_default_sudo.conf
+rm_conffile /etc/permission-hardening.d/25_default_whitelist_bubblewrap.conf
+rm_conffile /etc/permission-hardening.d/25_default_whitelist_chromium.conf
+rm_conffile /etc/permission-hardening.d/25_default_whitelist_dbus.conf
+rm_conffile /etc/permission-hardening.d/25_default_whitelist_firejail.conf
+rm_conffile /etc/permission-hardening.d/25_default_whitelist_fuse.conf
+rm_conffile /etc/permission-hardening.d/25_default_whitelist_hardened_malloc.conf
+rm_conffile /etc/permission-hardening.d/25_default_whitelist_mount.conf
+rm_conffile /etc/permission-hardening.d/25_default_whitelist_pam.conf
+rm_conffile /etc/permission-hardening.d/25_default_whitelist_policykit.conf
+rm_conffile /etc/permission-hardening.d/25_default_whitelist_qubes.conf
+rm_conffile /etc/permission-hardening.d/25_default_whitelist_selinux.conf
+rm_conffile /etc/permission-hardening.d/25_default_whitelist_spice.conf
+rm_conffile /etc/permission-hardening.d/25_default_whitelist_ssh.conf
+rm_conffile /etc/permission-hardening.d/25_default_whitelist_sudo.conf
+rm_conffile /etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf
+rm_conffile /etc/permission-hardening.d/25_default_whitelist_virtualbox.conf
+rm_conffile /etc/permission-hardening.d/30_default.conf
+
+## moved to /usr/lib/permission-hardener.d
+rm_conffile /etc/permission-hardener.d/25_default_passwd.conf
+rm_conffile /etc/permission-hardener.d/25_default_sudo.conf
+rm_conffile /etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf
+rm_conffile /etc/permission-hardener.d/25_default_whitelist_chromium.conf
+rm_conffile /etc/permission-hardener.d/25_default_whitelist_dbus.conf
+rm_conffile /etc/permission-hardener.d/25_default_whitelist_firejail.conf
+rm_conffile /etc/permission-hardener.d/25_default_whitelist_fuse.conf
+rm_conffile /etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf
+rm_conffile /etc/permission-hardener.d/25_default_whitelist_mount.conf
+rm_conffile /etc/permission-hardener.d/25_default_whitelist_pam.conf
+rm_conffile /etc/permission-hardener.d/25_default_whitelist_policykit.conf
+rm_conffile /etc/permission-hardener.d/25_default_whitelist_postfix.conf
+rm_conffile /etc/permission-hardener.d/25_default_whitelist_qubes.conf
+rm_conffile /etc/permission-hardener.d/25_default_whitelist_selinux.conf
+rm_conffile /etc/permission-hardener.d/25_default_whitelist_spice.conf
+rm_conffile /etc/permission-hardener.d/25_default_whitelist_ssh.conf
+rm_conffile /etc/permission-hardener.d/25_default_whitelist_sudo.conf
+rm_conffile /etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf
+rm_conffile /etc/permission-hardener.d/25_default_whitelist_virtualbox.conf
+rm_conffile /etc/permission-hardener.d/30_default.conf
+
+## merged into 1 file /etc/default/grub.d/40_kernel_hardening.cfg
+rm_conffile /etc/default/grub.d/40_distrust_bootloader.cfg
+rm_conffile /etc/default/grub.d/40_distrust_cpu.cfg
+rm_conffile /etc/default/grub.d/40_enable_iommu.cfg
+
+## renamed to /etc/default/grub.d/40_remount_secure.cfg
+rm_conffile /etc/default/grub.d/40_remmount-secure.cfg
+
+## renamed to /etc/default/grub.d/40_signed_modules.cfg
+rm_conffile /etc/default/grub.d/40_only_allow_signed_modules.cfg
+
+## renamed to /etc/default/grub.d/41_quiet_boot.cfg
+rm_conffile /etc/default/grub.d/41_quiet.cfg
+
+## moved to usability-misc
+rm_conffile /etc/dkms/framework.conf.d/30_security-misc.conf
+
+## renamed to reflect the fact that this uses a whitelist
+rm_conffile /usr/lib/permission-hardener.d/25_default_passwd.conf

debian/security-misc-shared.postinst

@@ -0,0 +1,212 @@
+#!/bin/bash
+
+## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then
+   source /usr/libexec/helper-scripts/pre.bsh
+fi
+
+## Required since this package uses debconf - this is mandatory even though
+## the postinst itself does not use debconf commands.
+source /usr/share/debconf/confmodule
+
+set -e
+
+true "
+#####################################################################
+## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $*
+#####################################################################
+"
+
+permission_hardening_legacy_config_folder() {
+    if ! test -d /etc/permission-hardening.d ; then
+        return 0
+    fi
+    rmdir --verbose --ignore-fail-on-non-empty /etc/permission-hardening.d || true
+}
+
+permission_hardening() {
+    echo "Running SUID Disabler and Permission Hardener... See also:"
+    echo "https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener"
+    echo "$0: INFO: running: permission-hardener enable"
+    if ! permission-hardener enable ; then
+        echo "$0: ERROR: Permission hardening failed." >&2
+        return 0
+    fi
+    echo "$0: INFO: Permission hardening success."
+}
+
+fix_pkexec_remembered_permissions() {
+   if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then
+      return 0
+   fi
+   mkdir --parents '/var/lib/security-misc/do_once'
+
+   if ! [ -f "/var/lib/permission-hardener-v2/existing_mode/statoverride" ]; then
+      ## 'statoverride' file does not exist yet. Therefore no need to fix it using 'str_replace'.
+      touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1"
+      return 0
+   fi
+
+   ## The existing_mode database may incorrectly list the original permissions
+   ## of pkexec as '755'. They should be '4755'. Fix this with str_replace. If
+   ## this issue is not present, str_replace will do nothing.
+   str_replace 'root root 755 /usr/bin/pkexec' \
+      'root root 4755 /usr/bin/pkexec' \
+      /var/lib/permission-hardener-v2/existing_mode/statoverride
+
+   touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1"
+}
+
+install_permission_hardener_base_state() {
+   local state_str
+
+   if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then
+      return 0
+   fi
+   mkdir --parents '/var/lib/security-misc/do_once'
+
+   if [ -f "/var/lib/permission-hardener-v2/existing_mode/statoverride" ]; then
+      ## 'statoverride' file already exists. Therefore no need to pre-populate it.
+      touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1"
+      return 0
+   fi
+
+   mkdir --parents -- '/var/lib/permission-hardener-v2/existing_mode'
+   state_str="root root 644 /etc/passwd-
+root root 755 /etc/cron.monthly
+root root 755 /etc/sudoers.d
+root shadow 2755 /usr/bin/expiry
+root root 4755 /usr/bin/umount
+root root 4755 /usr/bin/gpasswd
+root root 755 /usr/lib/modules
+root root 644 /etc/issue.net
+root root 644 /etc/group-
+root root 4755 /usr/bin/newgrp
+root root 755 /etc/cron.weekly
+root root 4755 /usr/lib/polkit-1/polkit-agent-helper-1
+root root 644 /etc/hosts.deny
+root root 4755 /usr/bin/newgidmap
+root root 644 /etc/issue.kicksecure
+root root 4755 /usr/bin/pkexec
+root root 4755 /usr/bin/su
+root root 644 /etc/hosts.allow
+root root 700 /root
+root root 755 /etc/cron.daily
+root root 644 /etc/motd
+root root 4755 /usr/bin/newuidmap
+root root 755 /boot
+root root 755 /home
+root shadow 2755 /usr/bin/chage
+root root 4755 /usr/lib/openssh/ssh-keysign
+root root 4755 /usr/bin/ntfs-3g
+root root 4755 /usr/bin/chsh
+root root 644 /etc/motd.kicksecure
+root root 755 /usr/bin/su-to-root
+root root 4755 /usr/bin/passwd
+root root 4755 /usr/bin/chfn
+root root 644 /etc/group
+root root 4755 /usr/bin/sudo
+root root 644 /etc/passwd
+root root 755 /usr/src
+root root 4755 /usr/bin/mount
+root root 644 /etc/issue
+root root 755 /etc/cron.d"
+
+   printf '%s\n' "$state_str" | tee /var/lib/permission-hardener-v2/existing_mode/statoverride
+
+   touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1"
+}
+
+case "$1" in
+    configure)
+        if [ -d /etc/skel/.gnupg ]; then
+            ## Lintian warns against use of chmod --recursive.
+            chmod 700 /etc/skel/.gnupg
+        fi
+
+        ## /usr/share/glib-2.0/schemas/30_security-misc.gschema.override
+        glib-compile-schemas /usr/share/glib-2.0/schemas || true
+
+        ## state dir for PAM 'faillock'
+        mkdir -p /var/lib/security-misc/faillock
+
+        ## Fix pkexec remembered permissions if necessary.
+        fix_pkexec_remembered_permissions
+
+        ## Pre-populate permission-hardener state on first postinst run.
+        ## Necessary because the first permission-hardener run may occur
+        ## before all permissions are set properly by package postinst
+        ## scripts. In particular, pkexec is not SUID-root until after its
+        ## postinst runs.
+        install_permission_hardener_base_state
+
+        ## Fix usbguard config permissions, this seemingly can't be done
+        ## during the unpack stage
+        usbguard_config_file_list=(
+          '/etc/usbguard/rules.d/30_security-misc.conf'
+          '/etc/usbguard/usbguard-daemon.conf.security-misc'
+          '/etc/usbguard/IPCAccessControl.d/:sudo'
+          '/etc/usbguard/IPCAccessControl.d/:qubes'
+        )
+        for usbguard_config_file in "${usbguard_config_file_list[@]}"; do
+          if test -f "${usbguard_config_file}"; then
+            chmod 0600 "${usbguard_config_file}"
+          fi
+        done
+    ;;
+
+    abort-upgrade|abort-remove|abort-deconfigure)
+    ;;
+
+    triggered)
+      echo "INFO: triggered $DPKG_MAINTSCRIPT_PACKAGE: '$DPKG_MAINTSCRIPT_PACKAGE' $DPKG_MAINTSCRIPT_PACKAGE DPKG_MAINTSCRIPT_NAME: '$DPKG_MAINTSCRIPT_NAME' $\*: '$*' 2: '$2'"
+      /usr/share/security-misc/lkrg/lkrg-virtualbox || true
+      /usr/libexec/security-misc/mmap-rnd-bits || true
+      permission_hardening
+      exit 0
+    ;;
+
+    *)
+        echo "$DPKG_MAINTSCRIPT_NAME called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+pam-auth-update --package
+
+/usr/libexec/security-misc/permission-lockdown
+
+permission_hardening
+
+## https://phabricator.whonix.org/T377
+## Debian has no update-grub trigger yet:
+## https://bugs.debian.org/481542
+if command -v update-grub >/dev/null 2>&1; then
+   update-grub || \
+      echo "$DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME ERROR: Running \
+'update-grub' failed with exit code $?. $DPKG_MAINTSCRIPT_PACKAGE is most \
+likely only the trigger, not the cause. Unless you know this is not an issue, \
+you should fix running 'update-grub', otherwise your system might no longer \
+boot." >&2
+fi
+
+/usr/libexec/security-misc/mmap-rnd-bits || true
+
+true "INFO: debhelper beginning here."
+
+#DEBHELPER#
+
+true "INFO: Done with debhelper."
+
+permission_hardening_legacy_config_folder
+
+true "
+#####################################################################
+## INFO: END  : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $*
+#####################################################################
+"
+
+## Explicitly "exit 0", so eventually trapped errors can be ignored.
+exit 0

debian/security-misc-shared.postrm

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then
@@ -18,6 +18,8 @@ true "
 ## https://forums.whonix.org/t/is-security-misc-suitable-for-hardening-bridges-and-relays/8299/11
 pam-auth-update --package --remove "$DPKG_MAINTSCRIPT_PACKAGE"
 
+rm -f /etc/sysctl.d/30_security-misc_aslr-mmap.conf
+
 true "INFO: debhelper beginning here."
 
 #DEBHELPER#

debian/security-misc-shared.preinst

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then
@@ -20,9 +20,20 @@ user_groups_modifications() {
    addgroup --system sysfs
    addgroup --system cpuinfo
 
+   ## /usr/lib/systemd/system/proc-hidepid.service
+   addgroup --system proc
+
+   ## Avoid 'debian/control' file 'Depends:' 'sudo'.
+   ##
+   ## Could use '/usr/libexec/helper-scripts/user_create.bsh' in preinst? Looks more complex. Avoided.
+   ## group 'sudo' is not a system group.
+   #addgroup --system sudo
+   ## Function 'is_group' is complex. Hence, use '2>/dev/null || true'.
+   addgroup sudo 2>/dev/null || true
+
    ## group 'sudo' membership required to use 'su'
    ## /usr/share/pam-configs/wheel-security-misc
-   addgroup root sudo
+   adduser root sudo
 
    ## Useful to create groups in preinst rather than postinst.
    ## Otherwise if a user saw an error message such as this:
@@ -44,15 +55,15 @@ user_groups_modifications() {
    ## an "empty" /etc/securetty.
    ## In case a system administrator edits /etc/securetty, there is no need to
    ## block for this to be still blocked by console lockdown. See also:
-   ## https://www.whonix.org/wiki/Root#Root_Login
-   addgroup root console
+   ## https://www.kicksecure.com/wiki/Root#Root_Login
+   adduser root console
 }
 
 output_skip_checks() {
-   echo "security-misc '$0' INFO: Allow installation of security-misc anyway." >&2
-   echo "security-misc '$0' INFO: (technical reason: $@)" >&2
-   echo "security-misc '$0' INFO: If this is a chroot this is probably OK." >&2
-   echo "security-misc '$0' INFO: Otherwise you might not be able to login." >&2
+   echo "security-misc-shared '$0' INFO: Allow installation of security-misc-shared anyway." >&2
+   echo "security-misc-shared '$0' INFO: (technical reason: $@)" >&2
+   echo "security-misc-shared '$0' INFO: If this is a chroot this is probably OK." >&2
+   echo "security-misc-shared '$0' INFO: Otherwise you might not be able to login." >&2
 }
 
 sudo_users_check () {
@@ -93,14 +104,15 @@ sudo_users_check () {
 
    ## Prevent users from locking themselves out.
    ## https://forums.whonix.org/t/is-security-misc-suitable-for-hardening-bridges-and-relays/8299/4
-   echo "$0: ERROR: No user is a member of group 'sudo'. Installation aborted." >&2
+   echo "$0: ERROR: No account is a member of group 'sudo'. Installation aborted." >&2
    echo "$0: ERROR: You probably want to run:" >&2
+   echo "$0: NOTE: Replace account 'user' with your actual Linux user account name." >&2
    echo "" >&2
    echo "sudo adduser user sudo" >&2
    echo "sudo adduser user console" >&2
    echo "" >&2
    echo "$0: ERROR: See also installation instructions:" >&2
-   echo "https://www.whonix.org/wiki/security-misc#install" >&2
+   echo "https://www.kicksecure.com/wiki/security-misc#install" >&2
 
    if [ "$SECURITY_MISC_INSTALL" = "force" ]; then
       output_skip_checks "Environment variable SECURITY_MISC_INSTALL is set to 'force'."
@@ -142,7 +154,7 @@ console_users_check() {
    for user_with_console in $console_users $console_unrestricted_users ; do
       if [ "$user_with_console" = "root" ]; then
          ## root login is also restricted.
-         ## Therefore user "root" being member of group "console" is
+         ## Therefore account "root" being member of group "console" is
          ## considered insufficient.
          continue
       fi
@@ -159,7 +171,7 @@ console_users_check() {
       return 0
    fi
 
-   echo "$0: ERROR: No user is a member of group 'console'. Installation aborted." >&2
+   echo "$0: ERROR: No account is a member of group 'console'. Installation aborted." >&2
    echo "$0: ERROR: You probably want to run:" >&2
    echo "" >&2
    echo "sudo adduser user console" >&2
@@ -209,11 +221,11 @@ legacy() {
    user_to_be_created=user
 
    if ! id "$user_to_be_created" &>/dev/null ; then
-      true "INFO: user '$user_to_be_created' does not exist. Skipping addgroup console and pam-auth-update."
+      true "INFO: Account '$user_to_be_created' does not exist. Skipping adding account '$user_to_be_created' to group 'console' and also skipping 'pam-auth-update --enable console-lockdown-security-misc'."
       return 0
    fi
 
-   addgroup "$user_to_be_created" console
+   adduser "$user_to_be_created" console
 
    pam-auth-update --enable console-lockdown-security-misc
 

debian/security-misc-shared.prerm

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then

debian/security-misc-shared.templates

@@ -0,0 +1,9 @@
+Template: security-misc-shared/alert-on-permission-hardener-v2-upgrade
+Type: note
+_Description: Manual intervention may be required for permission-hardener update
+ No need to panic. Nothing is broken. A rare condition has been encountered.
+ permission-hardener is being updated to fix a minor bug that caused
+ corruption in the permission-hardener state file. If you installed your own
+ custom permission-hardener configuration, some manual intervention may be
+ required. See:
+ https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#fixing_state_files

debian/security-misc-shared.triggers

@@ -0,0 +1,16 @@
+## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## use noawait
+## https://github.com/Kicksecure/security-misc/issues/196
+
+## Trigger permission hardener when new binaries are being installed.
+interest-noawait /usr
+interest-noawait /opt
+
+## Trigger permission hardener when new configuration files are being installed.
+interest-noawait /usr/lib/permission-hardener.d
+interest-noawait /etc/permission-hardener.d
+interest-noawait /usr/local/etc/permission-hardener.d
+interest-noawait /etc/permission-hardening.d
+interest-noawait /usr/local/etc/permission-hardening.d

debian/security-misc-shared.undisplace

@@ -0,0 +1,6 @@
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+/etc/login.defs.security-misc
+/usr/bin/pkexec.security-misc
+/etc/dkms/framework.conf.security-misc

debian/security-misc.displace

@@ -1,6 +0,0 @@
-## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-/etc/securetty.security-misc
-/etc/security/faillock.conf.security-misc
-/etc/dkms/framework.conf.security-misc

debian/security-misc.gconf-defaults

@@ -1,3 +0,0 @@
-/apps/nautilus/preview_sound never
-/apps/nautilus/show_icon_text never
-/apps/nautilus/show-image-thumbnails never

debian/security-misc.install

@@ -1,9 +0,0 @@
-## Copyright (C) 2020 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-## This file was generated using genmkfile 'make debinstfile'.
-
-etc/*
-lib/*
-usr/*
-var/*

debian/security-misc.maintscript

@@ -1,39 +0,0 @@
-## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-rm_conffile /etc/sudoers.d/umask-security-misc
-
-## https://forums.whonix.org/t/allow-loading-signed-kernel-modules-by-default-disallow-kernel-module-loading-by-default/7880/23
-rm_conffile /etc/default/grub.d/40_only_allow_signed_modules.cfg
-
-## https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079
-rm_conffile /etc/sysctl.d/sysrq.conf
-
-## https://github.com/Whonix/security-misc/pull/45
-rm_conffile /etc/apparmor.d/usr.lib.security-misc.pam_tally2-info
-rm_conffile /etc/apparmor.d/usr.lib.security-misc.permission-lockdown
-
-## merged into 1 file /etc/sysctl.d/30_security-misc.conf
-rm_conffile /etc/sysctl.d/fs_protected.conf
-rm_conffile /etc/sysctl.d/kptr_restrict.conf
-rm_conffile /etc/sysctl.d/suid_dumpable.conf
-rm_conffile /etc/sysctl.d/harden_bpf.conf
-rm_conffile /etc/sysctl.d/ptrace_scope.conf
-rm_conffile /etc/sysctl.d/tcp_timestamps.conf
-rm_conffile /etc/sysctl.d/mmap_aslr.conf
-rm_conffile /etc/sysctl.d/dmesg_restrict.conf
-rm_conffile /etc/sysctl.d/coredumps.conf
-rm_conffile /etc/sysctl.d/kexec.conf
-rm_conffile /etc/sysctl.d/tcp_hardening.conf
-rm_conffile /etc/sysctl.d/tcp_sack.conf
-
-## merged into 1 file /etc/modprobe.d/30_security-misc.conf
-rm_conffile /etc/modprobe.d/uncommon-network-protocols.conf
-rm_conffile /etc/modprobe.d/blacklist-bluetooth.conf
-rm_conffile /etc/modprobe.d/vivid.conf
-rm_conffile /etc/modprobe.d/blacklist-dma.conf
-rm_conffile /etc/modprobe.d/msr.conf
-rm_conffile /etc/modprobe.d/30_nf_conntrack_helper_disable.conf
-
-## renamed to /etc/security/limits.d/30_security-misc.conf
-rm_conffile /etc/security/limits.d/disable-coredumps.conf

debian/security-misc.postinst

@@ -1,73 +0,0 @@
-#!/bin/bash
-
-## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then
-   source /usr/libexec/helper-scripts/pre.bsh
-fi
-
-set -e
-
-true "
-#####################################################################
-## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@
-#####################################################################
-"
-
-case "$1" in
-    configure)
-        if [ -d /etc/skel/.gnupg ]; then
-            ## Lintian warns against use of chmod --recursive.
-            chmod 700 /etc/skel/.gnupg
-        fi
-
-        ## /usr/share/glib-2.0/schemas/30_security-misc.gschema.override
-        glib-compile-schemas /usr/share/glib-2.0/schemas || true
-    ;;
-
-    abort-upgrade|abort-remove|abort-deconfigure)
-    ;;
-
-    triggered)
-      echo "INFO: triggered $DPKG_MAINTSCRIPT_PACKAGE: '$DPKG_MAINTSCRIPT_PACKAGE' $DPKG_MAINTSCRIPT_PACKAGE DPKG_MAINTSCRIPT_NAME: '$DPKG_MAINTSCRIPT_NAME' $\@: '$@' 2: '$2'"
-      /usr/share/security-misc/lkrg/lkrg-virtualbox || true
-      exit 0
-    ;;
-
-    *)
-        echo "$DPKG_MAINTSCRIPT_NAME called with unknown argument \`$1'" >&2
-        exit 1
-    ;;
-esac
-
-pam-auth-update --package
-
-/usr/libexec/security-misc/permission-lockdown
-
-## https://phabricator.whonix.org/T377
-## Debian has no update-grub trigger yet:
-## https://bugs.debian.org/481542
-if command -v update-grub >/dev/null 2>&1; then
-   update-grub || \
-      echo "$DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME ERROR: Running \
-'update-grub' failed with exit code $?. $DPKG_MAINTSCRIPT_PACKAGE is most \
-likely only the trigger, not the cause. Unless you know this is not an issue, \
-you should fix running 'update-grub', otherwise your system might no longer \
-boot." >&2
-fi
-
-true "INFO: debhelper beginning here."
-
-#DEBHELPER#
-
-true "INFO: Done with debhelper."
-
-true "
-#####################################################################
-## INFO: END  : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@
-#####################################################################
-"
-
-## Explicitly "exit 0", so eventually trapped errors can be ignored.
-exit 0

debian/security-misc.triggers

@@ -1,15 +0,0 @@
-## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-#### meta start
-#### project Whonix
-#### category security
-#### description
-
-## Activate initramfs hook that sets the sysctl values before init is executed.
-activate-noawait update-initramfs
-
-## LKRG /usr/share/security-misc/lkrg/lkrg-virtualbox
-interest-noawait /usr/bin/vboxmanage
-
-#### meta end

debian/security-misc.undisplace

@@ -1,5 +0,0 @@
-## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-/etc/login.defs.security-misc
-/usr/bin/pkexec.security-misc

debian/source/lintian-overrides

@@ -1,2 +1,2 @@
 ## https://phabricator.whonix.org/T277
-debian-watch-does-not-check-gpg-signature
+debian-watch-does-not-check-openpgp-signature

debian/watch

@@ -1,6 +1,6 @@
-## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 version=4
 opts=filenamemangle=s/.+\/v?(\d\S+)\.tar\.gz/security-misc-$1\.tar\.gz/ \
-  https://github.com/Whonix/security-misc/tags .*/v?(\d\S+)\.tar\.gz
+  https://github.com/Kicksecure/security-misc/tags .*/v?(\d\S+)\.tar\.gz

etc/X11/Xsession.d/50panic_on_oops

@@ -1,8 +0,0 @@
-#!/bin/sh
-
-## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-if [ -x /usr/libexec/security-misc/panic-on-oops ]; then
-   sudo --non-interactive /usr/libexec/security-misc/panic-on-oops
-fi

etc/X11/Xsession.d/50security-misc

@@ -1,9 +0,0 @@
-#!/bin/sh
-
-## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-if [ -z "$XDG_CONFIG_DIRS" ]; then
-   XDG_CONFIG_DIRS=/etc/xdg
-fi
-export XDG_CONFIG_DIRS=/usr/share/security-misc/:$XDG_CONFIG_DIRS

etc/apparmor.d/tunables/home.d/security-misc#security-misc-shared

@@ -1,7 +1,7 @@
-## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
-alias /etc/pam.d/common-session -> /etc/pam.d//etc/pam.d/common-session.security-misc,
+alias /etc/pam.d/common-session -> /etc/pam.d/common-session.security-misc,
 alias /etc/pam.d/common-session-noninteractive -> /etc/pam.d/common-session-noninteractive.security-misc,
 alias /etc/login.defs -> /etc/login.defs.security-misc,
 alias /etc/securetty -> /etc/securetty.security-misc,

etc/apt/apt.conf.d/40error-on-any#security-misc-shared

@@ -1,4 +1,4 @@
-## Copyright (C) 2021 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## Make "sudo apt-get update" exit non-zero for transient failures.

etc/apt/apt.conf.d/40sandbox#security-misc-shared

@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## https://forums.whonix.org/t/apt-seccomp-bpf-sandboxing/7702

etc/bluetooth/30_security-misc.conf#security-misc-desktop

@@ -0,0 +1,28 @@
+## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+[General]
+# How long to stay in pairable mode before going back to non-discoverable
+# The value is in seconds. Default is 0.
+# 0 = disable timer, i.e. stay pairable forever
+PairableTimeout = 30
+
+# How long to stay in discoverable mode before going back to non-discoverable
+# The value is in seconds. Default is 180, i.e. 3 minutes.
+# 0 = disable timer, i.e. stay discoverable forever
+DiscoverableTimeout = 30
+
+# Maximum number of controllers allowed to be exposed to the system.
+# Default=0 (unlimited)
+MaxControllers=1
+
+[Policy]
+# AutoEnable defines option to enable all controllers when they are found.
+# This includes adapters present on start as well as adapters that are plugged
+# in later on. Defaults to 'true'.
+AutoEnable=false
+
+# network/on: A device will only accept advertising packets from peer
+# devices that contain private addresses. It may not be compatible with some
+# legacy devices since it requires the use of RPA(s) all the time.
+Privacy=network/on

etc/default/grub.d/40_cpu_mitigations.cfg

@@ -1,42 +0,0 @@
-## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-## Enables all mitigations for CPU vulnerabilities.
-##
-## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647
-
-## Enable all mitigations for Spectre Variant 2.
-##
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on"
-
-## Disable Speculative Store Bypass.
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on"
-
-## Disable TSX, enable all mitigations for the TSX Async Abort
-## vulnerability and disable SMT.
-##
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off tsx_async_abort=full,nosmt"
-
-## Enable all mitigations for the MDS vulnerability and disable
-## SMT.
-##
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt"
-
-## Enable all mitigations for the L1TF vulnerability and disable SMT
-## and L1D flush runtime control.
-##
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force"
-
-## Force disable SMT as it has caused numerous CPU vulnerabilities.
-##
-## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force"
-
-## Mark all huge pages in the EPT as non-executable to mitigate iTLB multihit.
-##
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html#mitigation-control-on-the-kernel-command-line-and-kvm-module-parameter
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force"

etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared

@@ -0,0 +1,231 @@
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Definitions:
+## KSPP=yes: compliant with recommendations by the KSPP
+## KSPP=partial: partially compliant with recommendations by the KSPP
+## KSPP=no: not (currently) compliant with recommendations by the KSPP
+## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.
+
+## Enable known mitigations for CPU vulnerabilities.
+## Note, the mitigations for SSB and Retbleed are not currently mentioned in the first link.
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html
+## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
+## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647
+
+## Check for potential updates directly from AMD and Intel.
+## https://www.amd.com/en/resources/product-security.html
+## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/advisory-guidance.html
+## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/disclosure-documentation.html
+
+## Tabular comparison between the utility and functionality of various mitigations.
+## https://forums.whonix.org/t/kernel-hardening-security-misc/7296/587
+
+## For complete protection, users must install the latest relevant security microcode update.
+## BIOS/UEFI updates should only be obtained directly from OEMs and/or motherboard manufacturers.
+## Note that incorrectly performing system BIOS/UEFI updates can potentially lead to serious functionality issues.
+## The parameters below only provide (partial) protection at both the kernel and user space level.
+
+## If using Secure Boot, users must also ensure the Secure Boot Forbidden Signature Database (DBX) is up to date.
+## The UEFI Revocation List contains signatures of now revoked firmware and software used in booting systems.
+## If using compatible hardware, the database can be updated directly in user space using fwupd.
+## Note that incorrectly performing DBX updates can potentially lead to serious functionality issues.
+## https://github.com/microsoft/secureboot_objects
+## https://uefi.org/revocationlistfile
+## https://github.com/fwupd/fwupd
+
+## Enable a subset of known default mitigations for some CPU vulnerabilities and disable SMT.
+## Note that this redundant parameter simply applies each mitigation at the already applied default settings.
+## The default values are not always the strictest and so we reapply each below to their highest setting.
+## We retain it here for completeness as many other distributions heavily rely on this for many CPU mitigations.
+##
+## https://github.com/Kicksecure/security-misc/issues/199#issuecomment-3327391859
+## https://github.com/secureblue/secureblue/issues/1405
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/attack_vector_controls.html
+##
+## KSPP=yes
+## KSPP sets the kernel parameters.
+##
+## WARNING: Do not rely on this parameter, it is presented here only for educational purposes.
+## WARNING: Parameters are applied consecutively and so do not ever move this setting down.
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt"
+
+## Disable SMT as it has been the cause of and amplified numerous CPU exploits.
+## The only full mitigation of cross-HT attacks is to disable SMT.
+## Disabling will significantly decrease system performance on multi-threaded tasks.
+## Note, this setting will prevent re-enabling SMT via the sysfs interface.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html
+## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
+## https://github.com/anthraxx/linux-hardened/issues/37#issuecomment-619597365
+##
+## KSPP=yes
+## KSPP sets the kernel parameter.
+##
+## To re-enable SMT:
+## - Remove "nosmt=force".
+## - Remove all occurrences of ",nosmt" in this file (note the comma ",").
+## - Downgrade "l1tf=full,force" protection to "l1tf=flush".
+## - Regenerate the dracut initramfs and then reboot system.
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force"
+
+## Spectre Side Channels (BTI and BHI):
+## Unconditionally enable mitigation for Spectre Variant 2 (branch target injection).
+## Enable mitigation for the Intel branch history injection vulnerability.
+## Currently affects both AMD and Intel CPUs.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on"
+
+## Meltdown:
+## Mitigate Spectre Variant 3 using kernel page table isolation (PTI).
+## Force enable PTI of user and kernel address spaces on all cores.
+## Mitigations for X86_64 CPUs are done in /etc/default/grub.d/40_kernel_hardening.cfg using "pti=on".
+## Currently affects ARM64 CPUs.
+##
+## https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)
+## https://en.wikipedia.org/wiki/Kernel_page-table_isolation
+##
+## KSPP=yes
+## KSPP sets CONFIG_UNMAP_KERNEL_AT_EL0=y.
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kpti=1"
+
+## Speculative Store Bypass (SSB):
+## Mitigate Spectre Variant 4 by disabling speculative store bypass system-wide.
+## Unconditionally enable the mitigation for both kernel and userspace.
+## Currently affects AMD, ARM64, and Intel CPUs.
+##
+## https://en.wikipedia.org/wiki/Speculative_Store_Bypass
+## https://www.suse.com/support/kb/doc/?id=000019189
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ssbd=force-on"
+
+## L1 Terminal Fault (L1TF):
+## Mitigate the vulnerability by disabling L1D flush runtime control and SMT.
+## If L1D flushing is conditional, mitigate the vulnerability for certain KVM hypervisor configurations.
+## Currently affects Intel CPUs.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm-intel.vmentry_l1d_flush=always"
+
+## Microarchitectural Data Sampling (MDS):
+## Mitigate the vulnerability by clearing the CPU buffer cache and disabling SMT.
+## Currently affects Intel CPUs.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt"
+
+## TSX Asynchronous Abort (TAA):
+## Mitigate the vulnerability by disabling TSX.
+## If TSX is enabled, clear CPU buffer rings on transitions and disable SMT.
+## Currently affects Intel CPUs.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx_async_abort=full,nosmt"
+
+## iTLB Multihit:
+## Mitigate the vulnerability by marking all huge pages in the EPT as non-executable.
+## Currently affects Intel CPUs.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force"
+
+## Special Register Buffer Data Sampling (SRBDS):
+## Mitigation of the vulnerability is only possible via microcode update from Intel.
+## Currently affects Intel CPUs.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html
+## https://access.redhat.com/solutions/5142691
+
+## L1D Flushing:
+## Mitigate leaks from the L1D cache on context switches by enabling the prctl() interface.
+## Currently affects Intel CPUs.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1d_flush=on"
+
+## Processor MMIO Stale Data:
+## Mitigate the vulnerabilities by appropriately clearing the CPU buffer and disabling SMT.
+## Currently affects Intel CPUs.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt"
+
+## Arbitrary Speculative Code Execution with Return Instructions (Retbleed):
+## Mitigate the vulnerability through CPU-dependent implementation and disable SMT.
+## Currently affects both AMD Zen 1-2 and Intel CPUs.
+##
+## https://en.wikipedia.org/wiki/Retbleed
+## https://comsec.ethz.ch/research/microarch/retbleed/
+## https://www.suse.com/support/kb/doc/?id=000020693
+## https://access.redhat.com/solutions/retbleed
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt"
+
+## Cross-Thread Return Address Predictions:
+## Mitigate the vulnerability for certain KVM hypervisor configurations.
+## Currently affects AMD Zen 1-2 CPUs.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/cross-thread-rsb.html
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.mitigate_smt_rsb=1"
+
+## Speculative Return Stack Overflow (SRSO):
+## Mitigate the vulnerability by ensuring all RET instructions speculate to a controlled location.
+## Currently affects AMD Zen 1-4 CPUs.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html
+##
+## The default kernel setting will be utilized until provided sufficient evidence to modify.
+## Using "spec_rstack_overflow=ibpb" may provide superior protection to the default software-based approach.
+## The use of hardware barriers may be more effective while possibly incurring a greater performance loss.
+##
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_rstack_overflow=safe-ret"
+
+## Gather Data Sampling (GDS):
+## Mitigate the vulnerability either via microcode update or by disabling AVX.
+## Note, without a suitable microcode update, this will entirely disable use of the AVX instructions set.
+## Currently affects Intel CPUs.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/gather_data_sampling.html
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX gather_data_sampling=force"
+
+## Register File Data Sampling (RFDS):
+## Mitigate the vulnerability by appropriately clearing the CPU buffer.
+## Currently affects Intel Atom CPUs (which encompasses E-cores on hybrid architectures).
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/reg-file-data-sampling.html
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on"
+
+## Indirect Target Selection (ITS):
+## Mitigate the vulnerability by not allowing indirect branches in the lower half of the cacheline.
+## Currently affects Intel CPUs.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/indirect-target-selection.html
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX indirect_target_selection=force"
+
+## VMScape:
+## Mitigate the vulnerability by flushing branch predictors before returning to userspace when exiting guests.
+## Comprehensive protection may also require disabling SMT to limit cross-thread attacks.
+## Currently affects both AMD and Intel CPUs.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/vmscape.html
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vmscape=force"

etc/default/grub.d/40_distrust_cpu.cfg

@@ -1,11 +0,0 @@
-## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-## Distrusts the CPU for initial entropy at boot as it is not possible to
-## audit, may contain weaknesses or a backdoor.
-##
-## https://en.wikipedia.org/wiki/RDRAND#Reception
-## https://twitter.com/pid_eins/status/1149649806056280069
-## https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html
-## https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off"

etc/default/grub.d/40_enable_iommu.cfg

@@ -1,12 +0,0 @@
-## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-## Enables IOMMU to prevent DMA attacks.
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on amd_iommu=on"
-
-## Disable the busmaster bit on all PCI bridges during very
-## early boot to avoid holes in IOMMU.
-##
-## https://mjg59.dreamwidth.org/54433.html
-## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma"

etc/default/grub.d/40_kernel_hardening.cfg

@@ -1,73 +0,0 @@
-## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-kpkg="linux-image-$(dpkg --print-architecture)" || true
-kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || true
-#echo "## kver: $kver"
-
-## Disables the merging of slabs of similar sizes.
-## Sometimes a slab can be used in a vulnerable way which an attacker can exploit.
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge"
-
-if dpkg --compare-versions "$kver" ge "5.3"; then
-  ## Enables sanity checks (F) and redzoning (Z).
-  GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZ"
-
-  #echo "## $kver grater or equal 5.3: yes"
-  ## Zero memory at allocation and free time.
-  GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1 init_on_free=1"
-else
-  #echo "## $kver grater or equal 5.3: no"
-  ## SLUB poisoning and page poisoning is used if the kernel
-  ## does not yet support init_on_{,alloc,free}.
-  GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZP"
-
-  if command -v "qubesdb-read" >/dev/null 2>&1 ; then
-     ## https://github.com/QubesOS/qubes-issues/issues/5212#issuecomment-533873012
-     true "skip adding page_poison=1 in Qubes"
-  else
-     GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_poison=1"
-  fi
-fi
-
-## Makes the kernel panic on uncorrectable errors in ECC memory that an attacker could exploit.
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0"
-
-## Enables Kernel Page Table Isolation which mitigates Meltdown and improves KASLR.
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on"
-
-## Vsyscalls are obsolete, are at fixed addresses and are a target for ROP.
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none"
-
-## Enables page allocator freelist randomization.
-if dpkg --compare-versions "${kver}" ge "5.2"; then
-  GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1"
-fi
-
-## Enables kernel lockdown.
-##
-## Disabled for now as it enforces module signature verification which breaks
-## too many things.
-## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880
-##
-#if dpkg --compare-versions "${kver}" ge "5.4"; then
-#  GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX lockdown=confidentiality"
-#fi
-
-## Gather more entropy during boot.
-##
-## Requires linux-hardened kernel patch.
-## https://github.com/anthraxx/linux-hardened
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy"
-
-## Prevent kernel info leaks in console during boot.
-## https://phabricator.whonix.org/T950
-## LANG=C str_replace is provided by package helper-scripts.
-## Remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT because "quiet" must be first.
-GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | LANG=C str_replace "quiet" "")"
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet loglevel=0"
-
-## Restrict access to debugfs since it can contain a lot of sensitive information.
-## https://lkml.org/lkml/2020/7/16/122
-## https://github.com/torvalds/linux/blob/fb1201aececc59990b75ef59fca93ae4aa1e1444/Documentation/admin-guide/kernel-parameters.txt#L835-L848
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"

etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared

@@ -0,0 +1,440 @@
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+kpkg="linux-image-$(dpkg --print-architecture)" || true
+kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || true
+#echo "## kver: $kver"
+
+## Definitions:
+## KSPP=yes: compliant with recommendations by the KSPP
+## KSPP=partial: partially compliant with recommendations by the KSPP
+## KSPP=no: not (currently) compliant with recommendations by the KSPP
+## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.
+
+## This configuration file is split into 4 sections:
+## 1. Kernel Space
+## 2. Direct Memory Access
+## 3. Entropy
+## 4. Networking
+
+## See the documentation below for details on the majority of the selected commands:
+## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
+## https://wiki.archlinux.org/title/Kernel_parameters#GRUB
+
+## 1. Kernel Space:
+##
+## https://madaidans-insecurities.github.io/guides/linux-hardening.html#boot-parameters
+## https://kspp.github.io/Recommended_Settings#kernel-command-line-options
+
+## Disable merging of slabs with similar size.
+## Reduces the risk of triggering heap overflows.
+## Prevents overwriting objects from merged caches and limits influencing slab cache layout.
+##
+## https://www.openwall.com/lists/kernel-hardening/2017/06/19/33
+## https://www.openwall.com/lists/kernel-hardening/2017/06/20/10
+##
+## KSPP=yes
+## KSPP sets the kernel parameter and does not set CONFIG_SLAB_MERGE_DEFAULT.
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge"
+
+## Enable sanity checks and red zoning of slabs via debugging options to detect memory corruption.
+## Sanity checks force additional verification steps on every memory allocation and free operation.
+## Red zoning adds extra metadata to each object to detect writes beyond the object's boundaries.
+## As a by product of debugging, this will implicitly disabling kernel pointer hashing unless manually re-enabled.
+## Enabling this (for now) will therefore leak exact and all kernel memory addresses to root.
+## Introduces a noticeable performance overhead during all memory allocation and deallocation operations.
+##
+## https://www.kernel.org/doc/html/latest/mm/slub.html
+## https://www.kernel.org/doc/Documentation/vm/slub.txt
+## https://lore.kernel.org/all/20210601182202.3011020-5-swboyd@chromium.org/T/#u
+## https://blogs.oracle.com/linux/post/linux-slub-allocator-internals-and-debugging-2
+## https://gitlab.tails.boum.org/tails/tails/-/issues/19613
+## https://github.com/Kicksecure/security-misc/issues/253
+##
+## KSPP=partial
+## KSPP sets the kernel parameters and CONFIG_SLUB_DEBUG.
+##
+## TODO: Debian forky / 14
+## The first parameter is applicable when using Linux kernel >= 6.17 (retained here for future-proofing and completeness).
+##
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX hash_pointers=always"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_debug=FZ"
+
+## Zero memory at allocation time and free time.
+## Fills newly allocated pages, freed pages, and heap objects with zeros.
+## Mitigates use-after-free exploits by erasing sensitive information in memory.
+##
+## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6471384af2a6530696fc0203bafe4de41a23c9ef
+##
+## KSPP=yes
+## KSPP sets the kernel parameters, CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y, and CONFIG_INIT_ON_FREE_DEFAULT_ON=y.
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_free=1"
+
+## Enable the kernel page allocator to randomize free lists.
+## During early boot, the page allocator has predictable FIFO behavior for physical pages.
+## Limits some data exfiltration and ROP attacks that rely on inferring sensitive data location.
+## Also improves performance by optimizing memory-side cache utilization.
+##
+## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e900a918b0984ec8f2eb150b8477a47b75d17692
+## https://en.wikipedia.org/wiki/Return-oriented_programming#Attacks
+##
+## KSPP=yes
+## KSPP sets the kernel parameter and CONFIG_SHUFFLE_PAGE_ALLOCATOR=y.
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1"
+
+## Enable kernel page table isolation to harden against kernel ASLR (KASLR) bypasses.
+## Mitigates the Meltdown (Spectre Variant 3) CPU vulnerability.
+## Mitigations for ARM64 CPUs are done in /etc/default/grub.d/40_cpu_mitigations.cfg using "kpti=1".
+##
+## https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)
+## https://en.wikipedia.org/wiki/Kernel_page-table_isolation
+##
+## KSPP=yes
+## KSPP sets the kernel parameter and CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y.
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on"
+
+## Enable randomization of the kernel stack offset on syscall entries.
+## Hardens against memory corruption attacks due to increased entropy.
+## Limits attacks relying on deterministic stack addresses or cross-syscall address exposure.
+##
+## https://lkml.org/lkml/2019/3/18/246
+## https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html
+##
+## KSPP=yes
+## KSPP sets the kernel parameter and CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y.
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX randomize_kstack_offset=on"
+
+## Disable vsyscalls to reduce attack surface as they have been replaced by vDSO.
+## Vulnerable to ROP attacks as vsyscalls are located at fixed addresses in memory.
+##
+## https://lwn.net/Articles/446528/
+## https://en.wikipedia.org/wiki/VDSO
+##
+## KSPP=yes
+## KSPP sets the kernel parameter, CONFIG_LEGACY_VSYSCALL_NONE=y and does not set CONFIG_X86_VSYSCALL_EMULATION.
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none"
+
+## Restrict access to debugfs by not registering the file system.
+## Deactivated since the file system can contain sensitive information.
+##
+## https://lkml.org/lkml/2020/7/16/122
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
+
+## Force the kernel to immediately panic on "oopses" and kernel warnings in the WARN() path.
+## Panics may be due to false-positives such as bad drivers.
+## Both allowed limits are set to one so that panics occur on the single first instance of either scenario.
+## Oopses are serious but non-fatal errors.
+## Certain "oopses" can sometimes indicate and thwart potential kernel exploitation attempts.
+## Warnings are messages generated by the kernel to indicate unexpected conditions or errors.
+## By default, code execution continues regardless of warnings emitted by macros like WARN() and WARN_ON().
+## Note that by forcing kernel panics on oopses and warnings, this exposes the system to targeted denial of service attacks.
+##
+## https://en.wikipedia.org/wiki/Kernel_panic#Linux
+## https://en.wikipedia.org/wiki/Linux_kernel_oops
+## https://lwn.net/Articles/876209/
+## https://git.sr.ht/~gregkh/presentation-security/tree/3fdaf81a2f8b2c8d64cdb2f529cc714624868aa8/item/security-stuff.pdf
+## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
+##
+## KSPP=yes
+## KSPP sets CONFIG_PANIC_ON_OOPS=y.
+##
+## See /usr/libexec/security-misc/panic-on-oops for implementation.
+##
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX oops=panic"
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic_on_warn=1"
+
+## Force immediate system reboots on the occurrence of a single kernel panic.
+## Increases resilience and limits impact of denial of service attacks as system automatically restarts.
+## Ensures the system does not hang forever if a panic occurs, reducing susceptibility to both cold and warm boot attacks.
+## Immediate rebooting also prevents persistent information disclosure on panic details that were dumped to screen.
+##
+## KSPP=yes
+## KSPP sets CONFIG_PANIC_TIMEOUT=-1.
+##
+## See /usr/libexec/security-misc/panic-on-oops for implementation.
+##
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic=-1"
+
+## Force the kernel to immediately panic if it becomes tainted.
+## Using kernel documentation, one can select a subset of taints to create a security policy.
+## Requires summing the numbers for each taint state and then converting it to a hexadecimal bitmask.
+## Some example combinations are shown below.
+## S - Panic on using out of specification hardware: 4 = 0x4.
+## B - On the above and bad page faults or some unexpected page flags: 36 = 0x24.
+## A - On the above and ACPI tables are overridden by users: 292 = 0x124.
+## I - On the above and severe firmware bugs: 2340 = 0x924.
+## N - On the above and in-kernel tests have been run: 264484 = 0x40924.
+## J - On the above and userspace has used a mutating debug operation in fwctl: 788772 = 0xC0924.
+## G/P, O - On the above and the loading of proprietary or out-of-tree modules: 792869 = 0xC1925.
+## All must first be tested to ensure there are no pre-existing issues on user hardware.
+## After confirming stability this reduces attack surface.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/tainted-kernels.html
+## https://support.scc.suse.com/s/kb/Tainted-kernel-1583239310621?language=en_US
+## https://lore.kernel.org/all/20200515175502.146720-1-aquini@redhat.com/T/
+## https://github.com/Kicksecure/security-misc/pull/339
+##
+## Note that this must be used with panic=-1 for it to function as intended.
+##
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic_on_taint=0xC0924"
+
+## Prevent sensitive kernel information leaks in the console during boot.
+## Must be used in combination with the kernel.printk sysctl.
+## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation.
+##
+## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html
+## https://wiki.archlinux.org/title/silent_boot
+##
+## See /etc/default/grub.d/41_quiet_boot.cfg for implementation.
+##
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0"
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet"
+
+## Enable the kernel "Electric-Fence" sampling-based memory safety error detector.
+## KFENCE detects heap out-of-bounds access, use-after-free, and invalid-free errors.
+## Aims to have very low processing overhead at each sampling interval.
+## Sampling interval is set to occur every 100 milliseconds as per KSPP recommendation.
+##
+## https://www.kernel.org/doc/html/latest/dev-tools/kfence.html
+## https://google.github.io/kernel-sanitizers/KFENCE.html
+## https://blogs.oracle.com/linux/post/linux-slub-allocator-internals-and-debugging-4
+## https://lwn.net/Articles/835542/
+##
+## KSPP=yes
+## KSPP sets the kernel parameter, CONFIG_KFENCE=y, and CONFIG_KFENCE_SAMPLE_INTERVAL=100.
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100"
+
+## Disable 32-bit Virtual Dynamic Shared Object (vDSO) mappings.
+## Legacy compatibility feature for superseded glibc versions.
+##
+## https://lore.kernel.org/lkml/20080409082927.BD59E26F992@magilla.localdomain/T/
+## https://lists.openwall.net/linux-kernel/2014/03/11/3
+##
+## KSPP=yes
+## KSPP sets the kernel parameter and does not set CONFIG_COMPAT_VDSO.
+##
+## See /usr/lib/sysctl.d/990-security-misc.conf for another additional implementation.
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
+
+## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation.
+## The default implementation is FineIBT as of Linux kernel 6.2.
+## The Intel-developed IBT (Indirect Branch Tracking) is only used if supported by the CPU.
+## kCFI is software-only while FineIBT is a hybrid software/hardware implementation.
+## FineIBT may result in some performance benefits as it only performs hash checks at the destinations.
+## kCFI mandates hash validation at the source (which is randomized), making it more difficult to bypass.
+## FineIBT is considered weaker against attacks that can write arbitrary executables into memory.
+##
+## https://lwn.net/Articles/891976/
+## https://lore.kernel.org/lkml/202210010918.4918F847C4@keescook/T/#u
+## https://lore.kernel.org/lkml/202210182217.486CBA50@keescook/T/
+## https://lore.kernel.org/all/20221027092842.699804264@infradead.org/
+## https://lore.kernel.org/lkml/202407150933.E1871BE@keescook/
+## https://isopenbsdsecu.re/mitigations/forward_edge_cfi/
+## https://docs.kernel.org/next/x86/shstk.html
+## https://source.android.com/docs/security/test/kcfi
+## https://lpc.events/event/16/contributions/1315/attachments/1067/2169/cfi.pdf
+## https://forums.whonix.org/t/kernel-hardening-security-misc/7296/561
+##
+## KSPP=yes
+## KSPP sets the kernel parameter.
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi"
+
+## Disable support for all 32-bit x86 processes and syscalls.
+## Unconditionally disables IA32 emulation to substantially reduce attack surface.
+##
+## https://lore.kernel.org/all/20230623111409.3047467-7-nik.borisov@suse.com/
+##
+## KSPP=yes
+## KSPP does not set CONFIG_COMPAT, CONFIG_IA32_EMULATION, CONFIG_X86_X32, CONFIG_X86_X32_ABI, and CONFIG_MODIFY_LDT_SYSCALL.
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0"
+
+## Disable EFI persistent storage feature.
+## Disable Error Record Serialization Table (ERST) support as a form of defense-in-depth.
+## Prevents the kernel from writing crash logs and other persistent data to the storage backend.
+## Both the UEFI variable storage and ACPI ERST backends are deactivated.
+##
+## https://blogs.oracle.com/linux/post/pstore-linux-kernel-persistent-storage-file-system
+## https://www.ais.com/understanding-pstore-linux-kernel-persistent-storage-file-system/
+## https://lwn.net/Articles/434821/
+## https://manpages.debian.org/testing/systemd/systemd-pstore.service.8.en.html
+## https://gitlab.tails.boum.org/tails/tails/-/issues/20813
+## https://github.com/Kicksecure/security-misc/issues/299
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi_pstore.pstore_disable=1"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX erst_disable"
+
+## Enable AMD Secure Memory Encryption (SME) and Secure Encrypted Virtualization (SEV).
+## SME encrypts memory with a single key at the kernel level to protect against cold boot attacks.
+## SEV extends SME to VMs by encrypting the memory of each with a unique key for guest isolation.
+## SEV-ES (Encrypted State) extends SEV by encrypting each guests virtual CPU register state during VM exits.
+## SEV-SNP (Secure Nested Paging) extends SEV by activating hardware-level memory integrity.
+## This is hardware-based encryption managed by the proprietary and closed-source AMD Platform Security Processor (PSP).
+## Both require a compatible AMD CPU and support for SME to first be enabled in the BIOS/UEFI.
+## Likely unavailable in consumer-grade AMD CPUs where Transparent SME (TSME) can be enabled in the BIOS/UEFI to achieve SME.
+## Note the corresponding Intel Total Memory Encryption (TME) can also be enabled via the BIOS/UEFI.
+## May cause boot failure on certain hardware with incompatible DMA masks especially if IOMMU is disabled.
+##
+## https://www.kernel.org/doc/html/next/x86/amd-memory-encryption.html
+## https://www.kernel.org/doc/html/latest/virt/kvm/x86/amd-memory-encryption.html
+## https://docs.amd.com/v/u/en-US/memory-encryption-white-paper
+## https://docs.amd.com/v/u/en-US/SEV-SNP-strengthening-vm-isolation-with-integrity-protection-and-more
+## https://github.com/AMDESE/AMDSEV
+## https://en.wikichip.org/wiki/x86/sme
+## https://lore.kernel.org/all/YWRgN63FOrQGO8jS@zn.tnic/
+## https://lore.kernel.org/lkml/YWvy9bSRaC+m1sV+@zn.tnic/T/#m01bcb37040b6b0d119d385d9a34b9c7ac4ce5f84
+## https://mricher.fr/post/amd-memory-encryption/
+## https://www.kicksecure.com/wiki/Dev/confidential_computing#AMD
+## https://github.com/secureblue/secureblue/pull/1631#issuecomment-3655501478
+## https://forums.whonix.org/t/enable-secure-memory-encryption-sme-kernel-parameter-mem-encrypt-by-default/10393
+##
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mem_encrypt=on"
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm_amd.sev=1"
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm_amd.sev_es=1"
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm_amd.sev_snp=1"
+
+## Prevent processes from writing to block devices that are mounted by filesystems.
+## Enhances system stability and security by protecting against runaway privileged processes.
+## Allowing processes to write to the buffer cache can cause filesystem corruption and kernel crashes.
+## Does not prevent data modifications using direct SCSI commands or lower-level storage stack access.
+## May lead to breakages in certain limited scenarios.
+##
+## https://github.com/torvalds/linux/commit/ed5cc702d311c14b653323d76062b0294effa66e
+## https://lore.kernel.org/lkml/20240105-vfs-super-4092d802972c@brauner/
+## https://github.com/a13xp0p0v/kernel-hardening-checker/issues/186
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX bdev_allow_write_mounted=0"
+
+## Restrict processes from modifying their own memory mappings.
+## Prevents the use of /proc/PID/mem to write to protected pages via the kernel's
+## mem_rw() FOLL_FORCE flag. This makes it harder to trick applications into
+## overwriting their own memory.
+##
+## https://lore.kernel.org/lkml/20240712-vfs-procfs-ce7e6c7cf26b@brauner/
+## https://lwn.net/Articles/983169/
+## https://github.com/a13xp0p0v/kernel-hardening-checker/pull/201
+## https://github.com/Kicksecure/security-misc/issues/330
+##
+## Using "proc_mem.force_override=never" provides superior protection by never allowing overrides.
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX proc_mem.force_override=ptrace"
+
+## 2. Direct Memory Access:
+##
+## https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks
+
+## Enable CPU manufacturer-specific IOMMU drivers to mitigate some DMA attacks.
+##
+## KSPP=yes
+## KSPP sets CONFIG_INTEL_IOMMU=y, CONFIG_INTEL_IOMMU_DEFAULT_ON=y, CONFIG_INTEL_IOMMU_SVM=y, CONFIG_AMD_IOMMU=y, and CONFIG_AMD_IOMMU_V2=y.
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX amd_iommu=force_isolation"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on"
+
+## Enable and force use of IOMMU translation to protect against some DMA attacks.
+## Strictly force DMA unmap operations to synchronously invalidate IOMMU hardware TLBs.
+## Ensures devices will never be able to access stale data contents.
+##
+## https://en.wikipedia.org/wiki/Input%E2%80%93output_memory_management_unit
+## https://en.wikipedia.org/wiki/DMA_attack
+## https://lenovopress.lenovo.com/lp1467.pdf
+##
+## KSPP=yes
+## KSPP sets the kernel parameters, CONFIG_IOMMU_SUPPORT=y, CONFIG_IOMMU_DEFAULT_DMA_STRICT=y, and does not set CONFIG_IOMMU_DEFAULT_PASSTHROUGH.
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu=force"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.passthrough=0"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.strict=1"
+
+## Clear the busmaster bit on all PCI bridges during the EFI hand-off.
+## Terminates all existing DMA transactions prior to the kernel's IOMMU setup.
+## Forces third party PCI devices to then re-set their busmaster bit in order to perform DMA.
+## Assumes that the motherboard chipset and firmware are not malicious.
+## May cause complete boot failure on certain hardware with incompatible firmware.
+##
+## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94
+## https://mjg59.dreamwidth.org/54433.html
+##
+## KSPP=yes
+## KSPP sets CONFIG_EFI_DISABLE_PCI_DMA=y.
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma"
+
+## 3. Entropy:
+##
+## https://madaidans-insecurities.github.io/guides/linux-hardening.html#rdrand
+
+## Do not credit the CPU seeds as an entropy sources at boot.
+## The RDRAND and RDSEED CPU (RNG) instructions are proprietary and closed-source.
+## Numerous implementations of RDRAND and RDSEED have a long history of being defective.
+## Maximizing the entropy pool at boot is desirable for all cryptographic operations.
+## This ensures additional entropy is obtained from other sources to initialize the Linux CRNG.
+## Note that distrusting this (relatively fast) source of entropy will increase boot time.
+##
+## https://en.wikipedia.org/wiki/RDRAND
+## https://systemd.io/RANDOM_SEEDS/
+## https://www.kicksecure.com/wiki/Dev/Entropy#RDRAND
+## https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html
+## https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566
+## https://lkml.org/lkml/2022/6/5/271
+## https://lwn.net/Articles/961121/
+## https://lore.kernel.org/lkml/aPFDn-4Cm6n0_3_e@gourry-fedora-PF4VCD3F/
+## https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7055.html
+##
+## KSPP=yes
+## KSPP sets CONFIG_RANDOM_TRUST_CPU=y.
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off"
+
+## Do not credit the bootloader seeds as an entropy source at boot.
+## The RNG seed passed by the bootloader could potentially be tampered.
+## Maximizing the entropy pool at boot is desirable for all cryptographic operations.
+## This ensures additional entropy is obtained from other sources to initialize the Linux CRNG.
+## Note that distrusting this (relatively fast) source of entropy will increase boot time.
+##
+## https://systemd.io/RANDOM_SEEDS/
+## https://github.com/NixOS/nixpkgs/pull/165355
+## https://lkml.org/lkml/2022/6/5/271
+##
+## KSPP=yes
+## KSPP sets CONFIG_RANDOM_TRUST_BOOTLOADER=y.
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_bootloader=off"
+
+## Obtain more entropy during boot as the runtime memory allocator is being initialized.
+## Entropy will be extracted from up to the first 4GB of RAM as another source.
+## Note that entropy extracted this way is not cryptographically secure and so is not credited.
+## Maximizing the entropy pool at boot is desirable for all cryptographic operations.
+## This will increase boot time due to interrupting the boot process.
+## Requires the linux-hardened kernel patch.
+##
+## https://www.kicksecure.com/wiki/Hardened-kernel#linux-hardened
+## https://github.com/anthraxx/linux-hardened/commit/c3e7df1dba1eb8105d6d5143079a6a0ad9e9ebc7
+## https://github.com/anthraxx/linux-hardened/commit/a04458f97fe1f7e95888c77c0165b646375db9c4
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy"
+
+## 4. Networking
+##
+## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-boot-parameters
+
+## Disable the entire IPv6 stack functionality.
+## Removes attack surface associated with the IPv6 module.
+##
+## https://www.kernel.org/doc/html/latest/networking/ipv6.html
+## https://wiki.archlinux.org/title/IPv6#Disable_IPv6
+##
+## Enabling makes redundant many network hardening sysctl's in /usr/lib/sysctl.d/990-security-misc.conf.
+##
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ipv6.disable=1"

etc/default/grub.d/40_remount_secure.cfg#security-misc-shared

@@ -0,0 +1,31 @@
+## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Definitions:
+## KSPP=yes: compliant with recommendations by the KSPP
+## KSPP=partial: partially compliant with recommendations by the KSPP
+## KSPP=no: not (currently) compliant with recommendations by the KSPP
+## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.
+
+## Remount Secure provides enhanced security via mount options:
+## https://www.kicksecure.com/wiki/Security-misc#Remount_Secure
+
+## Option A (No Security):
+## Disable Remount Secure.
+##
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=0"
+
+## Option B (Low Security):
+## Re-mount with nodev and nosuid only.
+##
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=1"
+
+## Option C (Medium Security):
+## Re-mount with nodev, nosuid, and noexec for most mount points, excluding /home.
+##
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=2"
+
+## Option D (Highest Security):
+## Re-mount with nodev, nosuid, and noexec for all mount points including /home.
+##
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=3"

etc/default/grub.d/40_signed_modules.cfg#security-misc-shared

@@ -0,0 +1,37 @@
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Definitions:
+## KSPP=yes: compliant with recommendations by the KSPP
+## KSPP=partial: partially compliant with recommendations by the KSPP
+## KSPP=no: not (currently) compliant with recommendations by the KSPP
+## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.
+
+## Require every kernel module to be signed before being loaded.
+## Any module that is unsigned or signed with an invalid key cannot be loaded.
+## This prevents all out-of-tree kernel modules unless signed.
+## This makes it harder to load a malicious module.
+##
+## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/61
+## https://github.com/dell/dkms/issues/359
+##
+## KSPP=yes
+## KSPP sets CONFIG_MODULE_SIG=y, CONFIG_MODULE_SIG_FORCE=y, and CONFIG_MODULE_SIG_ALL=y.
+##
+## Not enabled by default yet due to several issues.
+##
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1"
+
+## Enable kernel lockdown to enforce security boundary between user and kernel space.
+## Confidentiality mode enforces module signature verification.
+##
+## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880
+##
+## KSPP=yes
+## KSPP sets CONFIG_SECURITY_LOCKDOWN_LSM=y, CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y, and CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y.
+##
+## Not enabled by default yet due to several issues.
+##
+#if dpkg --compare-versions "${kver}" ge "5.4"; then
+#  GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX lockdown=confidentiality"
+#fi

etc/default/grub.d/41_quiet_boot.cfg#security-misc-shared

@@ -0,0 +1,35 @@
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Definitions:
+## KSPP=yes: compliant with recommendations by the KSPP
+## KSPP=partial: partially compliant with recommendations by the KSPP
+## KSPP=no: not (currently) compliant with recommendations by the KSPP
+## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.
+
+## Some default configuration files automatically include the "quiet" parameter.
+## Therefore, first remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT since "quiet" must be first.
+## str_replace is provided by package helper-scripts.
+##
+## https://github.com/Kicksecure/security-misc/pull/233#issuecomment-2228792461
+##
+GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | str_replace "quiet" "")"
+
+## Prevent sensitive kernel information leaks in the console during boot.
+## Must be used in combination with the kernel.printk sysctl.
+## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation.
+##
+## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html
+## https://wiki.archlinux.org/title/silent_boot
+##
+## For easier debugging, these are not applied to the recovery boot option.
+## Switch the pair of commands to universally apply parameters to all boot options.
+##
+GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT loglevel=0"
+GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT quiet"
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0"
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet"
+
+## For Increased Log Verbosity:
+## Adjust (or comment out) the kernel.printk sysctl in /usr/lib/sysctl.d/30_silent-kernel-printk.conf.
+## Alternatively, installing the debug-misc package will undo these settings.

etc/default/grub.d/41_recovery_restrict.cfg#security-misc-shared

@@ -0,0 +1,24 @@
+## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Definitions:
+## KSPP=yes: compliant with recommendations by the KSPP
+## KSPP=partial: partially compliant with recommendations by the KSPP
+## KSPP=no: not (currently) compliant with recommendations by the KSPP
+## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.
+
+## Disable access to the GRUB single-user (recovery) mode menu entries.
+##
+## https://forums.kicksecure.com/t/remove-linux-recovery-mode-boot-option-from-default-grub-boot-menu/727
+##
+GRUB_DISABLE_RECOVERY="true"
+
+## Disable access to Dracut's recovery console.
+## Prevents the emergency shell from starting automatically during boot failures.
+##
+## https://insinuator.net/2025/07/insecure-boot-injecting-initramfs-from-a-debug-shell/
+## https://serverfault.com/questions/554853/how-can-i-secure-the-dracut-shell
+## https://forums.kicksecure.com/t/harden-dracut-initramfs-generator-by-disabling-recovery-console/724
+##
+GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT rd.emergency=halt"
+GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT rd.shell=0"

etc/dkms/framework.conf.security-misc

@@ -1,64 +0,0 @@
-## This configuration file modifies the behavior of
-## DKMS (Dynamic Kernel Module Support) and is sourced
-## in by DKMS every time it is run.
-
-## Source Tree Location (default: /usr/src)
-# source_tree="/usr/src"
-
-## DKMS Tree Location (default: /var/lib/dkms)
-# dkms_tree="/var/lib/dkms"
-
-## Install Tree Location (default: /lib/modules)
-# install_tree="/lib/modules"
-
-## tmp Location (default: /tmp)
-# tmp_location="/tmp"
-
-## verbosity setting (verbose will be active if you set it to a non-null value)
-# verbose=""
-
-## symlink kernel modules (will be active if you set it to a non-null value)
-## This creates symlinks from the install_tree into the dkms_tree instead of
-## copying the modules. This preserves some space on the costs of being less
-## safe.
-# symlink_modules=""
-
-## Automatic installation and upgrade for all installed kernels (if set to a
-## non-null value)
-# autoinstall_all_kernels=""
-
-## Script to sign modules during build, script is called with kernel version
-## and module name
-# sign_tool="/etc/dkms/sign_helper.sh"
-
-### BEGIN modifications by package security-misc ###
-
-## original:
-## https://github.com/dell/dkms/blob/master/dkms_framework.conf
-
-## DKMS feature request:
-## add /etc/dkms/framework.conf.d configuration file drop-in folder
-## https://github.com/dell/dkms/issues/116
-
-## Lower parallel compilation jobs to 1 if less than 2 GB RAM to avoid freezing
-## of virtual machines.
-##
-## This does not necessarily belong into security-misc, however likely
-## security-misc will need to modify /etc/dkms/framework.conf in the future to
-## enable kernel module signing. See below.
-##
-## https://forums.whonix.org/t/linux-kernel-runtime-guard-lkrg-linux-kernel-runtime-integrity-checking-and-exploit-detection/8477/26
-ENOUGH_RAM="1950"
-total_ram="$(free -m | sed  -n -e '/^Mem:/s/^[^0-9]*\([0-9]*\) .*/\1/p')"
-if [ "$total_ram" -ge "$ENOUGH_RAM" ]; then
-   true "INFO: Enough RAM available. Not lowering compilation cores."
-else
-   true "INFO: Not enough RAM available. Lowering compilation cores to 1."
-   parallel_jobs=1
-fi
-
-## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/58
-## https://github.com/dell/dkms/blob/master/sign_helper.sh
-#sign_tool="/etc/dkms/sign_helper.sh"
-
-### END modifications by package security-misc ###

etc/dracut.conf.d/30-security-misc.conf

@@ -1,4 +0,0 @@
-reproducible=yes
-
-## Debugging.
-show_modules=yes

etc/dracut.conf.d/30-security-misc.conf#security-misc-shared

@@ -0,0 +1,7 @@
+## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+reproducible=yes
+
+## Debugging.
+#show_modules=yes

etc/gitconfig#security-misc-shared

@@ -0,0 +1,38 @@
+## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Lines starting with a hash symbol ('#') are comments.
+## https://github.com/Kicksecure/security-misc/issues/225
+
+[core]
+## https://github.com/git/git/security/advisories/GHSA-8prw-h3cq-mghm
+	symlinks = false
+
+## https://forums.whonix.org/t/git-users-enable-fsck-by-default-for-better-security/2066
+[transfer]
+	fsckobjects = true
+[fetch]
+	fsckobjects = true
+[receive]
+	fsckobjects = true
+
+## Generally a good idea but too intrusive to enable by default.
+## Listed here as suggestions what users should put into their ~/.gitconfig
+## file.
+
+## Not enabled by default because it requires essential knowledge about OpenPG
+## and an already existing local signing key. Otherwise would prevent all new
+## commits.
+#[commit]
+#	gpgsign = true
+
+## Not enabled by default because it would break the 'git merge' command for
+## unsigned commits and require the '--no-verify-signature' command line
+## option.
+#[merge]
+#	verifySignatures = true
+
+## Not enabled by default because it would break for users who are not having
+## an account at the git server and having added a SSH public key.
+#[url "ssh://git@github.com/"]
+#	insteadOf = https://github.com/

etc/hide-hardware-info.d/30_default.conf#security-misc-shared

@@ -1,4 +1,4 @@
-## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## Disable the /sys whitelist.
@@ -7,6 +7,9 @@
 ## Disable the /proc/cpuinfo whitelist.
 #cpuinfo_whitelist=0
 
+## Disable /sys hardening.
+#sysfs=0
+
 ## Disable selinux mode.
-## https://www.whonix.org/wiki/Security-misc#selinux
+## https://www.kicksecure.com/wiki/Security-misc#selinux
 #selinux=0

etc/initramfs-tools/hooks/sysctl-initramfs

@@ -1,21 +0,0 @@
-#!/bin/sh
-
-## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-set -e
-
-PREREQ=""
-prereqs()
-{
-        echo "$PREREQ"
-}
-case $1 in
-prereqs)
-       prereqs
-       exit 0
-       ;;
-esac
-
-. /usr/share/initramfs-tools/hook-functions
-copy_exec /sbin/sysctl /sbin

etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs

@@ -1,26 +0,0 @@
-#!/bin/sh
-
-## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-PREREQ=""
-prereqs()
-{
-        echo "$PREREQ"
-}
-case $1 in
-prereqs)
-        prereqs
-        exit 0
-        ;;
-esac
-
-## Write to '/run/initramfs' folder.
-## https://forums.whonix.org/t/kernel-hardening/7296/435
-
-sysctl -p ${rootmnt}/etc/sysctl.conf >/dev/null 2> "/run/initramfs/sysctl-initramfs-error.log"
-sysctl -p ${rootmnt}/etc/sysctl.d/*.conf >/dev/null 2>> "/run/initramfs/sysctl-initramfs-error.log"
-
-grep -v "unprivileged_userfaultfd" "/run/initramfs/sysctl-initramfs-error.log"
-
-true

etc/kernel/postinst.d/30_remove-system-map#security-misc-shared

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 if test -x /usr/libexec/security-misc/remove-system.map ; then

etc/modprobe.d/30_security-misc.conf

@@ -1,60 +0,0 @@
-## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-## https://phabricator.whonix.org/T486
-options nf_conntrack nf_conntrack_helper=0
-
-# Blacklists bluetooth to reduce attack surface.
-# Bluetooth also has a history of security vulnerabilities:
-#
-# https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
-install bluetooth /bin/false
-install btusb /bin/false
-
-# Blacklist thunderbolt and firewire to prevent some DMA attacks.
-install firewire-core /bin/false
-install thunderbolt /bin/false
-
-# Blacklist CPU MSRs as they can be abused to write to
-# arbitrary memory.
-install msr /bin/false
-
-# Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties.
-#
-# Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these.
-#
-# > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users.
-#
-# > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record.
-#
-install dccp /bin/false
-install sctp /bin/false
-install rds /bin/false
-install tipc /bin/false
-install n-hdlc /bin/false
-install ax25 /bin/false
-install netrom /bin/false
-install x25 /bin/false
-install rose /bin/false
-install decnet /bin/false
-install econet /bin/false
-install af_802154 /bin/false
-install ipx /bin/false
-install appletalk /bin/false
-install psnap /bin/false
-install p8023 /bin/false
-install p8022 /bin/false
-install can /bin/false
-install atm /bin/false
-
-# Disable uncommon filesystems to reduce attack surface
-install cramfs /bin/false
-install udf /bin/false
-
-## Blacklists the vivid kernel module as it's only required for
-## testing and has been the cause of multiple vulnerabilities.
-##
-## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233
-## https://www.openwall.com/lists/oss-security/2019/11/02/1
-## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
-install vivid /bin/false

etc/modprobe.d/30_security-misc_blacklist.conf#security-misc-shared

@@ -0,0 +1,59 @@
+## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## See the following links for a community discussion and overview regarding the selections.
+## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989
+## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules
+
+## Blacklisting prevents kernel modules from automatically starting.
+## Disabling prohibits kernel modules from starting.
+
+## CD-ROM/DVD:
+## Blacklist CD-ROM and DVD modules.
+## Not disabled by default due to potential future ISO plans.
+## Can uncomment the bottom pair to disable both modules.
+##
+## https://nvd.nist.gov/vuln/detail/CVE-2018-11506
+## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31
+##
+blacklist cdrom
+blacklist sr_mod
+#install cdrom /usr/bin/disabled-cdrom-by-security-misc
+#install sr_mod /usr/bin/disabled-cdrom-by-security-misc
+
+## Miscellaneous:
+
+## GrapheneOS:
+## Partial selection of their infrastructure blacklist.
+## Duplicate and already disabled modules have been omitted.
+## Currently snd_intel8x0 is required by some users for VirtualBox audio device ICH AC97.
+##
+## https://github.com/GrapheneOS/infrastructure/tree/main/etc/modprobe.d
+## https://www.kicksecure.com/wiki/Dev/audio
+## https://github.com/Kicksecure/security-misc/issues/271
+##
+#blacklist cfg80211
+#blacklist intel_agp
+#blacklist ip_tables
+#blacklist mousedev
+#blacklist psmouse
+#blacklist snd_intel8x0
+#blacklist tls
+#blacklist virtio_balloon
+#blacklist virtio_console
+
+## Ubuntu:
+## Already disabled modules have been omitted.
+##
+## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco
+## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco
+##
+blacklist amd76x_edac
+blacklist ath_pci
+blacklist evbug
+blacklist pcspkr
+blacklist snd_aw2
+blacklist snd_intel8x0m
+blacklist snd_pcsp
+blacklist usbkbd
+blacklist usbmouse

etc/modprobe.d/30_security-misc_conntrack.conf#security-misc-shared

@@ -0,0 +1,13 @@
+## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Conntrack:
+## Disable Netfilter's automatic connection tracking helper assignment.
+## This functionality adds unnecessary features, such as IRC protocol parsing, into the kernel.
+## Disabling it reduces the kernel attack surface and improves security.
+##
+## https://conntrack-tools.netfilter.org/manual.html
+## https://home.regit.org/netfilter-en/secure-use-of-helpers/
+## https://forums.whonix.org/t/disable-conntrack-helper/18917
+##
+options nf_conntrack nf_conntrack_helper=0

etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared

@@ -0,0 +1,356 @@
+## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## See the following links for a community discussion and overview regarding the selections:
+## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989
+## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules
+
+## Blacklisting prevents kernel modules from automatically starting.
+## Disabling prohibits kernel modules from starting.
+
+## This configuration file is split into 4 sections:
+## 1. Hardware
+## 2. File Systems
+## 3. Networking
+## 4. Miscellaneous
+
+## 1. Hardware:
+
+## Bluetooth:
+## Disable Bluetooth to reduce the attack surface due to its long history of security vulnerabilities.
+## Replaced with a privacy and security preserving default Bluetooth configuration for better usability.
+##
+## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
+## https://github.com/Kicksecure/security-misc/pull/145
+##
+#install bluetooth /usr/bin/disabled-bluetooth-by-security-misc
+#install bluetooth_6lowpan  /usr/bin/disabled-bluetooth-by-security-misc
+#install bt3c_cs /usr/bin/disabled-bluetooth-by-security-misc
+#install btbcm /usr/bin/disabled-bluetooth-by-security-misc
+#install btintel /usr/bin/disabled-bluetooth-by-security-misc
+#install btmrvl /usr/bin/disabled-bluetooth-by-security-misc
+#install btmrvl_sdio /usr/bin/disabled-bluetooth-by-security-misc
+#install btmtk /usr/bin/disabled-bluetooth-by-security-misc
+#install btmtksdio /usr/bin/disabled-bluetooth-by-security-misc
+#install btmtkuart /usr/bin/disabled-bluetooth-by-security-misc
+#install btnxpuart /usr/bin/disabled-bluetooth-by-security-misc
+#install btqca /usr/bin/disabled-bluetooth-by-security-misc
+#install btrsi /usr/bin/disabled-bluetooth-by-security-misc
+#install btrtl /usr/bin/disabled-bluetooth-by-security-misc
+#install btsdio /usr/bin/disabled-bluetooth-by-security-misc
+#install btusb /usr/bin/disabled-bluetooth-by-security-misc
+#install virtio_bt /usr/bin/disabled-bluetooth-by-security-misc
+
+## CPU Model-Specific Registers (MSRs):
+## User-level read access to MSRs can allow malicious unprivileged applications to access other trust domains.
+## MSRs can also be abused to write to arbitrary memory.
+##
+## https://en.wikipedia.org/wiki/Model-specific_register
+## https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/running-average-power-limit-energy-reporting.html
+## https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/best-practices/reading-writing-msrs-in-linux.html
+## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode
+## https://github.com/Kicksecure/security-misc/issues/215
+##
+#install intel_rapl_msr /usr/bin/disabled-cpumsr-by-security-misc
+#install isst_if_mbox_msr /usr/bin/disabled-cpumsr-by-security-misc
+#install msr /usr/bin/disabled-cpumsr-by-security-misc
+
+## FireWire (IEEE 1394):
+## Disable IEEE 1394 (FireWire/i.LINK/Lynx) modules to prevent certain DMA attacks.
+##
+## https://en.wikipedia.org/wiki/IEEE_1394#Security_issues
+##
+install dv1394 /usr/bin/disabled-firewire-by-security-misc
+install firewire-core /usr/bin/disabled-firewire-by-security-misc
+install firewire-ohci /usr/bin/disabled-firewire-by-security-misc
+install firewire-net /usr/bin/disabled-firewire-by-security-misc
+install firewire-sbp2 /usr/bin/disabled-firewire-by-security-misc
+install ohci1394 /usr/bin/disabled-firewire-by-security-misc
+install raw1394 /usr/bin/disabled-firewire-by-security-misc
+install sbp2 /usr/bin/disabled-firewire-by-security-misc
+install video1394 /usr/bin/disabled-firewire-by-security-misc
+
+## Global Positioning Systems (GPS):
+## Disable GPS-related modules like GNSS (Global Navigation Satellite System).
+##
+install garmin_gps /usr/bin/disabled-gps-by-security-misc
+install gnss /usr/bin/disabled-gps-by-security-misc
+install gnss-mtk /usr/bin/disabled-gps-by-security-misc
+install gnss-serial /usr/bin/disabled-gps-by-security-misc
+install gnss-sirf /usr/bin/disabled-gps-by-security-misc
+install gnss-ubx /usr/bin/disabled-gps-by-security-misc
+install gnss-usb /usr/bin/disabled-gps-by-security-misc
+
+## Intel Management Engine (ME):
+## Partially disable the Intel ME interface with the OS.
+## ME functionality has increasingly become intertwined with basic Intel system operation.
+## Disabling it may lead to breakages in various components without clear debugging/error messages.
+## It may affect firmware updates, security, power management, display, and DRM.
+##
+## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html
+## https://en.wikipedia.org/wiki/Intel_Management_Engine#Security_vulnerabilities
+## https://www.kicksecure.com/wiki/Out-of-band_Management_Technology#Intel_ME_Disabling_Disadvantages
+## https://github.com/Kicksecure/security-misc/pull/236#issuecomment-2229092813
+## https://github.com/Kicksecure/security-misc/issues/239
+##
+#install mei /usr/bin/disabled-intelme-by-security-misc
+#install mei-gsc /usr/bin/disabled-intelme-by-security-misc
+#install mei_gsc_proxy /usr/bin/disabled-intelme-by-security-misc
+#install mei_hdcp /usr/bin/disabled-intelme-by-security-misc
+#install mei-me /usr/bin/disabled-intelme-by-security-misc
+#install mei_phy /usr/bin/disabled-intelme-by-security-misc
+#install mei_pxp /usr/bin/disabled-intelme-by-security-misc
+#install mei-txe /usr/bin/disabled-intelme-by-security-misc
+#install mei-vsc /usr/bin/disabled-intelme-by-security-misc
+#install mei-vsc-hw /usr/bin/disabled-intelme-by-security-misc
+#install mei_wdt /usr/bin/disabled-intelme-by-security-misc
+#install microread_mei /usr/bin/disabled-intelme-by-security-misc
+
+## Intel Platform Monitoring Technology (PMT) Telemetry:
+## Disable certain functionalities of the Intel PMT components.
+##
+## https://www.intel.com/content/www/us/en/content-details/710389/intel-platform-monitoring-technology-intel-pmt-technical-specification.html
+## https://github.com/intel/Intel-PMT
+##
+install pmt_class /usr/bin/disabled-intelpmt-by-security-misc
+install pmt_crashlog /usr/bin/disabled-intelpmt-by-security-misc
+install pmt_telemetry /usr/bin/disabled-intelpmt-by-security-misc
+
+## Thunderbolt:
+## Disable Thunderbolt modules to prevent certain DMA attacks.
+##
+## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities
+##
+install intel-wmi-thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
+install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
+install thunderbolt_net /usr/bin/disabled-thunderbolt-by-security-misc
+
+## 2. File Systems:
+
+## File Systems:
+## Disable uncommon file systems to reduce attack surface.
+## HFS/HFS+ are legacy Apple file systems that may be required depending on the EFI partition format.
+##
+## https://docs.kernel.org/filesystems/index.html
+## https://github.com/secureblue/secureblue/tree/live/files/system/usr/lib/modprobe.d
+##
+install adfs /usr/bin/disabled-filesys-by-security-misc
+install affs /usr/bin/disabled-filesys-by-security-misc
+install afs /usr/bin/disabled-filesys-by-security-misc
+install befs /usr/bin/disabled-filesys-by-security-misc
+install ceph /usr/bin/disabled-filesys-by-security-misc
+install coda /usr/bin/disabled-filesys-by-security-misc
+install cramfs /usr/bin/disabled-filesys-by-security-misc
+install ecryptfs /usr/bin/disabled-filesys-by-security-misc
+install freevxfs /usr/bin/disabled-filesys-by-security-misc
+install hfs /usr/bin/disabled-filesys-by-security-misc
+install hfsplus /usr/bin/disabled-filesys-by-security-misc
+install jffs2 /usr/bin/disabled-filesys-by-security-misc
+install jfs /usr/bin/disabled-filesys-by-security-misc
+install kafs /usr/bin/disabled-filesys-by-security-misc
+install minix /usr/bin/disabled-filesys-by-security-misc
+install nilfs2 /usr/bin/disabled-filesys-by-security-misc
+install ocfs2 /usr/bin/disabled-filesys-by-security-misc
+install orangefs /usr/bin/disabled-filesys-by-security-misc
+install reiserfs /usr/bin/disabled-filesys-by-security-misc
+install romfs /usr/bin/disabled-filesys-by-security-misc
+install sysv /usr/bin/disabled-filesys-by-security-misc
+install ubifs /usr/bin/disabled-filesys-by-security-misc
+install udf /usr/bin/disabled-filesys-by-security-misc
+install ufs /usr/bin/disabled-filesys-by-security-misc
+install zonefs /usr/bin/disabled-filesys-by-security-misc
+
+## Network File Systems:
+## Disable uncommon network file systems to reduce attack surface.
+## Currently 9p is required for KVM shared folders in Whonix.
+##
+## https://www.whonix.org/wiki/KVM#Shared_Folder
+##
+#install 9p /usr/bin/disabled-netfilesys-by-security-misc
+install gfs2 /usr/bin/disabled-netfilesys-by-security-misc
+install ksmbd /usr/bin/disabled-netfilesys-by-security-misc
+
+## Network File System - Common Internet File System (CIFS):
+##
+install cifs /usr/bin/disabled-netfilesys-by-security-misc
+install cifs_arc4 /usr/bin/disabled-netfilesys-by-security-misc
+install cifs_md4 /usr/bin/disabled-netfilesys-by-security-misc
+
+## Network File System - Network File System (NFS):
+##
+install nfs /usr/bin/disabled-netfilesys-by-security-misc
+install nfs_acl /usr/bin/disabled-netfilesys-by-security-misc
+install nfs_layout_nfsv41_files /usr/bin/disabled-netfilesys-by-security-misc
+install nfs_layout_flexfiles /usr/bin/disabled-netfilesys-by-security-misc
+install nfsd /usr/bin/disabled-netfilesys-by-security-misc
+install nfsv2 /usr/bin/disabled-netfilesys-by-security-misc
+install nfsv3 /usr/bin/disabled-netfilesys-by-security-misc
+install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc
+
+## 2. Networking:
+
+## Network Protocols:
+## Disable rare and unneeded network protocols that are a common source of unknown vulnerabilities.
+## Previously had blacklisted eepro100 and eth1394.
+##
+## https://tails.boum.org/blueprint/blacklist_modules/
+## https://fedoraproject.org/wiki/Security_Features_Matrix#Blacklist_Rare_Protocols
+## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-rare-network.conf?h=ubuntu/disco
+## https://github.com/Kicksecure/security-misc/pull/234#issuecomment-2230732015
+##
+install af_802154 /usr/bin/disabled-network-by-security-misc
+install appletalk /usr/bin/disabled-network-by-security-misc
+install ax25 /usr/bin/disabled-network-by-security-misc
+install decnet /usr/bin/disabled-network-by-security-misc
+install dccp /usr/bin/disabled-network-by-security-misc
+install econet /usr/bin/disabled-network-by-security-misc
+install eepro100 /usr/bin/disabled-network-by-security-misc
+install eth1394 /usr/bin/disabled-network-by-security-misc
+install ipx /usr/bin/disabled-network-by-security-misc
+install n-hdlc /usr/bin/disabled-network-by-security-misc
+install netrom /usr/bin/disabled-network-by-security-misc
+install p8022 /usr/bin/disabled-network-by-security-misc
+install p8023 /usr/bin/disabled-network-by-security-misc
+install psnap /usr/bin/disabled-network-by-security-misc
+install rose /usr/bin/disabled-network-by-security-misc
+install x25 /usr/bin/disabled-network-by-security-misc
+
+## Network Protocol - Asynchronous Transfer Mode (ATM):
+##
+install atm /usr/bin/disabled-network-by-security-misc
+install ueagle-atm /usr/bin/disabled-network-by-security-misc
+install usbatm /usr/bin/disabled-network-by-security-misc
+install xusbatm /usr/bin/disabled-network-by-security-misc
+
+## Network Protocol - Controller Area Network (CAN):
+##
+install c_can /usr/bin/disabled-network-by-security-misc
+install c_can_pci /usr/bin/disabled-network-by-security-misc
+install c_can_platform /usr/bin/disabled-network-by-security-misc
+install can /usr/bin/disabled-network-by-security-misc
+install can-bcm /usr/bin/disabled-network-by-security-misc
+install can-dev /usr/bin/disabled-network-by-security-misc
+install can-gw /usr/bin/disabled-network-by-security-misc
+install can-isotp /usr/bin/disabled-network-by-security-misc
+install can-raw /usr/bin/disabled-network-by-security-misc
+install can-j1939 /usr/bin/disabled-network-by-security-misc
+install can327 /usr/bin/disabled-network-by-security-misc
+install ifi_canfd /usr/bin/disabled-network-by-security-misc
+install janz-ican3 /usr/bin/disabled-network-by-security-misc
+install m_can /usr/bin/disabled-network-by-security-misc
+install m_can_pci /usr/bin/disabled-network-by-security-misc
+install m_can_platform /usr/bin/disabled-network-by-security-misc
+install phy-can-transceiver /usr/bin/disabled-network-by-security-misc
+install slcan /usr/bin/disabled-network-by-security-misc
+install ucan /usr/bin/disabled-network-by-security-misc
+install vxcan /usr/bin/disabled-network-by-security-misc
+install vcan /usr/bin/disabled-network-by-security-misc
+
+## Network Protocol - Transparent Inter Process Communication (TIPC):
+##
+install tipc /usr/bin/disabled-network-by-security-misc
+install tipc_diag /usr/bin/disabled-network-by-security-misc
+
+## Network Protocol - Reliable Datagram Sockets (RDS):
+##
+install rds /usr/bin/disabled-network-by-security-misc
+install rds_rdma /usr/bin/disabled-network-by-security-misc
+install rds_tcp /usr/bin/disabled-network-by-security-misc
+
+## Network Protocol - Stream Control Transmission Protocol (SCTP):
+##
+install sctp /usr/bin/disabled-network-by-security-misc
+install sctp_diag /usr/bin/disabled-network-by-security-misc
+
+## 4. Miscellaneous:
+
+## Amateur Radios:
+##
+install hamradio /usr/bin/disabled-miscellaneous-by-security-misc
+
+## Floppy Disks:
+##
+install floppy /usr/bin/disabled-miscellaneous-by-security-misc
+
+## Framebuffer (fbdev):
+## Video drivers are known to be buggy, cause kernel panics, and are generally only used by legacy devices.
+## These were all previously blacklisted.
+##
+## https://docs.kernel.org/fb/index.html
+## https://en.wikipedia.org/wiki/Linux_framebuffer
+## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
+##
+install aty128fb /usr/bin/disabled-framebuffer-by-security-misc
+install atyfb /usr/bin/disabled-framebuffer-by-security-misc
+install cirrusfb /usr/bin/disabled-framebuffer-by-security-misc
+install cyber2000fb /usr/bin/disabled-framebuffer-by-security-misc
+install cyblafb /usr/bin/disabled-framebuffer-by-security-misc
+install gx1fb /usr/bin/disabled-framebuffer-by-security-misc
+install hgafb /usr/bin/disabled-framebuffer-by-security-misc
+install i810fb /usr/bin/disabled-framebuffer-by-security-misc
+install intelfb /usr/bin/disabled-framebuffer-by-security-misc
+install kyrofb /usr/bin/disabled-framebuffer-by-security-misc
+install lxfb /usr/bin/disabled-framebuffer-by-security-misc
+install matroxfb_base /usr/bin/disabled-framebuffer-by-security-misc
+install neofb /usr/bin/disabled-framebuffer-by-security-misc
+install nvidiafb /usr/bin/disabled-framebuffer-by-security-misc
+install pm2fb /usr/bin/disabled-framebuffer-by-security-misc
+install radeonfb /usr/bin/disabled-framebuffer-by-security-misc
+install rivafb /usr/bin/disabled-framebuffer-by-security-misc
+install s1d13xxxfb /usr/bin/disabled-framebuffer-by-security-misc
+install savagefb /usr/bin/disabled-framebuffer-by-security-misc
+install sisfb /usr/bin/disabled-framebuffer-by-security-misc
+install sstfb /usr/bin/disabled-framebuffer-by-security-misc
+install tdfxfb /usr/bin/disabled-framebuffer-by-security-misc
+install tridentfb /usr/bin/disabled-framebuffer-by-security-misc
+install vesafb /usr/bin/disabled-framebuffer-by-security-misc
+install vfb /usr/bin/disabled-framebuffer-by-security-misc
+install viafb /usr/bin/disabled-framebuffer-by-security-misc
+install vt8623fb /usr/bin/disabled-framebuffer-by-security-misc
+install udlfb /usr/bin/disabled-framebuffer-by-security-misc
+
+## Joysticks:
+##
+## https://docs.kernel.org/input/joydev/joystick.html
+##
+install joydev /usr/bin/disabled-miscellaneous-by-security-misc
+
+## Replaced Modules:
+## These legacy drivers have all been entirely replaced and superseded by newer drivers.
+## Many of these were previously blacklisted.
+##
+## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco
+##
+install asus_acpi /usr/bin/disabled-miscellaneous-by-security-misc
+install bcm43xx /usr/bin/disabled-miscellaneous-by-security-misc
+install brcm80211 /usr/bin/disabled-miscellaneous-by-security-misc
+install de4x5 /usr/bin/disabled-miscellaneous-by-security-misc
+install prism54 /usr/bin/disabled-miscellaneous-by-security-misc
+
+## RNDIS:
+## Disable as believed to have unfixable buffer overflow issues impossible to make secure.
+## Used by some network devices common with Android USB tethering.
+##
+## https://en.wikipedia.org/wiki/RNDIS
+## https://lkml.org/lkml/2022/11/23/728
+## https://lore.kernel.org/lkml/2023071333-wildly-playroom-878b@gregkh/
+##
+install rndis_host /usr/bin/disabled-miscellaneous-by-security-misc
+install usb_f_rndis /usr/bin/disabled-miscellaneous-by-security-misc
+
+## USB Video Device Class:
+## Disable the USB-based video streaming driver for devices like some webcams and digital camcorders.
+##
+#install uvcvideo /usr/bin/disabled-miscellaneous-by-security-misc
+
+## Vivid:
+## Disable the vivid kernel module since it has been the cause of multiple vulnerabilities.
+## Required only for running tests associated with the Qubes Video Companion.
+##
+## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233
+## https://www.openwall.com/lists/oss-security/2019/11/02/1
+## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
+## https://forums.whonix.org/t/testing-qubes-video-companion-on-whonix/21393
+## https://github.com/Kicksecure/security-misc/issues/298
+##
+#install vivid /usr/bin/disabled-miscellaneous-by-security-misc

etc/permission-hardening.d/25_default_sudo.conf

@@ -1,20 +0,0 @@
-## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-## Please use "/etc/permission-hardening.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
-## configuration. When security-misc is updated, this file may be overwritten.
-
-## https://forums.whonix.org/t/restrict-root-access/7658/116
-## This restricts the file permissions of the sudo executable so that a vulnerability
-## in the program will not be exploitable by any users not in the "sudo" group. sudo
-## is a very complex program and is setuid so vulnerabilities in it can allow privilege
-## escalation, regardless of other root access restrictions. For example, the following
-## buffer overflow vulnerability could have been exploited by any user on the system:
-## https://www.openwall.com/lists/oss-security/2021/01/26/3
-## With this restriction, only users explicitly permitted to use sudo by being added to
-## the "sudo" group could exploit such vulnerabilities. For example, this would prevent a
-## compromised network-facing daemon (such as web servers, time synchronization daemons,
-## etc.)  running as its own user from exploiting sudo to escalate privileges.
-#/usr/bin/sudo 4750 root sudo
-#/bin/sudo 4750 root sudo

etc/permission-hardening.d/25_default_whitelist_bubblewrap.conf

@@ -1,9 +0,0 @@
-## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-## Please use "/etc/permission-hardening.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
-## configuration. When security-misc is updated, this file may be overwritten.
-
-/usr/bin/bwrap exactwhitelist
-/bin/bwrap exactwhitelist

etc/permission-hardening.d/25_default_whitelist_chromium.conf

@@ -1,8 +0,0 @@
-## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-## Please use "/etc/permission-hardening.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
-## configuration. When security-misc is updated, this file may be overwritten.
-
-/usr/lib/chromium/chrome-sandbox exactwhitelist

etc/permission-hardening.d/25_default_whitelist_dbus.conf

@@ -1,8 +0,0 @@
-## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-## Please use "/etc/permission-hardening.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
-## configuration. When security-misc is updated, this file may be overwritten.
-
-dbus-daemon-launch-helper matchwhitelist

etc/permission-hardening.d/25_default_whitelist_firejail.conf

@@ -1,11 +0,0 @@
-## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-## Please use "/etc/permission-hardening.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
-## configuration. When security-misc is updated, this file may be overwritten.
-
-## There is a controversy about firejail but those who choose to install it
-## should be able to use it.
-## https://www.whonix.org/wiki/Dev/Firejail#Security
-/usr/bin/firejail exactwhitelist

etc/permission-hardening.d/25_default_whitelist_fuse.conf

@@ -1,10 +0,0 @@
-## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-## Please use "/etc/permission-hardening.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
-## configuration. When security-misc is updated, this file may be overwritten.
-
-## required for AppImages such as electrum Bitcoin wallet
-## https://forums.whonix.org/t/disable-suid-binaries/7706/57
-/fusermount matchwhitelist

etc/permission-hardening.d/25_default_whitelist_mount.conf

@@ -1,17 +0,0 @@
-## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-## Please use "/etc/permission-hardening.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
-## configuration. When security-misc is updated, this file may be overwritten.
-
-## https://forums.whonix.org/t/disable-suid-binaries/7706/61
-## Protect from 'chmod -x' (and SUID removal).
-## SUID will be removed below in separate step.
-/bin/mount exactwhitelist
-/usr/bin/mount exactwhitelist
-
-## Remove SUID from 'mount' but keep executable.
-## https://forums.whonix.org/t/disable-suid-binaries/7706/61
-/bin/mount 745 root root
-/usr/bin/mount 745 root root

etc/permission-hardening.d/25_default_whitelist_policykit.conf

@@ -1,17 +0,0 @@
-## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-## Please use "/etc/permission-hardening.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
-## configuration. When security-misc is updated, this file may be overwritten.
-
-/usr/bin/pkexec exactwhitelist
-/bin/pkexec exactwhitelist
-/usr/bin/pkexec.security-misc-orig exactwhitelist
-/bin/pkexec.security-misc-orig exactwhitelist
-
-## TODO: research
-## match both:
-#/usr/lib/policykit-1/polkit-agent-helper-1 matchwhitelist
-#/lib/policykit-1/polkit-agent-helper-1
-polkit-agent-helper-1 matchwhitelist

etc/permission-hardening.d/25_default_whitelist_qubes.conf

@@ -1,13 +0,0 @@
-## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-## Please use "/etc/permission-hardening.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
-## configuration. When security-misc is updated, this file may be overwritten.
-
-## TODO: research
-## https://github.com/QubesOS/qubes-core-agent-linux/blob/master/qubes-rpc/qfile-unpacker.c
-## match both:
-#/usr/lib/qubes/qfile-unpacker whitelist
-#/lib/qubes/qfile-unpacker
-/qubes/qfile-unpacker matchwhitelist

etc/permission-hardening.d/25_default_whitelist_selinux.conf

@@ -1,8 +0,0 @@
-## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-## Please use "/etc/permission-hardening.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
-## configuration. When security-misc is updated, this file may be overwritten.
-
-/utempter/utempter matchwhitelist

etc/permission-hardening.d/25_default_whitelist_spice.conf

@@ -1,8 +0,0 @@
-## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-## Please use "/etc/permission-hardening.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
-## configuration. When security-misc is updated, this file may be overwritten.
-
-/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper exactwhitelist

etc/permission-hardening.d/25_default_whitelist_sudo.conf

@@ -1,9 +0,0 @@
-## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-## Please use "/etc/permission-hardening.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
-## configuration. When security-misc is updated, this file may be overwritten.
-
-/usr/bin/sudo exactwhitelist
-/bin/sudo exactwhitelist

etc/permission-hardening.d/25_default_whitelist_virtualbox.conf

@@ -1,9 +0,0 @@
-## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-## Please use "/etc/permission-hardening.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
-## configuration. When security-misc is updated, this file may be overwritten.
-
-## TODO: research
-/usr/lib/virtualbox/ matchwhitelist

etc/profile.d/30_security-misc.sh#security-misc-shared

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+if [ -z "$XDG_CONFIG_DIRS" ]; then
+   XDG_CONFIG_DIRS="/etc:/etc/xdg:/usr/share"
+fi
+if ! printf '%s\n' "$XDG_CONFIG_DIRS" | grep -- "/usr/share/security-misc/" >/dev/null 2>/dev/null ; then
+   export XDG_CONFIG_DIRS="/usr/share/security-misc/:$XDG_CONFIG_DIRS"
+fi

etc/securetty.security-misc

@@ -1,2 +0,0 @@
-# /etc/securetty: list of terminals on which root is allowed to login.
-# See securetty(5) and login(1).

etc/securetty.security-misc#security-misc-shared

@@ -0,0 +1,5 @@
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+# /etc/securetty: list of terminals on which root is allowed to login.
+# See securetty(5) and login(1).

etc/security-misc/emerg-shutdown/30_security_misc.conf#security-misc-shared

@@ -0,0 +1,34 @@
+## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/security-misc/emerg-shutdown/50_user.conf" or
+## "/usr/local/etc/security-misc/emerg-shutdown/50_user.conf"
+## for your custom configuration, which will override the defaults found here.
+## When Kicksecure is updated, this file may be overwritten.
+
+## Set the key combo for forcing immediate shutdown. See the "Keys and
+## buttons" section of "/usr/include/linux/input-event-codes.h" for possibly
+## supported values. Not all keys are supported.
+##
+## All specified keys must be depressed at the same time to trigger a
+## shutdown. Use a comma (",") to separate keys. If you want to alias certain
+## keys to each other from emerg-shutdown's standpoint, use a pipe
+## character("|").
+##
+## The default key sequence triggers a shutdown when Ctrl+Alt+Delete is
+## pressed, allowing the use of either the left or right Ctrl and Alt keys.
+EMERG_SHUTDOWN_KEYS="KEY_LEFTCTRL|KEY_RIGHTCTRL,KEY_LEFTALT|KEY_RIGHTALT,KEY_END"
+
+## Set the maximum number of seconds shutdown can take. If shutdown gets stuck
+## for longer than this, the system will forcibly power down.
+##
+## NOTE: This requires ensure-shutdown.service and
+## ensure-shutdown-trigger.service to be enabled, which is not done by
+## default. Enabling ensure-shutdown.service will cause shutdown to always
+## take at least as long as systemd's DefaultTimeoutStopSec (which by default
+## is 90 seconds). If you are going to enable ensure-shutdown.service, it is
+## highly recommended to set DefaultTimeoutStopSec to a much smaller value,
+## such as 5 seconds. The maximum shutdown time set here should be at least 10
+## seconds *longer* than DefaultTimeoutStopSec, to give normal shutdown a
+## chance to actually succeed before forcibly shutting down the system.
+ENSURE_SHUTDOWN_TIMEOUT=30

etc/security/access-security-misc.conf#security-misc-shared

@@ -1,8 +1,8 @@
-## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## To enable root login, see:
-## https://www.whonix.org/wiki/Root#Root_Login
+## https://www.kicksecure.com/wiki/Root#Root_Login
 
 ## Console Lockdown
 ## https://forums.whonix.org/t/etc-security-hardening/8592
@@ -33,7 +33,7 @@
 +:(console):console tty1 tty2 tty3 tty4 tty5 tty6 tty7 pts/0 pts/1 pts/2 pts/3 pts/4 pts/5 pts/6 pts/7 pts/8 pts/9 hvc0 hvc1 hvc2 hvc3 hvc4 hvc5 hvc6 hvc7 hvc8 hvc9 ttyS0 ttyS1 ttyS2 ttyS3 ttyS4 ttyS5 ttyS6 ttyS7 ttyS8 ttyS9
 
 ## Same as above also for members of group `sudo`.
-## https://github.com/Whonix/security-misc/pull/74#issuecomment-607748407
+## https://github.com/Kicksecure/security-misc/pull/74#issuecomment-607748407
 +:(sudo):console tty1 tty2 tty3 tty4 tty5 tty6 tty7 pts/0 pts/1 pts/2 pts/3 pts/4 pts/5 pts/6 pts/7 pts/8 pts/9 hvc0 hvc1 hvc2 hvc3 hvc4 hvc5 hvc6 hvc7 hvc8 hvc9 ttyS0 ttyS1 ttyS2 ttyS3 ttyS4 ttyS5 ttyS6 ttyS7 ttyS8 ttyS9
 
 ## Everyone else except members of group 'console-unrestricted'

etc/security/faillock.conf.security-misc#security-misc-shared

@@ -1,9 +1,12 @@
+## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
 # Configuration for locking the user after multiple failed
 # authentication attempts.
 #
 # The directory where the user files with the failure records are kept.
 # The default is /var/run/faillock.
-# dir = /var/run/faillock
+dir = /var/lib/security-misc/faillock
 #
 # Will log the user name into the system log if the user is not found.
 # Enabled if option is present.
@@ -35,14 +38,19 @@ deny = 50
 # authentication failures must happen for the user account
 # lock out is <replaceable>n</replaceable> seconds.
 # The default is 900 (15 minutes).
-# fail_interval = 900
+# security-misc note: the interval should be set to infinity if possible,
+# however pam_faillock arbitrarily limits this variable to a maximum of 604800
+# seconds (7 days). See
+# https://github.com/linux-pam/linux-pam/blob/539816e4a0a277dbb632412be91e482fff9d9d09/modules/pam_faillock/faillock_config.h#L59
+# for details. Therefore we set this to the maximum allowable value of 7 days.
+fail_interval = 604800
 #
 # The access will be re-enabled after n seconds after the lock out.
 # The value 0 has the same meaning as value `never` - the access
 # will not be re-enabled without resetting the faillock
 # entries by the `faillock` command.
 # The default is 600 (10 minutes).
-# unlock_time = 600
+unlock_time = never
 #
 # Root account can become locked as well as regular accounts.
 # Enabled if option is present.

etc/security/limits.d/30_security-misc.conf

@@ -1,5 +0,0 @@
-## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-## Disable coredumps.
-* hard core 0

etc/security/limits.d/30_security-misc.conf#security-misc-shared

@@ -0,0 +1,7 @@
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Disable core dumps.
+## `-` in the second field sets both hard and soft limits at the same time.
+## See `man 5 limits.conf`.
+* - core 0

etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml#security-misc-shared

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 
-<!-- ## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org> -->
+<!-- ## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org> -->
 <!-- ## See the file COPYING for copying conditions. -->
 
 <!-- Configuration for Thunar. -->

etc/skel/.gnupg/gpg.conf#security-misc-shared

@@ -282,13 +282,13 @@ display-charset utf-8
 ##################################################################
 
 ##################################################################
-## BEGIN Some suggestions from Debian http://keyring.debian.org/creating-key.html
+## BEGIN Some suggestions from Debian https://keyring.debian.org/creating-key.html
 
 personal-digest-preferences SHA512
 cert-digest-algo SHA512
 default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
 
-## END Some suggestions from Debian http://keyring.debian.org/creating-key.html
+## END Some suggestions from Debian https://keyring.debian.org/creating-key.html
 ##################################################################
 
 ##################################################################

etc/ssh/ssh_config.d/30_security-misc.conf#security-misc-shared

@@ -0,0 +1,22 @@
+## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Don't edit this file, to overwrite any options, edit a file with a higher
+## number that is read later by SSH, such as
+## '/etc/ssh/ssh_config.d/50_user.conf'. If your configuration changes do not
+## need to be system-wide, you may also consider placing overrides in
+## ~/.ssh/config.
+
+## See also:
+## https://www.kicksecure.com/wiki/SSH#Client_Configuration_File
+
+Host *
+  VisualHostKey yes
+  Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+  MACs umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+  KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org
+  ## To force the use of quantum-resistant key exchange algorithms, override
+  ## the above with
+  # KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256
+  HostKeyAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519
+  PubkeyAcceptedAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519

etc/ssh/sshd_config.d/30_security-misc.conf#security-misc-shared

@@ -0,0 +1,78 @@
+## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Don't edit this file, to overwrite any options, edit a file with a higher
+## number that is read later by SSHD, such as
+## '/etc/ssh/sshd_config.d/50_user.conf'.
+
+## See also:
+## https://www.kicksecure.com/wiki/SSH#Server_Configuration_File
+
+## Number of allowed login attempts per connection.
+MaxAuthTries 3
+
+## Require strong ciphers and algorithms.
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKeyAlgorithms ssh-ed25519
+PubkeyAcceptedAlgorithms ssh-ed25519,sk-ssh-ed25519@openssh.com
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
+MACs umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org
+## To force the use of quantum-resistant key exchange algorithms, override the
+## above with
+# KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256
+
+## Override with 'no' to fully deny root login, or leave this as
+## 'prohibit-password' for denying root password login but still allowing
+## other authentication methods such as public key.
+PermitRootLogin prohibit-password
+
+## Public key authentication is transparent, non-interactive and more secure.
+PasswordAuthentication no
+
+## Change to 'yes' to enable challenge-response passwords (beware issues with
+## some PAM modules and threads)
+KbdInteractiveAuthentication no
+
+## PAM can be used for account and session processing when using
+## ChallengeResponseAuthentication or PasswordAuthentication.
+##
+## Depending on your PAM configuration, PAM authentication via
+## ChallengeResponseAuthentication may bypass the setting of "PermitRootLogin
+## without-password".
+##
+## If you want PAM account and session checks to run without PAM
+## authentication, then enable this but set PasswordAuthentication and
+## ChallengeResponseAuthentication to 'no'.
+##
+## The default upstream is 'no', Debian sets this to 'yes'. If using a locked
+## account, read:
+##   https://www.kicksecure.com/wiki/SSH#SSH_Login_Comparison_Table
+## We set it to 'yes' to work with libpam-tmpdir.
+##   https://www.kicksecure.com/wiki/Dev/Strong_Linux_User_Account_Isolation#libpam-tmpdir
+## Also folders such as '/run/user/1000' will exist thanks to PAM.
+## The absence of that folder can lead to issues (such as with msgcollector).
+UsePAM yes
+
+## Block dangerous forwarding.
+AllowAgentForwarding no
+AllowTcpForwarding no
+X11Forwarding no
+
+## Hide unnecessary login banners.
+PrintMotd no
+#Banner /etc/issue.net
+#Hiding Debian version from SSH banner (obscurity)
+DebianBanner no
+
+## Some options are dangerous but may be required in certain circumstances. As
+## an example, if forwarding is required, selectively allow it with a 'Match'
+## block. Consider a new separate user named 'tunnel' which wants to forward
+## its local port to be available on the server on port 443. Note that a
+## tunnel user doesn't even require a TTY nor a shell, so don't forget to
+## change the 'tunnel' shell to something that prevents login such as
+## '/usr/sbin/nologin'.
+#Match User tunnel
+#  AllowTcpForwarding yes
+#  PermitListen localhost:443
+#  PermitTTY no

etc/sudoers.d/pkexec-security-misc

@@ -1,11 +0,0 @@
-## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-## REVIEW: is it ok that users can find out the PATH setting of root?
-#%sudo ALL=NOPASSWD: /usr/libexec/security-misc/echo-path
-
-## xfpm-power-backlight-helper demands environment variable PKEXEC_UID to be
-## set. Would otherwise error out with the following error message:
-## "This program must only be run through pkexec"
-## REVIEW: Can bad things be done by spoofing PKEXEC_UID?
-#Defaults:ALL env_keep += "PKEXEC_UID"

etc/sudoers.d/security-misc

@@ -1,5 +0,0 @@
-## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-user ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops
-%sudo ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops

etc/sudoers.d/security-misc#security-misc-shared

@@ -0,0 +1,12 @@
+## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Neither of these are needed.
+#user ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops
+#%sudo ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops
+
+## Use a more open umask when executing commands with sudo
+## Can be overridden on a per-user basis using .[z]profile if desirable
+## https://www.kicksecure.com/wiki/Dev/Strong_Linux_User_Account_Isolation#umask_hardening
+Defaults umask_override
+Defaults umask=0022

etc/sudoers.d/security-misc-desktop#security-misc-desktop

@@ -0,0 +1,6 @@
+## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Don't attempt to determine the local machine's FQDN via DNS. This can leak
+## the machine's hostname in cleartext to the configured DNS server.
+Defaults !fqdn

etc/sudoers.d/xfce-security-misc

@@ -1,19 +0,0 @@
-## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-## https://forums.whonix.org/t/xfce4-power-manager-xfpm-power-backlight-helper-pkexec-lxsudo-popup/8764
-## /usr/share/polkit-1/actions/org.xfce.power.policy
-
-## Feel free to out comment this if you are not using xfce4-power-manager or XFCE.
-
-#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness [[\:digit\:]]
-#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness [[\:digit\:]][[\:digit\:]]
-#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness [[\:digit\:]][[\:digit\:]][[\:digit\:]]
-
-#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness-switch [[\:digit\:]]
-#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness-switch [[\:digit\:]][[\:digit\:]]
-#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness-switch [[\:digit\:]][[\:digit\:]][[\:digit\:]]
-
-## XXX: Should we allow this?
-#%sudo ALL=NOPASSWD: /usr/sbin/xfce4-pm-helper --suspend
-#%sudo ALL=NOPASSWD: /usr/sbin/xfce4-pm-helper --hibernate

etc/sysctl.d/30_security-misc.conf

@@ -1,160 +0,0 @@
-## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-## Disables coredumps. This setting may be overwritten by systemd so this may not be useful.
-## security-misc also disables coredumps in other ways.
-kernel.core_pattern=|/bin/false
-
-## Restricts the kernel log to root only.
-kernel.dmesg_restrict=1
-
-## Don't allow writes to files that we don't own
-## in world writable sticky directories, unless
-## they are owned by the owner of the directory.
-fs.protected_fifos=2
-fs.protected_regular=2
-
-## Only allow symlinks to be followed when outside of
-## a world-writable sticky directory, or when the owner
-## of the symlink and follower match, or when the directory
-## owner matches the symlink's owner.
-##
-## Prevent hardlinks from being created by users that do not
-## have read/write access to the source file.
-##
-## These prevent many TOCTOU races.
-fs.protected_symlinks=1
-fs.protected_hardlinks=1
-
-## Hardens the BPF JIT compiler and restricts it to root.
-kernel.unprivileged_bpf_disabled=1
-net.core.bpf_jit_harden=2
-
-## Quote https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html
-##
-## kexec_load_disabled:
-##
-## A toggle indicating if the kexec_load syscall has been disabled. This value defaults to 0 (false: kexec_load enabled), but can be set to 1 (true: kexec_load disabled). Once true, kexec can no longer be used, and the toggle cannot be set back to false. This allows a kexec image to be loaded before disabling the syscall, allowing a system to set up (and later use) an image without it being altered. Generally used together with the "modules_disabled" sysctl.
-
-## Disables kexec which can be used to replace the running kernel.
-kernel.kexec_load_disabled=1
-
-## Hides kernel addresses in various files in /proc.
-## Kernel addresses can be very useful in certain exploits.
-##
-## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
-kernel.kptr_restrict=2
-
-## Improves ASLR effectiveness for mmap.
-vm.mmap_rnd_bits=32
-vm.mmap_rnd_compat_bits=16
-
-## Restricts the use of ptrace to root. This might break some programs running under WINE.
-## A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running:
-##
-## sudo apt-get install libcap2-bin
-## sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver
-## sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader
-kernel.yama.ptrace_scope=2
-
-## Prevent setuid processes from creating coredumps.
-fs.suid_dumpable=0
-
-
-#### meta start
-#### project Kicksecure
-#### category networking and security
-#### description
-## TCP/IP stack hardening
-
-## Protects against time-wait assassination.
-## It drops RST packets for sockets in the time-wait state.
-net.ipv4.tcp_rfc1337=1
-
-## Disables ICMP redirect acceptance.
-net.ipv4.conf.all.accept_redirects=0
-net.ipv4.conf.default.accept_redirects=0
-net.ipv4.conf.all.secure_redirects=0
-net.ipv4.conf.default.secure_redirects=0
-net.ipv6.conf.all.accept_redirects=0
-net.ipv6.conf.default.accept_redirects=0
-
-## Disables ICMP redirect sending.
-net.ipv4.conf.all.send_redirects=0
-net.ipv4.conf.default.send_redirects=0
-net.ipv6.conf.all.accept_redirects=0
-net.ipv6.conf.default.accept_redirects=0
-
-## Ignores ICMP requests.
-net.ipv4.icmp_echo_ignore_all=1
-
-## Enables TCP syncookies.
-net.ipv4.tcp_syncookies=1
-
-## Disable source routing.
-net.ipv4.conf.all.accept_source_route=0
-net.ipv4.conf.default.accept_source_route=0
-net.ipv6.conf.all.accept_source_route=0
-net.ipv6.conf.default.accept_source_route=0
-
-## Enable reverse path filtering to prevent IP spoofing and
-## mitigate vulnerabilities such as CVE-2019-14899.
-## https://forums.whonix.org/t/enable-reverse-path-filtering/8594
-net.ipv4.conf.default.rp_filter=1
-net.ipv4.conf.all.rp_filter=1
-
-#### meta end
-
-
-## Disables SACK as it is commonly exploited and likely not needed.
-## https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109
-#net.ipv4.tcp_sack=0
-#net.ipv4.tcp_dsack=0
-#net.ipv4.tcp_fack=0
-
-
-#### meta start
-#### project Kicksecure
-#### category networking and security
-#### description
-## disable IPv4 TCP Timestamps
-
-net.ipv4.tcp_timestamps=0
-
-#### meta end
-
-
-## Only allow the SysRq key to be used for shutdowns and the
-## Secure Attention Key (SAK).
-##
-## https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079/
-kernel.sysrq=132
-
-## Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent
-## unprivileged attackers from loading vulnerable line disciplines
-## with the TIOCSETD ioctl which has been used in exploits before
-## such as https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html
-##
-## https://lkml.org/lkml/2019/4/15/890
-dev.tty.ldisc_autoload=0
-
-## Restrict the userfaultfd() syscall to root as it can make heap sprays
-## easier.
-##
-## https://duasynt.com/blog/linux-kernel-heap-spray
-vm.unprivileged_userfaultfd=0
-
-## Let the kernel only swap if it is absolutely necessary.
-## Better not be set to zero:
-## - https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/s-memory-tunables.html
-## - https://en.wikipedia.org/wiki/Swappiness
-vm.swappiness=1
-
-## Disallow kernel profiling by users without CAP_SYS_ADMIN
-## https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
-kernel.perf_event_paranoid=3
-
-# Do not accept router advertisments
-net.ipv6.conf.all.accept_ra=0
-net.ipv6.conf.default.accept_ra=0
-

etc/sysctl.d/30_silent-kernel-printk.conf

@@ -1,6 +0,0 @@
-## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-## Prevent kernel info leaks in console during boot.
-## https://phabricator.whonix.org/T950
-kernel.printk = 3 3 3 3

etc/systemd/system/emergency.service.d/override.conf#security-misc-shared

@@ -1,3 +1,6 @@
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
 ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211
 ## https://salsa.debian.org/ah/user-setup/commit/bc5ca2de85ec27845d0b46059cb7cc02bae7b44d
 

etc/systemd/system/rescue.service.d/override.conf#security-misc-shared

@@ -1,3 +1,6 @@
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
 ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211
 ## https://salsa.debian.org/ah/user-setup/commit/bc5ca2de85ec27845d0b46059cb7cc02bae7b44d