diff --git a/COPYING b/COPYING index 829d909..3b0825d 100644 --- a/COPYING +++ b/COPYING 
@@ -1,668 +1,73 @@ Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Files: * -Copyright: 2012 - 2025 ENCRYPTED SUPPORT LLC -License: AGPL-3+ - -License: AGPL-3+ - GNU AFFERO GENERAL PUBLIC LICENSE - Version 3, 19 November 2007 - . - Copyright (C) 2007 Free Software Foundation, Inc. - Everyone is permitted to copy and distribute verbatim copies - of this license document, but changing it is not allowed. - . - Preamble - . - The GNU Affero General Public License is a free, copyleft license for - software and other kinds of works, specifically designed to ensure - cooperation with the community in the case of network server software. - . - The licenses for most software and other practical works are designed - to take away your freedom to share and change the works. By contrast, - our General Public Licenses are intended to guarantee your freedom to - share and change all versions of a program--to make sure it remains free - software for all its users. - . - When we speak of free software, we are referring to freedom, not - price. Our General Public Licenses are designed to make sure that you - have the freedom to distribute copies of free software (and charge for - them if you wish), that you receive source code or can get it if you - want it, that you can change the software or use pieces of it in new - free programs, and that you know you can do these things. - . - Developers that use our General Public Licenses protect your rights - with two steps: (1) assert copyright on the software, and (2) offer - you this License which gives you legal permission to copy, distribute - and/or modify the software. - . - A secondary benefit of defending all users' freedom is that - improvements made in alternate versions of the program, if they - receive widespread use, become available for other developers to - incorporate. Many developers of free software are heartened and - encouraged by the resulting cooperation. 
However, in the case of - software used on network servers, this result may fail to come about. - The GNU General Public License permits making a modified version and - letting the public access it on a server without ever releasing its - source code to the public. - . - The GNU Affero General Public License is designed specifically to - ensure that, in such cases, the modified source code becomes available - to the community. It requires the operator of a network server to - provide the source code of the modified version running there to the - users of that server. Therefore, public use of a modified version, on - a publicly accessible server, gives the public access to the source - code of the modified version. - . - An older license, called the Affero General Public License and - published by Affero, was designed to accomplish similar goals. This is - a different license, not a version of the Affero GPL, but Affero has - released a new version of the Affero GPL which permits relicensing under - this license. - . - The precise terms and conditions for copying, distribution and - modification follow. - . - TERMS AND CONDITIONS - . - 0. Definitions. - . - "This License" refers to version 3 of the GNU Affero General Public License. - . - "Copyright" also means copyright-like laws that apply to other kinds of - works, such as semiconductor masks. - . - "The Program" refers to any copyrightable work licensed under this - License. Each licensee is addressed as "you". "Licensees" and - "recipients" may be individuals or organizations. - . - To "modify" a work means to copy from or adapt all or part of the work - in a fashion requiring copyright permission, other than the making of an - exact copy. The resulting work is called a "modified version" of the - earlier work or a work "based on" the earlier work. - . - A "covered work" means either the unmodified Program or a work based - on the Program. - . 
- To "propagate" a work means to do anything with it that, without - permission, would make you directly or secondarily liable for - infringement under applicable copyright law, except executing it on a - computer or modifying a private copy. Propagation includes copying, - distribution (with or without modification), making available to the - public, and in some countries other activities as well. - . - To "convey" a work means any kind of propagation that enables other - parties to make or receive copies. Mere interaction with a user through - a computer network, with no transfer of a copy, is not conveying. - . - An interactive user interface displays "Appropriate Legal Notices" - to the extent that it includes a convenient and prominently visible - feature that (1) displays an appropriate copyright notice, and (2) - tells the user that there is no warranty for the work (except to the - extent that warranties are provided), that licensees may convey the - work under this License, and how to view a copy of this License. If - the interface presents a list of user commands or options, such as a - menu, a prominent item in the list meets this criterion. - . - 1. Source Code. - . - The "source code" for a work means the preferred form of the work - for making modifications to it. "Object code" means any non-source - form of a work. - . - A "Standard Interface" means an interface that either is an official - standard defined by a recognized standards body, or, in the case of - interfaces specified for a particular programming language, one that - is widely used among developers working in that language. - . 
- The "System Libraries" of an executable work include anything, other - than the work as a whole, that (a) is included in the normal form of - packaging a Major Component, but which is not part of that Major - Component, and (b) serves only to enable use of the work with that - Major Component, or to implement a Standard Interface for which an - implementation is available to the public in source code form. A - "Major Component", in this context, means a major essential component - (kernel, window system, and so on) of the specific operating system - (if any) on which the executable work runs, or a compiler used to - produce the work, or an object code interpreter used to run it. - . - The "Corresponding Source" for a work in object code form means all - the source code needed to generate, install, and (for an executable - work) run the object code and to modify the work, including scripts to - control those activities. However, it does not include the work's - System Libraries, or general-purpose tools or generally available free - programs which are used unmodified in performing those activities but - which are not part of the work. For example, Corresponding Source - includes interface definition files associated with source files for - the work, and the source code for shared libraries and dynamically - linked subprograms that the work is specifically designed to require, - such as by intimate data communication or control flow between those - subprograms and other parts of the work. - . - The Corresponding Source need not include anything that users - can regenerate automatically from other parts of the Corresponding - Source. - . - The Corresponding Source for a work in source code form is that - same work. - . - 2. Basic Permissions. - . - All rights granted under this License are granted for the term of - copyright on the Program, and are irrevocable provided the stated - conditions are met. 
This License explicitly affirms your unlimited - permission to run the unmodified Program. The output from running a - covered work is covered by this License only if the output, given its - content, constitutes a covered work. This License acknowledges your - rights of fair use or other equivalent, as provided by copyright law. - . - You may make, run and propagate covered works that you do not - convey, without conditions so long as your license otherwise remains - in force. You may convey covered works to others for the sole purpose - of having them make modifications exclusively for you, or provide you - with facilities for running those works, provided that you comply with - the terms of this License in conveying all material for which you do - not control copyright. Those thus making or running the covered works - for you must do so exclusively on your behalf, under your direction - and control, on terms that prohibit them from making any copies of - your copyrighted material outside their relationship with you. - . - Conveying under any other circumstances is permitted solely under - the conditions stated below. Sublicensing is not allowed; section 10 - makes it unnecessary. - . - 3. Protecting Users' Legal Rights From Anti-Circumvention Law. - . - No covered work shall be deemed part of an effective technological - measure under any applicable law fulfilling obligations under article - 11 of the WIPO copyright treaty adopted on 20 December 1996, or - similar laws prohibiting or restricting circumvention of such - measures. - . 
- When you convey a covered work, you waive any legal power to forbid - circumvention of technological measures to the extent such circumvention - is effected by exercising rights under this License with respect to - the covered work, and you disclaim any intention to limit operation or - modification of the work as a means of enforcing, against the work's - users, your or third parties' legal rights to forbid circumvention of - technological measures. - . - 4. Conveying Verbatim Copies. - . - You may convey verbatim copies of the Program's source code as you - receive it, in any medium, provided that you conspicuously and - appropriately publish on each copy an appropriate copyright notice; - keep intact all notices stating that this License and any - non-permissive terms added in accord with section 7 apply to the code; - keep intact all notices of the absence of any warranty; and give all - recipients a copy of this License along with the Program. - . - You may charge any price or no price for each copy that you convey, - and you may offer support or warranty protection for a fee. - . - 5. Conveying Modified Source Versions. - . - You may convey a work based on the Program, or the modifications to - produce it from the Program, in the form of source code under the - terms of section 4, provided that you also meet all of these conditions: - . - a) The work must carry prominent notices stating that you modified - it, and giving a relevant date. - . - b) The work must carry prominent notices stating that it is - released under this License and any conditions added under section - 7. This requirement modifies the requirement in section 4 to - "keep intact all notices". - . - c) You must license the entire work, as a whole, under this - License to anyone who comes into possession of a copy. This - License will therefore apply, along with any applicable section 7 - additional terms, to the whole of the work, and all its parts, - regardless of how they are packaged. 
This License gives no - permission to license the work in any other way, but it does not - invalidate such permission if you have separately received it. - . - d) If the work has interactive user interfaces, each must display - Appropriate Legal Notices; however, if the Program has interactive - interfaces that do not display Appropriate Legal Notices, your - work need not make them do so. - . - A compilation of a covered work with other separate and independent - works, which are not by their nature extensions of the covered work, - and which are not combined with it such as to form a larger program, - in or on a volume of a storage or distribution medium, is called an - "aggregate" if the compilation and its resulting copyright are not - used to limit the access or legal rights of the compilation's users - beyond what the individual works permit. Inclusion of a covered work - in an aggregate does not cause this License to apply to the other - parts of the aggregate. - . - 6. Conveying Non-Source Forms. - . - You may convey a covered work in object code form under the terms - of sections 4 and 5, provided that you also convey the - machine-readable Corresponding Source under the terms of this License, - in one of these ways: - . - a) Convey the object code in, or embodied in, a physical product - (including a physical distribution medium), accompanied by the - Corresponding Source fixed on a durable physical medium - customarily used for software interchange. - . 
- b) Convey the object code in, or embodied in, a physical product - (including a physical distribution medium), accompanied by a - written offer, valid for at least three years and valid for as - long as you offer spare parts or customer support for that product - model, to give anyone who possesses the object code either (1) a - copy of the Corresponding Source for all the software in the - product that is covered by this License, on a durable physical - medium customarily used for software interchange, for a price no - more than your reasonable cost of physically performing this - conveying of source, or (2) access to copy the - Corresponding Source from a network server at no charge. - . - c) Convey individual copies of the object code with a copy of the - written offer to provide the Corresponding Source. This - alternative is allowed only occasionally and noncommercially, and - only if you received the object code with such an offer, in accord - with subsection 6b. - . - d) Convey the object code by offering access from a designated - place (gratis or for a charge), and offer equivalent access to the - Corresponding Source in the same way through the same place at no - further charge. You need not require recipients to copy the - Corresponding Source along with the object code. If the place to - copy the object code is a network server, the Corresponding Source - may be on a different server (operated by you or a third party) - that supports equivalent copying facilities, provided you maintain - clear directions next to the object code saying where to find the - Corresponding Source. Regardless of what server hosts the - Corresponding Source, you remain obligated to ensure that it is - available for as long as needed to satisfy these requirements. - . 
- e) Convey the object code using peer-to-peer transmission, provided - you inform other peers where the object code and Corresponding - Source of the work are being offered to the general public at no - charge under subsection 6d. - . - A separable portion of the object code, whose source code is excluded - from the Corresponding Source as a System Library, need not be - included in conveying the object code work. - . - A "User Product" is either (1) a "consumer product", which means any - tangible personal property which is normally used for personal, family, - or household purposes, or (2) anything designed or sold for incorporation - into a dwelling. In determining whether a product is a consumer product, - doubtful cases shall be resolved in favor of coverage. For a particular - product received by a particular user, "normally used" refers to a - typical or common use of that class of product, regardless of the status - of the particular user or of the way in which the particular user - actually uses, or expects or is expected to use, the product. A product - is a consumer product regardless of whether the product has substantial - commercial, industrial or non-consumer uses, unless such uses represent - the only significant mode of use of the product. - . - "Installation Information" for a User Product means any methods, - procedures, authorization keys, or other information required to install - and execute modified versions of a covered work in that User Product from - a modified version of its Corresponding Source. The information must - suffice to ensure that the continued functioning of the modified object - code is in no case prevented or interfered with solely because - modification has been made. - . 
- If you convey an object code work under this section in, or with, or - specifically for use in, a User Product, and the conveying occurs as - part of a transaction in which the right of possession and use of the - User Product is transferred to the recipient in perpetuity or for a - fixed term (regardless of how the transaction is characterized), the - Corresponding Source conveyed under this section must be accompanied - by the Installation Information. But this requirement does not apply - if neither you nor any third party retains the ability to install - modified object code on the User Product (for example, the work has - been installed in ROM). - . - The requirement to provide Installation Information does not include a - requirement to continue to provide support service, warranty, or updates - for a work that has been modified or installed by the recipient, or for - the User Product in which it has been modified or installed. Access to a - network may be denied when the modification itself materially and - adversely affects the operation of the network or violates the rules and - protocols for communication across the network. - . - Corresponding Source conveyed, and Installation Information provided, - in accord with this section must be in a format that is publicly - documented (and with an implementation available to the public in - source code form), and must require no special password or key for - unpacking, reading or copying. - . - 7. Additional Terms. - . - "Additional permissions" are terms that supplement the terms of this - License by making exceptions from one or more of its conditions. - Additional permissions that are applicable to the entire Program shall - be treated as though they were included in this License, to the extent - that they are valid under applicable law. 
If additional permissions - apply only to part of the Program, that part may be used separately - under those permissions, but the entire Program remains governed by - this License without regard to the additional permissions. - . - When you convey a copy of a covered work, you may at your option - remove any additional permissions from that copy, or from any part of - it. (Additional permissions may be written to require their own - removal in certain cases when you modify the work.) You may place - additional permissions on material, added by you to a covered work, - for which you have or can give appropriate copyright permission. - . - Notwithstanding any other provision of this License, for material you - add to a covered work, you may (if authorized by the copyright holders of - that material) supplement the terms of this License with terms: - . - a) Disclaiming warranty or limiting liability differently from the - terms of sections 15 and 16 of this License; or - . - b) Requiring preservation of specified reasonable legal notices or - author attributions in that material or in the Appropriate Legal - Notices displayed by works containing it; or - . - c) Prohibiting misrepresentation of the origin of that material, or - requiring that modified versions of such material be marked in - reasonable ways as different from the original version; or - . - d) Limiting the use for publicity purposes of names of licensors or - authors of the material; or - . - e) Declining to grant rights under trademark law for use of some - trade names, trademarks, or service marks; or - . - f) Requiring indemnification of licensors and authors of that - material by anyone who conveys the material (or modified versions of - it) with contractual assumptions of liability to the recipient, for - any liability that these contractual assumptions directly impose on - those licensors and authors. - . 
- All other non-permissive additional terms are considered "further - restrictions" within the meaning of section 10. If the Program as you - received it, or any part of it, contains a notice stating that it is - governed by this License along with a term that is a further - restriction, you may remove that term. If a license document contains - a further restriction but permits relicensing or conveying under this - License, you may add to a covered work material governed by the terms - of that license document, provided that the further restriction does - not survive such relicensing or conveying. - . - If you add terms to a covered work in accord with this section, you - must place, in the relevant source files, a statement of the - additional terms that apply to those files, or a notice indicating - where to find the applicable terms. - . - Additional terms, permissive or non-permissive, may be stated in the - form of a separately written license, or stated as exceptions; - the above requirements apply either way. - . - 8. Termination. - . - You may not propagate or modify a covered work except as expressly - provided under this License. Any attempt otherwise to propagate or - modify it is void, and will automatically terminate your rights under - this License (including any patent licenses granted under the third - paragraph of section 11). - . - However, if you cease all violation of this License, then your - license from a particular copyright holder is reinstated (a) - provisionally, unless and until the copyright holder explicitly and - finally terminates your license, and (b) permanently, if the copyright - holder fails to notify you of the violation by some reasonable means - prior to 60 days after the cessation. - . 
- Moreover, your license from a particular copyright holder is - reinstated permanently if the copyright holder notifies you of the - violation by some reasonable means, this is the first time you have - received notice of violation of this License (for any work) from that - copyright holder, and you cure the violation prior to 30 days after - your receipt of the notice. - . - Termination of your rights under this section does not terminate the - licenses of parties who have received copies or rights from you under - this License. If your rights have been terminated and not permanently - reinstated, you do not qualify to receive new licenses for the same - material under section 10. - . - 9. Acceptance Not Required for Having Copies. - . - You are not required to accept this License in order to receive or - run a copy of the Program. Ancillary propagation of a covered work - occurring solely as a consequence of using peer-to-peer transmission - to receive a copy likewise does not require acceptance. However, - nothing other than this License grants you permission to propagate or - modify any covered work. These actions infringe copyright if you do - not accept this License. Therefore, by modifying or propagating a - covered work, you indicate your acceptance of this License to do so. - . - 10. Automatic Licensing of Downstream Recipients. - . - Each time you convey a covered work, the recipient automatically - receives a license from the original licensors, to run, modify and - propagate that work, subject to this License. You are not responsible - for enforcing compliance by third parties with this License. - . - An "entity transaction" is a transaction transferring control of an - organization, or substantially all assets of one, or subdividing an - organization, or merging organizations. 
If propagation of a covered - work results from an entity transaction, each party to that - transaction who receives a copy of the work also receives whatever - licenses to the work the party's predecessor in interest had or could - give under the previous paragraph, plus a right to possession of the - Corresponding Source of the work from the predecessor in interest, if - the predecessor has it or can get it with reasonable efforts. - . - You may not impose any further restrictions on the exercise of the - rights granted or affirmed under this License. For example, you may - not impose a license fee, royalty, or other charge for exercise of - rights granted under this License, and you may not initiate litigation - (including a cross-claim or counterclaim in a lawsuit) alleging that - any patent claim is infringed by making, using, selling, offering for - sale, or importing the Program or any portion of it. - . - 11. Patents. - . - A "contributor" is a copyright holder who authorizes use under this - License of the Program or a work on which the Program is based. The - work thus licensed is called the contributor's "contributor version". - . - A contributor's "essential patent claims" are all patent claims - owned or controlled by the contributor, whether already acquired or - hereafter acquired, that would be infringed by some manner, permitted - by this License, of making, using, or selling its contributor version, - but do not include claims that would be infringed only as a - consequence of further modification of the contributor version. For - purposes of this definition, "control" includes the right to grant - patent sublicenses in a manner consistent with the requirements of - this License. - . - Each contributor grants you a non-exclusive, worldwide, royalty-free - patent license under the contributor's essential patent claims, to - make, use, sell, offer for sale, import and otherwise run, modify and - propagate the contents of its contributor version. - . 
- In the following three paragraphs, a "patent license" is any express - agreement or commitment, however denominated, not to enforce a patent - (such as an express permission to practice a patent or covenant not to - sue for patent infringement). To "grant" such a patent license to a - party means to make such an agreement or commitment not to enforce a - patent against the party. - . - If you convey a covered work, knowingly relying on a patent license, - and the Corresponding Source of the work is not available for anyone - to copy, free of charge and under the terms of this License, through a - publicly available network server or other readily accessible means, - then you must either (1) cause the Corresponding Source to be so - available, or (2) arrange to deprive yourself of the benefit of the - patent license for this particular work, or (3) arrange, in a manner - consistent with the requirements of this License, to extend the patent - license to downstream recipients. "Knowingly relying" means you have - actual knowledge that, but for the patent license, your conveying the - covered work in a country, or your recipient's use of the covered work - in a country, would infringe one or more identifiable patents in that - country that you have reason to believe are valid. - . - If, pursuant to or in connection with a single transaction or - arrangement, you convey, or propagate by procuring conveyance of, a - covered work, and grant a patent license to some of the parties - receiving the covered work authorizing them to use, propagate, modify - or convey a specific copy of the covered work, then the patent license - you grant is automatically extended to all recipients of the covered - work and works based on it. - . - A patent license is "discriminatory" if it does not include within - the scope of its coverage, prohibits the exercise of, or is - conditioned on the non-exercise of one or more of the rights that are - specifically granted under this License. 
You may not convey a covered - work if you are a party to an arrangement with a third party that is - in the business of distributing software, under which you make payment - to the third party based on the extent of your activity of conveying - the work, and under which the third party grants, to any of the - parties who would receive the covered work from you, a discriminatory - patent license (a) in connection with copies of the covered work - conveyed by you (or copies made from those copies), or (b) primarily - for and in connection with specific products or compilations that - contain the covered work, unless you entered into that arrangement, - or that patent license was granted, prior to 28 March 2007. - . - Nothing in this License shall be construed as excluding or limiting - any implied license or other defenses to infringement that may - otherwise be available to you under applicable patent law. - . - 12. No Surrender of Others' Freedom. - . - If conditions are imposed on you (whether by court order, agreement or - otherwise) that contradict the conditions of this License, they do not - excuse you from the conditions of this License. If you cannot convey a - covered work so as to satisfy simultaneously your obligations under this - License and any other pertinent obligations, then as a consequence you may - not convey it at all. For example, if you agree to terms that obligate you - to collect a royalty for further conveying from those to whom you convey - the Program, the only way you could satisfy both those terms and this - License would be to refrain entirely from conveying the Program. - . - 13. Remote Network Interaction; Use with the GNU General Public License. - . 
- Notwithstanding any other provision of this License, if you modify the - Program, your modified version must prominently offer all users - interacting with it remotely through a computer network (if your version - supports such interaction) an opportunity to receive the Corresponding - Source of your version by providing access to the Corresponding Source - from a network server at no charge, through some standard or customary - means of facilitating copying of software. This Corresponding Source - shall include the Corresponding Source for any work covered by version 3 - of the GNU General Public License that is incorporated pursuant to the - following paragraph. - . - Notwithstanding any other provision of this License, you have - permission to link or combine any covered work with a work licensed - under version 3 of the GNU General Public License into a single - combined work, and to convey the resulting work. The terms of this - License will continue to apply to the part which is the covered work, - but the work with which it is combined will remain governed by version - 3 of the GNU General Public License. - . - 14. Revised Versions of this License. - . - The Free Software Foundation may publish revised and/or new versions of - the GNU Affero General Public License from time to time. Such new versions - will be similar in spirit to the present version, but may differ in detail to - address new problems or concerns. - . - Each version is given a distinguishing version number. If the - Program specifies that a certain numbered version of the GNU Affero General - Public License "or any later version" applies to it, you have the - option of following the terms and conditions either of that numbered - version or of any later version published by the Free Software - Foundation. If the Program does not specify a version number of the - GNU Affero General Public License, you may choose any version ever published - by the Free Software Foundation. - . 
- If the Program specifies that a proxy can decide which future - versions of the GNU Affero General Public License can be used, that proxy's - public statement of acceptance of a version permanently authorizes you - to choose that version for the Program. - . - Later license versions may give you additional or different - permissions. However, no additional obligations are imposed on any - author or copyright holder as a result of your choosing to follow a - later version. - . - 15. Disclaimer of Warranty. - . - THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY - APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT - HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY - OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, - THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM - IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +Copyright: 2012 - 2021 ENCRYPTED SUPPORT LP +License: GPL-3+-with-additional-terms-1 + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + . + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + . + You should have received a copy of the GNU General Public License + along with this program. If not, see . + . + On Debian systems, the full text of the GNU General Public + License version 3 can be found in the file + `/usr/share/common-licenses/GPL-3'. + . + ADDITIONAL TERMS APPLICABLE per GNU GPL version 3 section 7 + . + 1. Replacement of Section 15. 
Section 15 of the GPL shall be deleted in its + entirety and replaced with the following: + . + 15. Disclaimer of Warranty. + . + THE PROGRAM IS PROVIDED WITHOUT ANY WARRANTIES, WHETHER EXPRESSED OR IMPLIED, + INCLUDING, WITHOUT LIMITATION, IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR + PURPOSE, NON-INFRINGEMENT, TITLE AND MERCHANTABILITY. THE PROGRAM IS BEING + DELIVERED OR MADE AVAILABLE 'AS IS', 'WITH ALL FAULTS' AND WITHOUT WARRANTY OR + REPRESENTATION. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE + PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. . - 16. Limitation of Liability. + 2. Replacement of Section 16. Section 16 of the GPL shall be deleted in its + entirety and replaced with the following: . - IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING - WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS - THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY - GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE - USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF - DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD - PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), - EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF - SUCH DAMAGES. + 16. LIMITATION OF LIABILITY. . - 17. Interpretation of Sections 15 and 16. 
+ UNDER NO CIRCUMSTANCES SHALL ANY COPYRIGHT HOLDER OR ITS AFFILIATES, OR ANY + OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE + LIABLE TO YOU, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, FOR ANY + DAMAGES OR OTHER LIABILITY, INCLUDING ANY GENERAL, DIRECT, INDIRECT, SPECIAL, + INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES ARISING FROM, OUT OF OR IN + CONNECTION WITH THE USE OR INABILITY TO USE THE PROGRAM OR OTHER DEALINGS WITH + THE PROGRAM(INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED + INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE + PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), WHETHER OR NOT ANY COPYRIGHT HOLDER + OR SUCH OTHER PARTY RECEIVES NOTICE OF ANY SUCH DAMAGES AND WHETHER OR NOT SUCH + DAMAGES COULD HAVE BEEN FORESEEN. . - If the disclaimer of warranty and limitation of liability provided - above cannot be given local legal effect according to their terms, - reviewing courts shall apply local law that most closely approximates - an absolute waiver of all civil liability in connection with the - Program, unless a warranty or assumption of liability accompanies a - copy of the Program in return for a fee. + 3. LEGAL NOTICES; NO TRADEMARK LICENSE; ORIGIN. You must reproduce faithfully + all trademark, copyright and other proprietary and legal notices on any copies + of the Program or any other required author attributions. This license does not + grant you rights to use any copyright holder or any other party's name, logo, or + trademarks. Neither the name of the copyright holder or its affiliates, or any + other party who modifies and/or conveys the Program may be used to endorse or + promote products derived from this software without specific prior written + permission. The origin of the Program must not be misrepresented; you must not + claim that you wrote the original Program. 
Altered source versions must be + plainly marked as such, and must not be misrepresented as being the original + Program. . - END OF TERMS AND CONDITIONS - . - How to Apply These Terms to Your New Programs - . - If you develop a new program, and you want it to be of the greatest - possible use to the public, the best way to achieve this is to make it - free software which everyone can redistribute and change under these terms. - . - To do so, attach the following notices to the program. It is safest - to attach them to the start of each source file to most effectively - state the exclusion of warranty; and each file should have at least - the "copyright" line and a pointer to where the full notice is found. - . - - Copyright (C) - . - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU Affero General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - . - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU Affero General Public License for more details. - . - You should have received a copy of the GNU Affero General Public License - along with this program. If not, see . - . - Also add information on how to contact you by electronic and paper mail. - . - If your software can interact with users remotely through a computer - network, you should also make sure that it provides a way for users to - get its source. For example, if your program is a web application, its - interface could display a "Source" link that leads users to an archive - of the code. There are many ways you could offer source, and different - solutions will be better for different programs; see section 13 for the - specific requirements. - . 
- You should also get your employer (if you work as a programmer) or school, - if any, to sign a "copyright disclaimer" for the program, if necessary. - For more information on this, and how to apply and follow the GNU AGPL, see - . + 4. INDEMNIFICATION. IF YOU CONVEY A COVERED WORK AND AGREE WITH ANY RECIPIENT + OF THAT COVERED WORK THAT YOU WILL ASSUME ANY LIABILITY FOR THAT COVERED WORK, + YOU HEREBY AGREE TO INDEMNIFY, DEFEND AND HOLD HARMLESS THE OTHER LICENSORS AND + AUTHORS OF THAT COVERED WORK FOR ANY DAMAGES, DEMANDS, CLAIMS, LOSSES, CAUSES OF + ACTION, LAWSUITS, JUDGMENTS EXPENSES (INCLUDING WITHOUT LIMITATION REASONABLE + ATTORNEYS' FEES AND EXPENSES) OR ANY OTHER LIABILITY ARISING FROM, RELATED TO OR + IN CONNECTION WITH YOUR ASSUMPTIONS OF LIABILITY. diff --git a/GPLv3 b/GPLv3 new file mode 100644 index 0000000..94a9ed0 --- /dev/null +++ b/GPLv3 
@@ -0,0 +1,674 @@ + GNU GENERAL PUBLIC LICENSE + Version 3, 29 June 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The GNU General Public License is a free, copyleft license for +software and other kinds of works. + + The licenses for most software and other practical works are designed +to take away your freedom to share and change the works. By contrast, +the GNU General Public License is intended to guarantee your freedom to +share and change all versions of a program--to make sure it remains free +software for all its users. We, the Free Software Foundation, use the +GNU General Public License for most of our software; it applies also to +any other work released this way by its authors. You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +them if you wish), that you receive source code or can get it if you +want it, that you can change the software or use pieces of it in new +free programs, and that you know you can do these things. + + To protect your rights, we need to prevent others from denying you +these rights or asking you to surrender the rights. Therefore, you have +certain responsibilities if you distribute copies of the software, or if +you modify it: responsibilities to respect the freedom of others. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must pass on to the recipients the same +freedoms that you received. You must make sure that they, too, receive +or can get the source code. And you must show them these terms so they +know their rights. 
+ + Developers that use the GNU GPL protect your rights with two steps: +(1) assert copyright on the software, and (2) offer you this License +giving you legal permission to copy, distribute and/or modify it. + + For the developers' and authors' protection, the GPL clearly explains +that there is no warranty for this free software. For both users' and +authors' sake, the GPL requires that modified versions be marked as +changed, so that their problems will not be attributed erroneously to +authors of previous versions. + + Some devices are designed to deny users access to install or run +modified versions of the software inside them, although the manufacturer +can do so. This is fundamentally incompatible with the aim of +protecting users' freedom to change the software. The systematic +pattern of such abuse occurs in the area of products for individuals to +use, which is precisely where it is most unacceptable. Therefore, we +have designed this version of the GPL to prohibit the practice for those +products. If such problems arise substantially in other domains, we +stand ready to extend this provision to those domains in future versions +of the GPL, as needed to protect the freedom of users. + + Finally, every program is threatened constantly by software patents. +States should not allow patents to restrict development and use of +software on general-purpose computers, but in those that do, we wish to +avoid the special danger that patents applied to a free program could +make it effectively proprietary. To prevent this, the GPL assures that +patents cannot be used to render the program non-free. + + The precise terms and conditions for copying, distribution and +modification follow. + + TERMS AND CONDITIONS + + 0. Definitions. + + "This License" refers to version 3 of the GNU General Public License. + + "Copyright" also means copyright-like laws that apply to other kinds of +works, such as semiconductor masks. 
+ + "The Program" refers to any copyrightable work licensed under this +License. Each licensee is addressed as "you". "Licensees" and +"recipients" may be individuals or organizations. + + To "modify" a work means to copy from or adapt all or part of the work +in a fashion requiring copyright permission, other than the making of an +exact copy. The resulting work is called a "modified version" of the +earlier work or a work "based on" the earlier work. + + A "covered work" means either the unmodified Program or a work based +on the Program. + + To "propagate" a work means to do anything with it that, without +permission, would make you directly or secondarily liable for +infringement under applicable copyright law, except executing it on a +computer or modifying a private copy. Propagation includes copying, +distribution (with or without modification), making available to the +public, and in some countries other activities as well. + + To "convey" a work means any kind of propagation that enables other +parties to make or receive copies. Mere interaction with a user through +a computer network, with no transfer of a copy, is not conveying. + + An interactive user interface displays "Appropriate Legal Notices" +to the extent that it includes a convenient and prominently visible +feature that (1) displays an appropriate copyright notice, and (2) +tells the user that there is no warranty for the work (except to the +extent that warranties are provided), that licensees may convey the +work under this License, and how to view a copy of this License. If +the interface presents a list of user commands or options, such as a +menu, a prominent item in the list meets this criterion. + + 1. Source Code. + + The "source code" for a work means the preferred form of the work +for making modifications to it. "Object code" means any non-source +form of a work. 
+ + A "Standard Interface" means an interface that either is an official +standard defined by a recognized standards body, or, in the case of +interfaces specified for a particular programming language, one that +is widely used among developers working in that language. + + The "System Libraries" of an executable work include anything, other +than the work as a whole, that (a) is included in the normal form of +packaging a Major Component, but which is not part of that Major +Component, and (b) serves only to enable use of the work with that +Major Component, or to implement a Standard Interface for which an +implementation is available to the public in source code form. A +"Major Component", in this context, means a major essential component +(kernel, window system, and so on) of the specific operating system +(if any) on which the executable work runs, or a compiler used to +produce the work, or an object code interpreter used to run it. + + The "Corresponding Source" for a work in object code form means all +the source code needed to generate, install, and (for an executable +work) run the object code and to modify the work, including scripts to +control those activities. However, it does not include the work's +System Libraries, or general-purpose tools or generally available free +programs which are used unmodified in performing those activities but +which are not part of the work. For example, Corresponding Source +includes interface definition files associated with source files for +the work, and the source code for shared libraries and dynamically +linked subprograms that the work is specifically designed to require, +such as by intimate data communication or control flow between those +subprograms and other parts of the work. + + The Corresponding Source need not include anything that users +can regenerate automatically from other parts of the Corresponding +Source. + + The Corresponding Source for a work in source code form is that +same work. + + 2. 
Basic Permissions. + + All rights granted under this License are granted for the term of +copyright on the Program, and are irrevocable provided the stated +conditions are met. This License explicitly affirms your unlimited +permission to run the unmodified Program. The output from running a +covered work is covered by this License only if the output, given its +content, constitutes a covered work. This License acknowledges your +rights of fair use or other equivalent, as provided by copyright law. + + You may make, run and propagate covered works that you do not +convey, without conditions so long as your license otherwise remains +in force. You may convey covered works to others for the sole purpose +of having them make modifications exclusively for you, or provide you +with facilities for running those works, provided that you comply with +the terms of this License in conveying all material for which you do +not control copyright. Those thus making or running the covered works +for you must do so exclusively on your behalf, under your direction +and control, on terms that prohibit them from making any copies of +your copyrighted material outside their relationship with you. + + Conveying under any other circumstances is permitted solely under +the conditions stated below. Sublicensing is not allowed; section 10 +makes it unnecessary. + + 3. Protecting Users' Legal Rights From Anti-Circumvention Law. + + No covered work shall be deemed part of an effective technological +measure under any applicable law fulfilling obligations under article +11 of the WIPO copyright treaty adopted on 20 December 1996, or +similar laws prohibiting or restricting circumvention of such +measures. 
+ + When you convey a covered work, you waive any legal power to forbid +circumvention of technological measures to the extent such circumvention +is effected by exercising rights under this License with respect to +the covered work, and you disclaim any intention to limit operation or +modification of the work as a means of enforcing, against the work's +users, your or third parties' legal rights to forbid circumvention of +technological measures. + + 4. Conveying Verbatim Copies. + + You may convey verbatim copies of the Program's source code as you +receive it, in any medium, provided that you conspicuously and +appropriately publish on each copy an appropriate copyright notice; +keep intact all notices stating that this License and any +non-permissive terms added in accord with section 7 apply to the code; +keep intact all notices of the absence of any warranty; and give all +recipients a copy of this License along with the Program. + + You may charge any price or no price for each copy that you convey, +and you may offer support or warranty protection for a fee. + + 5. Conveying Modified Source Versions. + + You may convey a work based on the Program, or the modifications to +produce it from the Program, in the form of source code under the +terms of section 4, provided that you also meet all of these conditions: + + a) The work must carry prominent notices stating that you modified + it, and giving a relevant date. + + b) The work must carry prominent notices stating that it is + released under this License and any conditions added under section + 7. This requirement modifies the requirement in section 4 to + "keep intact all notices". + + c) You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable section 7 + additional terms, to the whole of the work, and all its parts, + regardless of how they are packaged. 
This License gives no + permission to license the work in any other way, but it does not + invalidate such permission if you have separately received it. + + d) If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your + work need not make them do so. + + A compilation of a covered work with other separate and independent +works, which are not by their nature extensions of the covered work, +and which are not combined with it such as to form a larger program, +in or on a volume of a storage or distribution medium, is called an +"aggregate" if the compilation and its resulting copyright are not +used to limit the access or legal rights of the compilation's users +beyond what the individual works permit. Inclusion of a covered work +in an aggregate does not cause this License to apply to the other +parts of the aggregate. + + 6. Conveying Non-Source Forms. + + You may convey a covered work in object code form under the terms +of sections 4 and 5, provided that you also convey the +machine-readable Corresponding Source under the terms of this License, +in one of these ways: + + a) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by the + Corresponding Source fixed on a durable physical medium + customarily used for software interchange. 
+ + b) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that product + model, to give anyone who possesses the object code either (1) a + copy of the Corresponding Source for all the software in the + product that is covered by this License, on a durable physical + medium customarily used for software interchange, for a price no + more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the + Corresponding Source from a network server at no charge. + + c) Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. This + alternative is allowed only occasionally and noncommercially, and + only if you received the object code with such an offer, in accord + with subsection 6b. + + d) Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to + copy the object code is a network server, the Corresponding Source + may be on a different server (operated by you or a third party) + that supports equivalent copying facilities, provided you maintain + clear directions next to the object code saying where to find the + Corresponding Source. Regardless of what server hosts the + Corresponding Source, you remain obligated to ensure that it is + available for as long as needed to satisfy these requirements. 
+ + e) Convey the object code using peer-to-peer transmission, provided + you inform other peers where the object code and Corresponding + Source of the work are being offered to the general public at no + charge under subsection 6d. + + A separable portion of the object code, whose source code is excluded +from the Corresponding Source as a System Library, need not be +included in conveying the object code work. + + A "User Product" is either (1) a "consumer product", which means any +tangible personal property which is normally used for personal, family, +or household purposes, or (2) anything designed or sold for incorporation +into a dwelling. In determining whether a product is a consumer product, +doubtful cases shall be resolved in favor of coverage. For a particular +product received by a particular user, "normally used" refers to a +typical or common use of that class of product, regardless of the status +of the particular user or of the way in which the particular user +actually uses, or expects or is expected to use, the product. A product +is a consumer product regardless of whether the product has substantial +commercial, industrial or non-consumer uses, unless such uses represent +the only significant mode of use of the product. + + "Installation Information" for a User Product means any methods, +procedures, authorization keys, or other information required to install +and execute modified versions of a covered work in that User Product from +a modified version of its Corresponding Source. The information must +suffice to ensure that the continued functioning of the modified object +code is in no case prevented or interfered with solely because +modification has been made. 
+ + If you convey an object code work under this section in, or with, or +specifically for use in, a User Product, and the conveying occurs as +part of a transaction in which the right of possession and use of the +User Product is transferred to the recipient in perpetuity or for a +fixed term (regardless of how the transaction is characterized), the +Corresponding Source conveyed under this section must be accompanied +by the Installation Information. But this requirement does not apply +if neither you nor any third party retains the ability to install +modified object code on the User Product (for example, the work has +been installed in ROM). + + The requirement to provide Installation Information does not include a +requirement to continue to provide support service, warranty, or updates +for a work that has been modified or installed by the recipient, or for +the User Product in which it has been modified or installed. Access to a +network may be denied when the modification itself materially and +adversely affects the operation of the network or violates the rules and +protocols for communication across the network. + + Corresponding Source conveyed, and Installation Information provided, +in accord with this section must be in a format that is publicly +documented (and with an implementation available to the public in +source code form), and must require no special password or key for +unpacking, reading or copying. + + 7. Additional Terms. + + "Additional permissions" are terms that supplement the terms of this +License by making exceptions from one or more of its conditions. +Additional permissions that are applicable to the entire Program shall +be treated as though they were included in this License, to the extent +that they are valid under applicable law. 
If additional permissions +apply only to part of the Program, that part may be used separately +under those permissions, but the entire Program remains governed by +this License without regard to the additional permissions. + + When you convey a copy of a covered work, you may at your option +remove any additional permissions from that copy, or from any part of +it. (Additional permissions may be written to require their own +removal in certain cases when you modify the work.) You may place +additional permissions on material, added by you to a covered work, +for which you have or can give appropriate copyright permission. + + Notwithstanding any other provision of this License, for material you +add to a covered work, you may (if authorized by the copyright holders of +that material) supplement the terms of this License with terms: + + a) Disclaiming warranty or limiting liability differently from the + terms of sections 15 and 16 of this License; or + + b) Requiring preservation of specified reasonable legal notices or + author attributions in that material or in the Appropriate Legal + Notices displayed by works containing it; or + + c) Prohibiting misrepresentation of the origin of that material, or + requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or + + d) Limiting the use for publicity purposes of names of licensors or + authors of the material; or + + e) Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or + + f) Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified versions of + it) with contractual assumptions of liability to the recipient, for + any liability that these contractual assumptions directly impose on + those licensors and authors. + + All other non-permissive additional terms are considered "further +restrictions" within the meaning of section 10. 
If the Program as you +received it, or any part of it, contains a notice stating that it is +governed by this License along with a term that is a further +restriction, you may remove that term. If a license document contains +a further restriction but permits relicensing or conveying under this +License, you may add to a covered work material governed by the terms +of that license document, provided that the further restriction does +not survive such relicensing or conveying. + + If you add terms to a covered work in accord with this section, you +must place, in the relevant source files, a statement of the +additional terms that apply to those files, or a notice indicating +where to find the applicable terms. + + Additional terms, permissive or non-permissive, may be stated in the +form of a separately written license, or stated as exceptions; +the above requirements apply either way. + + 8. Termination. + + You may not propagate or modify a covered work except as expressly +provided under this License. Any attempt otherwise to propagate or +modify it is void, and will automatically terminate your rights under +this License (including any patent licenses granted under the third +paragraph of section 11). + + However, if you cease all violation of this License, then your +license from a particular copyright holder is reinstated (a) +provisionally, unless and until the copyright holder explicitly and +finally terminates your license, and (b) permanently, if the copyright +holder fails to notify you of the violation by some reasonable means +prior to 60 days after the cessation. + + Moreover, your license from a particular copyright holder is +reinstated permanently if the copyright holder notifies you of the +violation by some reasonable means, this is the first time you have +received notice of violation of this License (for any work) from that +copyright holder, and you cure the violation prior to 30 days after +your receipt of the notice. 
+ + Termination of your rights under this section does not terminate the +licenses of parties who have received copies or rights from you under +this License. If your rights have been terminated and not permanently +reinstated, you do not qualify to receive new licenses for the same +material under section 10. + + 9. Acceptance Not Required for Having Copies. + + You are not required to accept this License in order to receive or +run a copy of the Program. Ancillary propagation of a covered work +occurring solely as a consequence of using peer-to-peer transmission +to receive a copy likewise does not require acceptance. However, +nothing other than this License grants you permission to propagate or +modify any covered work. These actions infringe copyright if you do +not accept this License. Therefore, by modifying or propagating a +covered work, you indicate your acceptance of this License to do so. + + 10. Automatic Licensing of Downstream Recipients. + + Each time you convey a covered work, the recipient automatically +receives a license from the original licensors, to run, modify and +propagate that work, subject to this License. You are not responsible +for enforcing compliance by third parties with this License. + + An "entity transaction" is a transaction transferring control of an +organization, or substantially all assets of one, or subdividing an +organization, or merging organizations. If propagation of a covered +work results from an entity transaction, each party to that +transaction who receives a copy of the work also receives whatever +licenses to the work the party's predecessor in interest had or could +give under the previous paragraph, plus a right to possession of the +Corresponding Source of the work from the predecessor in interest, if +the predecessor has it or can get it with reasonable efforts. + + You may not impose any further restrictions on the exercise of the +rights granted or affirmed under this License. 
For example, you may +not impose a license fee, royalty, or other charge for exercise of +rights granted under this License, and you may not initiate litigation +(including a cross-claim or counterclaim in a lawsuit) alleging that +any patent claim is infringed by making, using, selling, offering for +sale, or importing the Program or any portion of it. + + 11. Patents. + + A "contributor" is a copyright holder who authorizes use under this +License of the Program or a work on which the Program is based. The +work thus licensed is called the contributor's "contributor version". + + A contributor's "essential patent claims" are all patent claims +owned or controlled by the contributor, whether already acquired or +hereafter acquired, that would be infringed by some manner, permitted +by this License, of making, using, or selling its contributor version, +but do not include claims that would be infringed only as a +consequence of further modification of the contributor version. For +purposes of this definition, "control" includes the right to grant +patent sublicenses in a manner consistent with the requirements of +this License. + + Each contributor grants you a non-exclusive, worldwide, royalty-free +patent license under the contributor's essential patent claims, to +make, use, sell, offer for sale, import and otherwise run, modify and +propagate the contents of its contributor version. + + In the following three paragraphs, a "patent license" is any express +agreement or commitment, however denominated, not to enforce a patent +(such as an express permission to practice a patent or covenant not to +sue for patent infringement). To "grant" such a patent license to a +party means to make such an agreement or commitment not to enforce a +patent against the party. 
+ + If you convey a covered work, knowingly relying on a patent license, +and the Corresponding Source of the work is not available for anyone +to copy, free of charge and under the terms of this License, through a +publicly available network server or other readily accessible means, +then you must either (1) cause the Corresponding Source to be so +available, or (2) arrange to deprive yourself of the benefit of the +patent license for this particular work, or (3) arrange, in a manner +consistent with the requirements of this License, to extend the patent +license to downstream recipients. "Knowingly relying" means you have +actual knowledge that, but for the patent license, your conveying the +covered work in a country, or your recipient's use of the covered work +in a country, would infringe one or more identifiable patents in that +country that you have reason to believe are valid. + + If, pursuant to or in connection with a single transaction or +arrangement, you convey, or propagate by procuring conveyance of, a +covered work, and grant a patent license to some of the parties +receiving the covered work authorizing them to use, propagate, modify +or convey a specific copy of the covered work, then the patent license +you grant is automatically extended to all recipients of the covered +work and works based on it. + + A patent license is "discriminatory" if it does not include within +the scope of its coverage, prohibits the exercise of, or is +conditioned on the non-exercise of one or more of the rights that are +specifically granted under this License. 
You may not convey a covered +work if you are a party to an arrangement with a third party that is +in the business of distributing software, under which you make payment +to the third party based on the extent of your activity of conveying +the work, and under which the third party grants, to any of the +parties who would receive the covered work from you, a discriminatory +patent license (a) in connection with copies of the covered work +conveyed by you (or copies made from those copies), or (b) primarily +for and in connection with specific products or compilations that +contain the covered work, unless you entered into that arrangement, +or that patent license was granted, prior to 28 March 2007. + + Nothing in this License shall be construed as excluding or limiting +any implied license or other defenses to infringement that may +otherwise be available to you under applicable patent law. + + 12. No Surrender of Others' Freedom. + + If conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot convey a +covered work so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you may +not convey it at all. For example, if you agree to terms that obligate you +to collect a royalty for further conveying from those to whom you convey +the Program, the only way you could satisfy both those terms and this +License would be to refrain entirely from conveying the Program. + + 13. Use with the GNU Affero General Public License. + + Notwithstanding any other provision of this License, you have +permission to link or combine any covered work with a work licensed +under version 3 of the GNU Affero General Public License into a single +combined work, and to convey the resulting work. 
The terms of this +License will continue to apply to the part which is the covered work, +but the special requirements of the GNU Affero General Public License, +section 13, concerning interaction through a network will apply to the +combination as such. + + 14. Revised Versions of this License. + + The Free Software Foundation may publish revised and/or new versions of +the GNU General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + + Each version is given a distinguishing version number. If the +Program specifies that a certain numbered version of the GNU General +Public License "or any later version" applies to it, you have the +option of following the terms and conditions either of that numbered +version or of any later version published by the Free Software +Foundation. If the Program does not specify a version number of the +GNU General Public License, you may choose any version ever published +by the Free Software Foundation. + + If the Program specifies that a proxy can decide which future +versions of the GNU General Public License can be used, that proxy's +public statement of acceptance of a version permanently authorizes you +to choose that version for the Program. + + Later license versions may give you additional or different +permissions. However, no additional obligations are imposed on any +author or copyright holder as a result of your choosing to follow a +later version. + + 15. Disclaimer of Warranty. + + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY +APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT +HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY +OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, +THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. 
THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM +IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. Limitation of Liability. + + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS +THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY +GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE +USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF +DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD +PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), +EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF +SUCH DAMAGES. + + 17. Interpretation of Sections 15 and 16. + + If the disclaimer of warranty and limitation of liability provided +above cannot be given local legal effect according to their terms, +reviewing courts shall apply local law that most closely approximates +an absolute waiver of all civil liability in connection with the +Program, unless a warranty or assumption of liability accompanies a +copy of the Program in return for a fee. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +state the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. 
+ + + Copyright (C) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . + +Also add information on how to contact you by electronic and paper mail. + + If the program does terminal interaction, make it output a short +notice like this when it starts in an interactive mode: + + Copyright (C) + This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, your program's commands +might be different; for a GUI interface, you would use an "about box". + + You should also get your employer (if you work as a programmer) or school, +if any, to sign a "copyright disclaimer" for the program, if necessary. +For more information on this, and how to apply and follow the GNU GPL, see +. + + The GNU General Public License does not permit incorporating your program +into proprietary programs. If your program is a subroutine library, you +may consider it more useful to permit linking proprietary applications with +the library. If this is what you want to do, use the GNU Lesser General +Public License instead of this License. But first, please read +. diff --git a/README.md b/README.md index 03e54f9..0335f8b 100644 --- a/README.md +++ b/README.md 
@@ -1,639 +1,284 @@ # Enhances miscellaneous security settings -Note that all the security features seen in this repository may not yet be incorporated into a public Kicksecure/Whonix release. Refer to the [forums](https://forums.kicksecure.com/c/news/5) with accompanying dates to see what is actually included in the most recent release. - ## Kernel hardening This section is inspired by the Kernel Self Protection Project (KSPP). It -attempts to implement all recommended Linux kernel settings by the KSPP and -many more sources. +implements all recommended Linux kernel settings by the KSPP and many +more. -- https://kspp.github.io/Recommended_Settings -- https://github.com/KSPP/kspp.github.io +* https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project ### sysctl -sysctl settings are configured via the `/usr/lib/sysctl.d/990-security-misc.conf` -configuration file and significant hardening is applied to a myriad of components. +sysctl settings are configured via the `/etc/sysctl.d/30_security-misc.conf` +configuration file. -#### Kernel space +* A kernel pointer points to a specific location in kernel memory. These +can be very useful in exploiting the kernel so they are restricted to `CAP_SYSLOG`. -- Restrict access to kernel addresses through the use of kernel pointers regardless - of user privileges. +* The kernel logs are restricted to `CAP_SYSLOG` as they can often leak sensitive +information such as kernel pointers. -- Restrict access to the kernel logs to `CAP_SYSLOG` as they often contain - sensitive information. +* The `ptrace()` system call is restricted to `CAP_SYS_PTRACE`. -- Prevent kernel information leaks in the console during boot. +* eBPF is restricted to `CAP_BPF` (`CAP_SYS_ADMIN` on kernel versions prior +to 5.8) and JIT hardening techniques such as constant blinding are enabled. -- Restrict usage of `bpf()` to `CAP_BPF` to prevent the loading of BPF programs - by unprivileged users. 
+* Restricts performance events to `CAP_PERFMON` (`CAP_SYS_ADMIN` on kernel +versions prior to 5.8). -- Restrict loading TTY line disciplines to `CAP_SYS_MODULE`. +* Restricts loading line disciplines to `CAP_SYS_MODULE` to prevent unprivileged +attackers from loading vulnerable line disciplines with the `TIOCSETD` ioctl which +has been abused in a number of exploits before. -- Restrict the `userfaultfd()` syscall to `CAP_SYS_PTRACE`, which reduces the - likelihood of use-after-free exploits. +* Restricts the `userfaultfd()` syscall to `CAP_SYS_PTRACE` as `userfaultfd()` is +often abused to exploit use-after-free flaws. -- Disable `kexec` as it can be used to replace the running kernel. +* Kexec is disabled as it can be used to load a malicious kernel and gain +arbitrary code execution in kernel mode. -- Entirely disable the SysRq key so that the Secure Attention Key (SAK) - can no longer be utilized. See [documentation](https://www.kicksecure.com/wiki/SysRq). +* The bits of entropy used for mmap ASLR are increased, therefore improving +its effectiveness. -- Optional - Disable all use of user namespaces. +* Prevents unintentional writes to attacker-controlled files. -- Optional - Restrict user namespaces to `CAP_SYS_ADMIN` as they can lead to substantial - privilege escalation. +* Prevents common symlink and hardlink TOCTOU races. -- Restrict kernel profiling and the performance events system to `CAP_PERFMON`. +* Restricts the SysRq key so it can only be used for shutdowns and the +Secure Attention Key. -- Force the kernel to immediately panic on both "oopses" (which can potentially indicate - and thwart certain kernel exploitation attempts) and kernel warnings in the `WARN()` path. +* The kernel is only allowed to swap if it is absolutely necessary. This +prevents writing potentially sensitive contents of memory to disk. 
-- Force immediate system reboot on the occurrence of a single kernel panic, reducing the - risk and impact of denial-of-service attacks and both cold and warm boot attacks. - -- Optional - Force immediate kernel panic on OOM (out of memory) which with the above setting - will force an immediate system reboot as opposed to placing any reliance on the oom_killer - to avoid arbitrarily terminating security features based on their OOM score. Note this - creates the risk of userspace-based denial-of-service attacks that maliciously fill memory. - -- Optional - Force immediate kernel panics upon receiving NMIs (Non-Maskable Interrupts) - triggered by serious hardware-level I/O issues, uncorrectable memory and hardware errors, - and undefined or unknown sources in order to prevent data corruption. - -- Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. - -- Disable asynchronous I/O as `io_uring` has been the source of numerous kernel exploits. - -- Disable 32-bit vDSO mappings as they are a legacy compatibility feature. - -#### User space - -- Disable the usage of `ptrace()` by all processes as it enables programs to inspect - and modify other active processes. - -- Maximize the bits of entropy used for mmap ASLR across all CPU architectures. - -- Prevent hardlink and symlink TOCTOU races in world-writable directories. - -- Disallow unintentional writes to files in world-writable directories unless - they are owned by the directory owner to mitigate some data spoofing attacks. - -- Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap. - -- Raise the minimum address a process can request for memory mapping to 64KB to - protect against kernel null pointer dereference vulnerabilities. - -- Increase the maximum number of memory map areas a process is able to utilize to 1,048,576. 
- -- Optional - Disallow registering interpreters for various (miscellaneous) binary formats based - on a magic number or their file extension to prevent unintended code execution. - See issue: https://github.com/Kicksecure/security-misc/issues/267 - -#### Core dumps - -- Disable core dump files and prevent their creation. If core dump files are - enabled, they will be named based on `core.PID` instead of the default `core`. - -#### Swap space - -- Limit the copying of potentially sensitive content in memory to the swap device. - -#### Networking - -- Enable hardening of the BPF JIT compiler to protect against JIT spraying. - -- Enable TCP SYN cookie protection to assist against SYN flood attacks. - -- Protect against TCP time-wait assassination hazards. - -- Enable reverse path filtering (source validation) of packets received - from all interfaces to prevent IP spoofing. - -- Disable ICMP redirect acceptance and redirect sending messages to prevent - man-in-the-middle attacks and minimize information disclosure. - -- Deny sending and receiving shared media redirects to reduce the risk of IP - spoofing attacks. - -- Enable ARP filtering to mitigate some ARP spoofing and ARP cache poisoning attacks. - -- Respond to ARP requests only if the target IP address is on-link, - preventing some IP spoofing attacks. - -- Drop gratuitous ARP packets to prevent ARP cache poisoning via - man-in-the-middle and denial-of-service attacks. - -- Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks. - -- Ignore bogus ICMP error responses. - -- Disable source routing which allows users to redirect network traffic that - can result in man-in-the-middle attacks. - -- Do not accept IPv6 router advertisements (RAs) and solicitations which can result - in both man-in-the-middle and denial-of-service attacks. - -- Optional - Disable SACK and DSACK as they have historically been a known - vector for exploitation. 
- -- Disable TCP timestamps as they can allow detecting the system time. - -- Disable reuse of `TIME_WAIT` sockets for new outgoing connections as the above - setting disables TCP timestamps. - -- Log packets with impossible source or destination addresses to enable further - inspection and analysis. - -- Optional - Enable IPv6 Privacy Extensions. - -- Documentation: https://www.kicksecure.com/wiki/Networking +* TCP timestamps are disabled as it can allow detecting the system time. ### Boot parameters -Mitigations for known CPU vulnerabilities are enabled in their strictest form -and simultaneous multithreading (SMT) is disabled. See the -`/etc/default/grub.d/40_cpu_mitigations.cfg` configuration file. - -Importantly, we do not rely on the use of the already enabled-by-default `mitigations=auto` -kernel boot parameter to perform CPU mitigations like many other distributions. This is -because its use is both totally redundant and it does not apply all hardening settings -to their strictest possible levels. See issue: -https://github.com/Kicksecure/security-misc/issues/199#issuecomment-3327391859. - -Note, to achieve complete protection for known CPU vulnerabilities, the latest -security microcode (BIOS/UEFI) updates must be installed on the system. Furthermore, -if using Secure Boot, the Secure Boot Forbidden Signature Database (DBX) must be kept -up to date through [UEFI Revocation List](https://github.com/microsoft/secureboot_objects) updates. 
- -CPU mitigations: - -- Disable Simultaneous Multithreading (SMT) - -- Spectre Side Channels (BTI and BHI) - -- Meltdown - -- Speculative Store Bypass (SSB) - -- L1 Terminal Fault (L1TF) - -- Microarchitectural Data Sampling (MDS) - -- TSX Asynchronous Abort (TAA) - -- iTLB Multihit - -- Special Register Buffer Data Sampling (SRBDS) - -- L1D Flushing - -- Processor MMIO Stale Data - -- Arbitrary Speculative Code Execution with Return Instructions (Retbleed) - -- Cross-Thread Return Address Predictions - -- Speculative Return Stack Overflow (SRSO) - -- Gather Data Sampling (GDS) - -- Register File Data Sampling (RFDS) - -- Indirect Target Selection (ITS) - -- VMScape - -Boot parameters relating to kernel hardening, DMA mitigations, and entropy -generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg` +Boot parameters are configured via the `/etc/modprobe.d/30_security-misc.conf` configuration file. -Kernel space: +* Slab merging is disabled which significantly increases the difficulty of +heap exploitation by preventing overwriting objects from merged caches and +by making it harder to influence slab cache layout. -- Disable merging of slabs with similar size, which reduces the risk of - triggering heap overflows and limits influencing slab cache layout. +* Sanity checks are enabled which add various checks to prevent corruption +in certain slab operations. -- Enable sanity checks and red zoning via slab debugging. This will implicitly - disable kernel pointer hashing, leaking very sensitive information to root. - Re-enabling hashed pointers will be possible when using Linux kernel >= 6.17. - https://github.com/Kicksecure/security-misc/issues/253 +* Redzoning is enabled which adds extra areas around slabs that detect when +a slab is overwritten past its real size which can help detect overflows. 
-- Enable memory zeroing at both allocation and free time, which mitigates some - use-after-free vulnerabilities by erasing sensitive information in memory. +* Memory zeroing at allocation and free time is enabled to mitigate some +use-after-free vulnerabilities and erase sensitive information in memory. -- Enable the kernel page allocator to randomize free lists to limit some data - exfiltration and ROP attacks, especially during the early boot process. +* Page allocator freelist randomization is enabled. -- Enable kernel page table isolation on x86_64 and ARM64 CPUs to increase - KASLR effectiveness and also mitigate the Meltdown CPU vulnerability. +* The machine check tolerance level is decreased which makes the kernel panic +on uncorrectable errors in ECC memory that could be exploited. -- Enable randomization of the kernel stack offset on syscall entries to harden - against memory corruption attacks. +* Kernel Page Table Isolation is enabled to mitigate Meltdown and increase +KASLR effectiveness. -- Disable vsyscalls as they are vulnerable to ROP attacks and have now been - replaced by vDSO. +* vsyscalls are disabled as they are obsolete, are at fixed addresses and thus, +are a potential target for ROP. -- Restrict access to debugfs by not registering the file system since it can - contain sensitive information. +* The kernel panics on oopses to thwart certain kernel exploits. -- Force the kernel to immediately panic on both "oopses" (which can potentially indicate - and thwart certain kernel exploitation attempts) and kernel warnings in the `WARN()` path. +* All mitigations for known CPU vulnerabilities are enabled and SMT is +disabled. -- Force immediate system reboot on the occurrence of a single kernel panic, reducing the - risk and impact of denial-of-service attacks and both cold and warm boot attacks. +* IOMMU is enabled to prevent DMA attacks. -- Optional - Force the kernel to immediately panic if it becomes tainted. 
Some reasons include - upon using out of specification hardware, bad page states, ACPI tables being overridden, - severe firmware bugs, in-kernel tests run, or mutating fwctl debug operations. It can also - include the loading of proprietary or out-of-tree modules. +### Blacklisted kernel modules -- Prevent sensitive kernel information leaks in the console during boot. +Certain kernel modules are blacklisted to reduce attack surface via the +`/etc/modprobe.d/30_security-misc.conf` configuration file. -- Enable the kernel Electric-Fence sampling-based memory safety error detector - which can identify heap out-of-bounds access, use-after-free, and invalid-free errors. +* Deactivates Netfilter's connection tracking helper — this module +increases kernel attack surface by enabling superfluous functionality +such as IRC parsing in the kernel. Hence, this feature is disabled. -- Disable 32-bit vDSO mappings as they are a legacy compatibility feature. +* Uncommon network protocols are blacklisted. This includes: -- Use kCFI as the default CFI implementation as it is more resilient to attacks that are - able to write arbitrary executables into memory omitting the necessary hash validation. + DCCP - Datagram Congestion Control Protocol -- Disable support for all 32-bit x86 processes and syscalls to reduce attack surface. + SCTP - Stream Control Transmission Protocol -- Disable the EFI persistent storage feature which prevents the kernel from writing crash logs - and other persistent data to either the UEFI variable storage or ACPI ERST backends. + RDS - Reliable Datagram Sockets -- Optional - On compatible AMD CPUs enable Secure Memory Encryption (SME) to protect against - cold boot attacks and Secure Encrypted Virtualization (SEV) for further guest memory isolation. 
+ TIPC - Transparent Inter-process Communication -- Prevent runaway privileged processes from writing to block devices that are mounted by - filesystems to protect against filesystem corruption and kernel crashes. + HDLC - High-Level Data Link Control -- Restrict processes from modifying their own memory mappings unless actively done via - `ptrace()` in order to limit self-modification which can trigger exploits. + AX25 - Amateur X.25 -Direct memory access: + NetRom -- Enable strict IOMMU translation to protect against some DMA attacks via the use - of both CPU manufacturer-specific drivers and kernel settings. + X25 -- Clear the busmaster bit on all PCI bridges during the EFI hand-off, which disables - DMA before the IOMMU is configured. May cause boot failure on certain hardware. + ROSE -Entropy: + DECnet -- Do not credit the CPU seeds as an entropy source at boot in order to maximize the - absolute quantity of entropy in the combined pool. This is desirable for all - cryptographic operations, to avoid reliance on proprietary RDRAND and RDSEED CPU - instructions for random number generation that have long history of being defective. + Econet -- Do not credit the bootloader seeds as an entropy source at boot to maximize the - absolute quantity of entropy in the combined pool. This is desirable for all - cryptographic operations as seeds passed by the bootloader could be tampered. + af_802154 - IEEE 802.15.4 -- Obtain more entropy at boot from RAM as the runtime memory allocator is - being initialized. + IPX - Internetwork Packet Exchange -- Obtain more entropy at boot from RAM as the runtime memory allocator is being - initialized to maximize the absolute quantity of entropy in the combined pool. + AppleTalk -Networking: + PSNAP - Subnetwork Access Protocol -- Optional - Disable the entire IPv6 stack to reduce attack surface. 
+ p8023 - Novell raw IEEE 802.3 -### mmap ASLR + p8022 - IEEE 802.2 -- The bits of entropy used for mmap ASLR for all CPU architectures are maxed - out via `/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of - `CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX` - that the kernel was built with), therefore improving its effectiveness. + CAN — Controller Area Network -### Kernel Self Protection Project (KSPP) compliance status + ATM -**Summary:** +* Bluetooth is also blacklisted to reduce attack surface. Bluetooth has +a history of security concerns. -`security-misc` is in full compliance with KSPP recommendations wherever feasible. However, -there are a few cases of partial or non-compliance due to technical limitations. +* The Thunderbolt and FireWire kernel modules are blacklisted as they are +often vulnerable to DMA attacks. -* [KSPP Recommended Settings](https://kspp.github.io/Recommended_Settings) +* The vivid kernel module is only required for testing and has been the cause +of multiple vulnerabilities so it is blacklisted. -**Full compliance:** - -More than 30 kernel boot parameters and over 30 sysctl settings are fully aligned with -the KSPP's recommendations. - -**Non-compliance:** - -1. `sysctl user.max_user_namespaces=0` - -Disables user namespaces entirely. Not recommended due to the potential for widespread breakages. - -* [security-misc pull request #263](https://github.com/Kicksecure/security-misc/pull/263) - -2. `sysctl fs.binfmt_misc.status=0` - -Disables the registration of interpreters for miscellaneous binary formats. Currently not -feasible due to compatibility issues with Firefox. - -* [security-misc pull request #249](https://github.com/Kicksecure/security-misc/pull/249) -* [security-misc issue #267](https://github.com/Kicksecure/security-misc/issues/267) - -3. 
Kernel boot parameter `hash_pointers=always` - -Force all exposed pointers to be hashed and must be used in combination with the already enabled -`slab_debug=FZ` kernel boot parameter. Currently is not possible as requires Linux kernel >= 6.17. - -* [security-misc issue #253](https://github.com/Kicksecure/security-misc/issues/253) -* [security-misc pull request #325](https://github.com/Kicksecure/security-misc/pull/325) - -### Kernel Modules - -#### Kernel Module Signature Verification - -Not yet implemented due to issues: - -- https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/64 -- https://github.com/dell/dkms/issues/359 - -See: - -- `/etc/default/grub.d/40_signed_modules.cfg` - -#### Disables the loading of new modules to the kernel after the fact - -Not yet implemented due to issues: - -- https://github.com/Kicksecure/security-misc/pull/152 - -A systemd service dynamically sets the kernel parameter `modules_disabled` to 1, -preventing new modules from being loaded. Since this isn't configured directly -within systemctl, it does not break the loading of legitimate and necessary -modules for the user, like drivers etc., given they are plugged in on startup. - -#### Blacklist and disable kernel modules - -Conntrack: Deactivates Netfilter's connection tracking helper module which -increases kernel attack surface by enabling superfluous functionality such -as IRC parsing in the kernel. See `/etc/modprobe.d/30_security-misc_conntrack.conf`. - -Certain kernel modules are blacklisted by default to reduce attack surface via -`/etc/modprobe.d/30_security-misc_blacklist.conf`. Blacklisting prevents kernel -modules from automatically starting. - -- CD-ROM/DVD: Blacklist modules required for CD-ROM/DVD devices. - -- Miscellaneous: Blacklist an assortment of other modules to prevent them from - automatically loading. 
- -Specific kernel modules are entirely disabled to reduce attack surface via -`/etc/modprobe.d/30_security-misc_disable.conf`. Disabling prohibits kernel -modules from starting. This approach should not be considered comprehensive; -rather, it is a form of badness enumeration. Any potential candidates for future -disabling should first be blacklisted for a suitable amount of time. - -Hardware modules: - -- Optional - Bluetooth: Disabled to reduce attack surface. - -- Optional - CPU MSRs: Disabled as can be abused to access other trust domains - and write to arbitrary memory. - -- FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks. - -- GPS: Disable GPS-related modules such as those required for Global Navigation - Satellite Systems (GNSS). - -- Optional - Intel Management Engine (ME): Provides some disabling of the interface - between the Intel ME and the OS. May lead to breakages in places such as firmware - updates, security, power management, display, and DRM. See discussion: https://github.com/Kicksecure/security-misc/issues/239 - -- Intel Platform Monitoring Technology (PMT) Telemetry: Disable some functionality - of the Intel PMT components. - -- Thunderbolt: Disabled as they are often vulnerable to DMA attacks. - -File system modules: - -- File Systems: Disable uncommon and legacy file systems. - -- Network File Systems: Disable uncommon and legacy network file systems. - -Networking modules: - -- Network Protocols: A wide array of uncommon and legacy network protocols and drivers - are disabled. - -Miscellaneous modules: - -- Amateur Radios: Disabled to reduce attack surface. - -- Floppy Disks: Disabled to reduce attack surface. - -- Framebuffer (fbdev): Disabled as these drivers are well-known to be buggy, cause - kernel panics, and are generally only used by legacy devices. - -- Joysticks: Disabled to reduce attack surface. 
- -- Replaced Modules: Disabled legacy drivers that have been entirely replaced and - superseded by newer drivers. - -- RNDIS - Disabled as believed to have unfixable buffer overflow issues. - -- Optional - USB Video Device Class: Disables the USB-based video streaming driver for - devices like some webcams and digital camcorders. - -- Optional - Vivid: Disabled to reduce attack surface given previous vulnerabilities. +* The MSR kernel module is blacklisted to prevent CPU MSRs from being +abused to write to arbitrary memory. ### Other -- A systemd service clears the System.map file on boot as these contain kernel - pointers. The file is completely overwritten with zeroes to ensure it cannot - be recovered. See: +* A systemd service clears the System.map file on boot as these contain kernel +pointers. The file is completely overwritten with zeroes to ensure it cannot +be recovered. See: `/etc/kernel/postinst.d/30_remove-system-map` -`/usr/lib/systemd/system/remove-system-map.service` +`/lib/systemd/system/remove-system-map.service` `/usr/libexec/security-misc/remove-system.map` -- Coredumps are disabled as they may contain important information such as - encryption keys or passwords. See: +* Coredumps are disabled as they may contain important information such as +encryption keys or passwords. See: `/etc/security/limits.d/30_security-misc.conf` -`/usr/lib/sysctl.d/30_security-misc.conf` +`/etc/sysctl.d/30_security-misc.conf` -`/usr/lib/systemd/coredump.conf.d/30_security-misc.conf` +`/lib/systemd/coredump.conf.d/30_security-misc.conf` -- PStore is disabled as crash logs can contain sensitive system data such as - kernel version, hostname, and users. See: - - `/usr/lib/systemd/pstore.conf.d/30_security-misc.conf` - -- An initramfs hook used to set the sysctl values in `/etc/sysctl.conf` and - `/etc/sysctl.d` before init is executed so sysctl hardening is enabled as - early as possible. 
This was implemented for `initramfs-tools` only because - this is not needed for `dracut` as `dracut` does that by default, at - least on `systemd` enabled systems. Not researched for non-`systemd` systems - by the author of this part of the readme. This is no longer implemented for - `initramfs-tools` as `initramfs-tools` support has been deprecated. +* An initramfs hook sets the sysctl values in `/etc/sysctl.conf` and +`/etc/sysctl.d` before init is executed so sysctl hardening is enabled +as early as possible. ## Network hardening -Not yet implemented due to issues: +* TCP syncookies are enabled to prevent SYN flood attacks. -- https://github.com/Kicksecure/security-misc/pull/145 +* ICMP redirect acceptance, ICMP redirect sending, source routing and +IPv6 router advertisements are disabled to prevent man-in-the-middle attacks. -- https://github.com/Kicksecure/security-misc/issues/184 +* The kernel is configured to ignore all ICMP requests to avoid Smurf attacks, +make the device more difficult to enumerate on the network and prevent clock +fingerprinting through ICMP timestamps. -- Unlike version 4, IPv6 addresses can provide information not only about the - originating network but also the originating device. We prevent this from - happening by enabling the respective privacy extensions for IPv6. +* RFC1337 is enabled to protect against time-wait assassination attacks by +dropping RST packets for sockets in the time-wait state. -- In addition, we deny the capability to track the originating device in the - network at all, by using randomized MAC addresses per connection by - default. 
- -See: - -- `/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf` -- `/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf` -- `/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf` - -## Bluetooth Hardening - -### Bluetooth Status: Enabled but Defaulted to Off - -- **Default Behavior**: Although Bluetooth capability is 'enabled' in the kernel, - security-misc-desktop deviates from the usual behavior by starting with - Bluetooth turned off at system start. This setting remains until the user - explicitly opts to activate Bluetooth. - -- **User Control**: Users have the freedom to easily switch Bluetooth on and off - in the usual way, exercising their own discretion. This can be done via the - Bluetooth toggle through the usual way, that is either through GUI settings - application or command line commands. - -- **Enhanced Privacy Settings**: We enforce more private defaults for Bluetooth - connections. This includes the use of private addresses and strict timeout - settings for discoverability and visibility. - -- **Security Considerations**: Despite these measures, it's important to note that - Bluetooth technology, by its nature, may still be prone to exploits due to its - history of security vulnerabilities. Thus, we recommend users to opt-out of - using Bluetooth when possible. - -### Configuration Details - -- See configuration: `/etc/bluetooth/30_security-misc.conf` -- For more information and discussion: [GitHub Pull Request](https://github.com/Kicksecure/security-misc/pull/145) - -### Understanding Bluetooth Terms - -- **Disabling Bluetooth**: This means the absence of the Bluetooth kernel module. - When disabled, Bluetooth is non-existent in the system - it cannot be seen, set, - configured, or interacted with in any way. - -- **Turning Bluetooth On/Off**: This refers to a software toggle. Normally, on - Debian systems, Bluetooth is 'on' when the system boots up. 
It actively searches - for known devices to auto-connect and may be discoverable or visible under certain - conditions. Our default ensures that Bluetooth is off on startup. However, it - remains 'enabled' in the kernel, meaning the kernel can use the Bluetooth protocol - and has the necessary modules. - -### Quick Toggle Guide - -- **Turning Bluetooth On**: Simply click the Bluetooth button in the settings - application or on the tray, and switch the toggle. It's a straightforward action - that can be completed in less than a second. - -- **Turning Bluetooth Off**: Follow the same procedure as turning it on but switch - the toggle to the off position. +* Reverse path filtering is enabled to prevent IP spoofing and mitigate +vulnerabilities such as CVE-2019-14899. ## Entropy collection improvements -- The `jitterentropy_rng` kernel module is loaded as early as possible during - boot to gather more entropy via the - `/usr/lib/modules-load.d/30_security-misc.conf` configuration file. +* The `jitterentropy_rng` kernel module is loaded as early as possible +during boot to gather more entropy via the +`/usr/lib/modules-load.d/30_security-misc.conf` configuration file. -- Distrusts the CPU for initial entropy at boot as it is not possible to - audit, may contain weaknesses or a backdoor. Similarly, do not credit the - bootloader seed for initial entropy. For references, see: - `/etc/default/grub.d/40_kernel_hardening.cfg` +* Distrusts the CPU for initial entropy at boot as it is not possible to +audit, may contain weaknesses or a backdoor. For references, see: +`/etc/default/grub.d/40_distrust_cpu.cfg` -- Gathers more entropy during boot if using the linux-hardened kernel patch. +* Gathers more entropy during boot if using the linux-hardened kernel patch. ## Restrictive mount options -A systemd service is triggered on boot to remount all sensitive partitions and -directories with significantly more secure hardened mount options. 
Since this -would require manual tuning for a given specific system, we handle it by -creating a very solid configuration file for that very system on package -installation. - Not enabled by default yet. In development. Help welcome. -- https://www.kicksecure.com/wiki/Dev/remount-secure -- https://github.com/Kicksecure/security-misc/issues/157 -- https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/ +https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/ + +`/home`, `/tmp`, `/dev/shm` and `/run` are remounted with the `nosuid` and `nodev` +mount options to prevent execution of setuid or setgid binaries and creation of +devices on those filesystems. + +Optionally, they can also be mounted with `noexec` to prevent execution of any +binary. To opt-in to applying `noexec`, execute `touch /etc/noexec` as root +and reboot. + +To disable this, execute `touch /etc/remount-disable` as root. + +Alternatively, file `/usr/local/etc/remount-disable` or `/usr/local/etc/noexec` +could be used. ## Root access restrictions -- `su` is restricted to only users within the group `sudo` which prevents - users from using `su` to gain root access or to switch user accounts - - `/usr/share/pam-configs/wheel-security-misc` (which results in a change in - file `/etc/pam.d/common-auth`). +* `su` is restricted to only users within the group `sudo` which prevents +users from using `su` to gain root access or to switch user accounts — +`/usr/share/pam-configs/wheel-security-misc` +(which results in a change in file `/etc/pam.d/common-auth`). -- Add user `root` to group `sudo`. This is required due to the above - restriction so that logging in from a virtual console is still possible - - `debian/security-misc.postinst` +* Add user `root` to group `sudo`. 
This is required due to the above restriction so +that logging in from a virtual console is still possible — `debian/security-misc.postinst` -- Abort login for users with locked passwords - - `/usr/libexec/security-misc/pam-abort-on-locked-password`. +* Abort login for users with locked passwords — +`/usr/libexec/security-misc/pam-abort-on-locked-password`. -- Logging into the root account from a virtual, serial, or other console is - prevented by shipping an existing and empty `/etc/securetty` file (deletion - of `/etc/securetty` has a different effect). +* Logging into the root account from a virtual, serial, whatnot console is +prevented by shipping an existing and empty `/etc/securetty` file +(deletion of `/etc/securetty` has a different effect). -This package does not yet automatically lock the root account password. It is -not clear if this would be sane in such a package, although it is recommended to -lock and expire the root account. +This package does not yet automatically lock the root account password. It +is not clear if this would be sane in such a package although, it is recommended +to lock and expire the root account. -In new Kicksecure builds, the root account will be locked by package +In new Whonix builds, root account will be locked by package dist-base-files. See: -- https://www.kicksecure.com/wiki/Root -- https://www.kicksecure.com/wiki/Dev/Permissions -- https://forums.whonix.org/t/restrict-root-access/7658 +* https://www.whonix.org/wiki/Root +* https://www.whonix.org/wiki/Dev/Permissions +* https://forums.whonix.org/t/restrict-root-access/7658 However, a locked root password will break rescue and emergency shell. -Therefore, this package enables passwordless rescue and emergency shell. This is -the same solution that Debian will likely adopt for the Debian installer: -https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211 +Therefore, this package enables passwordless rescue and emergency shell. 
+This is the same solution that Debian will likely adapt for Debian +installer: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211 See: -- `/etc/systemd/system/emergency.service.d/override.conf` -- `/etc/systemd/system/rescue.service.d/override.conf` +* `/etc/systemd/system/emergency.service.d/override.conf` +* `/etc/systemd/system/rescue.service.d/override.conf` -Adverse security effects can be prevented by setting up [BIOS Password](https://www.kicksecure.com/wiki/Protection_Against_Physical_Attacks#BIOS_Password) -protection, [Bootloader Password](https://www.kicksecure.com/wiki/Protection_Against_Physical_Attacks#Bootloader_Password) protection, and/or [Full Disk Encryption (FDE)](https://www.kicksecure.com/wiki/Full_Disk_Encryption). +Adverse security effects can be prevented by setting up BIOS password +protection, GRUB password protection and/or full disk encryption. ## Console lockdown -This uses pam_access to allow members of group `console` to use the console but +This uses pam_access to allow members of group `console` to use console but restrict everyone else (except members of group `console-unrestricted`) from -using the console with ancient, unpopular login methods such as `/bin/login` over -networks as this might be exploitable. (CVE-2001-0797) +using console with ancient, unpopular login methods such as `/bin/login` +over networks as this might be exploitable. (CVE-2001-0797) -This is not enabled by default in this package since this package does not know -which users should be added to group 'console' and thus, would break console access. +This is not enabled by default in this package since this package does not +know which users shall be added to group 'console' and thus, would break console. See: -- `/usr/share/pam-configs/console-lockdown-security-misc` -- `/etc/security/access-security-misc.conf` +* `/usr/share/pam-configs/console-lockdown-security-misc` +* `/etc/security/access-security-misc.conf` ## Brute force attack protection 
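Review bot: In the "Restrictive mount options" part of this hunk, the added text keeps "Not enabled by default yet. In development." and then states as fact that `/home`, `/tmp`, `/dev/shm` and `/run` are remounted with `nosuid` and `nodev`, so a reader cannot tell whether the remount is active on a default install. State explicitly whether the remount runs by default, and what `touch /etc/remount-disable` switches off. The phrase "prevent execution of setuid or setgid binaries" also overstates `nosuid`: such binaries still run, only their setuid/setgid bits are ignored. Two wording points in the same hunk: "will likely adapt for Debian installer" should read "adopt", as the removed line had it, and "virtual, serial, whatnot console" is vaguer than the removed "virtual, serial, or other console".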
@@ -641,110 +286,56 @@ User accounts are locked after 50 failed login attempts using `pam_faillock`. Informational output during Linux PAM: -- Show failed and remaining password attempts. -- Document unlock procedure if Linux user account got locked. -- Point out that there is no password feedback for `su`. -- Explain locked root account if locked. +* Show failed and remaining password attempts. +* Document unlock procedure if Linux user account got locked. +* Point out that there is no password feedback for `su`. +* Explain locked root account if locked. See: -- `/usr/share/pam-configs/tally2-security-misc` -- `/usr/libexec/security-misc/pam-info` -- `/usr/libexec/security-misc/pam-abort-on-locked-password` +* `/usr/share/pam-configs/tally2-security-misc` +* `/usr/libexec/security-misc/pam-info` +* `/usr/libexec/security-misc/pam-abort-on-locked-password` ## Access rights restrictions ### Strong user account separation -#### Permission Lockdown - -Read, write, and execute access for "others" are removed during package -installation, upgrade, or PAM `mkhomedir` for all users who have home folders in -`/home` by running, for example: +Read, write and execute access for "others" are removed during package +installation, upgrade or PAM `mkhomedir` for all users who have home +folders in `/home` by running, for example: ``` chmod o-rwx /home/user ``` -This will be done only once per folder in `/home` so users who wish to relax -file permissions are free to do so. This is to protect files in a home folder -that were previously created with lax file permissions prior to the installation -of this package. +This will be done only once per folder in `/home` so users who wish to +relax file permissions are free to do so. This is to protect files in a +home folder that were previously created with lax file permissions prior +to the installation of this package. 
See: -- `debian/security-misc.postinst` -- `/usr/libexec/security-misc/permission-lockdown` -- `/usr/share/pam-configs/mkhomedir-security-misc` - -#### umask - -The default `umask` is set to `027` for files created by non-root users, such -as the account `user`. - -This is done using the PAM module `pam_mkhomedir.so umask=027`. - -This configuration ensures that files created by non-root users cannot be read -by other non-root users by default. While Permission Lockdown already protects -the `/home` folder, this setting extends protection to other folders such as -`/tmp`. - -`group` read permissions are not removed. This is unnecessary due to Debian's -use of User Private Groups (UPGs). See also: -https://wiki.debian.org/UserPrivateGroups - -The default `umask` is unchanged for root because configuration files created -in `/etc` by the system administrator would otherwise be unreadable by -"others," potentially breaking applications. Examples include `/etc/firefox-esr` -and `/etc/thunderbird`. Additionally, the `umask` is set to `022` via `sudoers` -configuration, ensuring that files created as root are world-readable, even -when using commands such as `sudo vi /etc/file` or `sudo -i; touch /etc/file`. - -When using `sudo`, the `umask` is set to `022` rather than `027` to ensure -compatibility with commands such as `sudo vi /etc/configfile` and -`sudo -i; touch /etc/file`. - -See: - -- `/usr/share/pam-configs/umask-security-misc` +* `debian/security-misc.postinst` +* `/usr/libexec/security-misc/permission-lockdown` +* `/usr/share/pam-configs/mkhomedir-security-misc` ### SUID / SGID removal and permission hardening -#### SUID / SGID removal +Not enabled by default yet. -A systemd service removes SUID / SGID bits from non-essential binaries as these -are often used in privilege escalation attacks. - -#### File permission hardening - -Various file permissions are reset with more secure and hardened defaults. 
These -include but are not limited to: - -- Limiting `/home` and `/root` to the root only. -- Limiting crontab to root as well as all the configuration files for cron. -- Limiting the configuration for cups and ssh. -- Protecting the information of sudoers from others. -- Protecting various system-relevant files and modules. - -##### permission-hardener - -`permission-hardener` removes SUID / SGID bits from non-essential binaries as -these are often used in privilege escalation attacks. It is enabled by default -and applied at security-misc package installation and upgrade time. - -There is also an optional systemd unit which does the same at boot time that -can be enabled by running `systemctl enable permission-hardener.service` as -root. The hardening at boot time is not the default because this slows down -the boot process too much. +A systemd service removes SUID / SGID bits from non-essential binaries as +these are often used in privilege escalation attacks. It is disabled by +default for now during testing and can optionally be enabled by running +`systemctl enable permission-hardening.service` as root. See: -* `/usr/bin/permission-hardener` -* `debian/security-misc.postinst` -* `/lib/systemd/system/permission-hardener.service` -* `/etc/permission-hardener.d` +* `/usr/libexec/security-misc/permission-hardening` +* `/lib/systemd/system/permission-hardening.service` +* `/etc/permission-hardening.d` * https://forums.whonix.org/t/disable-suid-binaries/7706 -* https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener +* https://www.whonix.org/wiki/SUID_Disabler_and_Permission_Hardener ### Access rights relaxations 
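Review bot: The "See:" list under "Brute force attack protection" re-adds `/usr/share/pam-configs/tally2-security-misc` while the context line just above says lockout is done with `pam_faillock`, so anyone auditing the PAM stack from this readme will look for the wrong module. Add a short remark that the file name is historical, or name the module that the profile actually loads. In the rewritten "SUID / SGID removal and permission hardening" section the default-off state is stated twice ("Not enabled by default yet." and "It is disabled by default for now during testing"); keep one. The hunk also drops the whole `umask` section together with its reference to `/usr/share/pam-configs/umask-security-misc`; if that profile is still shipped at this revision, its documentation should stay.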
@@ -759,203 +350,93 @@ See: * https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040 * https://forums.whonix.org/t/cannot-use-pkexec/8129 -## Emergency shutdown - -- Forcibly powers off the system if the drive the system booted from is - removed from the system. -- Forcibly powers off the system if a user-configurable "panic key sequence" - is pressed (Ctrl+Alt+Delete by default). -- Forcibly powers off the system if - `sudo /run/emerg-shutdown --instant-shutdown` is called. -- Optional - Forcibly powers off the system if shutdown gets stuck for longer - than a user-configurable number of seconds (30 by default). Requires tuning - by the user to function properly, see notes in - `/etc/security-misc/emerg-shutdown/30_security_misc.conf`. - ## Application-specific hardening -- `sudo`: Enables "`Defaults !fqdn`", which disables attempts to - determine the local machine's FQDN via DNS as this can leak the machine's - hostname in cleartext to the configured DNS server and cause - `sudo unable to resolve host` errors. `security-misc-desktop` only. Not - enabled on `security-misc-server` since there has been no research yet if - this can break server use cases. -- `apt`: Enables "`apt-get --error-on=any`" which makes apt exit non-zero for - transient failures. - `/etc/apt/apt.conf.d/40error-on-any`. -- `apt`: Enables APT seccomp-BPF sandboxing - `/etc/apt/apt.conf.d/40sandbox`. -- `Dolphin`: Deactivates previews in Dolphin. -- `Nautilus`: Deactivates previews in Nautilus - - `/usr/share/glib-2.0/schemas/30_security-misc.gschema.override`. -- `Thunar`: Deactivates thumbnails in Thunar. - - Rationale: lower attack surface when using the file manager - - https://forums.whonix.org/t/disable-preview-in-file-manager-by-default/18904 -- `gnupg`: Security and privacy enhancements for gnupg's config file - `/etc/skel/.gnupg/gpg.conf`. 
See also: - - https://raw.github.com/ioerror/torbirdy/master/gpg.conf - - https://github.com/ioerror/torbirdy/pull/11 -- `SSH client`: Hardens SSH client - `/etc/ssh/ssh_config.d/30_security-misc.conf` -- `SSH server`: Hardens SSH server - `/etc/ssh/sshd_config.d/30_security-misc.conf` -- `flatpak`: Configures flatpak to require authentication for all software installation - and management tasks including updates. Ships - `/usr/share/polkit-1/actions/org.freedesktop.Flatpak.policy.security-misc`, - diverts/hides `/usr/share/polkit-1/rules.d/org.freedesktop.Flatpak.rules`. +* Enables "`apt-get --error-on=any`" which makes apt exit non-zero for + transient failures. — `/etc/apt/apt.conf.d/40error-on-any`. +* Enables APT seccomp-BPF sandboxing — `/etc/apt/apt.conf.d/40sandbox`. +* Deactivates previews in Dolphin. +* Deactivates previews in Nautilus — +`/usr/share/glib-2.0/schemas/30_security-misc.gschema.override`. +* Deactivates thumbnails in Thunar. +* Displays domain names in punycode (`network.IDN_show_punycode`) in +Thunderbird to prevent IDN homograph attacks (a form of phishing). +* Security and privacy enhancements for gnupg's config file +`/etc/skel/.gnupg/gpg.conf`. See also: -### Project scope of application-specific hardening +https://raw.github.com/ioerror/torbirdy/master/gpg.conf -Added in December 2023. - -Before sending pull requests to harden arbitrary applications, please note the -scope of security-misc is limited to default installed applications in -Kicksecure and Whonix. This includes: - -- VLC Media Player, KeePassXC -- Debian Specific System Components (APT, DPKG) -- System Services (NetworkManager IPv6 privacy options, MAC address - randomization) -- Actually used development utilities such as `git`. - -It will not be possible to review and merge "1500" settings profiles for -arbitrary applications outside of this context. 
- -The main objective of security-misc is to harden Kicksecure and its derivatives, -such as Whonix, by implementing robust security settings. It's designed to be -compatible with Debian, reflecting a commitment to clean implementation and -sound design principles. However, it's important to note that security-misc is a -component of Kicksecure, not a substitute for it. The intention isn't to -recreate Kicksecure within security-misc. Instead, specific security -enhancements, like recommending a curated list of security-focused -default packages (e.g., `libpam-tmpdir`), should be integrated directly into -those appropriate areas of Kicksecure (e.g. `kicksecure-meta-packages`). - -Discussion: https://github.com/Kicksecure/security-misc/issues/154 - -### Development philosophy - -Added in December 2023. - -Maintainability is a key priority \[1\]. Before modifying settings in the -downstream security-misc, it's essential to first engage with upstream -developers to propose these changes as defaults. This step should only be -bypassed if there's a clear, prior indication from upstream that such changes -won't be accepted. Additionally, before implementing any workarounds, consulting -with upstream is necessary to avoid future unmaintainable complexity. - -If debugging features are disabled, pull requests won't be merged until there is -a corresponding pull request for the debug-misc package to re-enable these. This -is to avoid configuring the system into a corner where it can no longer be -debugged. - -\[1\] https://www.kicksecure.com/wiki/Dev/maintainability +https://github.com/ioerror/torbirdy/pull/11 ## Opt-in hardening Some hardening is opt-in as it causes too much breakage to be enabled by default. -- An optional systemd service mounts `/proc` with `hidepid=2` at boot to - prevent users from seeing another user's processes. This is disabled by - default because it is incompatible with `pkexec`. 
It can be enabled by - executing `systemctl enable proc-hidepid.service` as root. +* TCP SACK can be disabled as it is commonly exploited and is rarely used by +uncommenting settings in the `/etc/sysctl.d/30_security-misc.conf` +configuration file. -- A systemd service restricts `/proc/cpuinfo`, `/proc/bus`, `/proc/scsi`, and - `/sys` to the root user. This hides a lot of hardware identifiers from - unprivileged users and increases security as `/sys` exposes a lot of - information that shouldn't be accessible to unprivileged users. As this will - break many things, it is disabled by default and can optionally be enabled - by executing `systemctl enable hide-hardware-info.service` as root. +* An optional systemd service mounts `/proc` with `hidepid=2` at boot to +prevent users from seeing another user's processes. This is disabled by +default because it is incompatible with `pkexec`. It can be enabled by +executing `systemctl enable proc-hidepid.service` as root. -## Miscellaneous +* A systemd service restricts `/proc/cpuinfo`, `/proc/bus`, `/proc/scsi` and +`/sys` to the root user. This hides a lot of hardware identifiers from +unprivileged users and increases security as `/sys` exposes a lot of +information that shouldn't be accessible to unprivileged users. As this will +break many things, it is disabled by default and can optionally be enabled by +executing `systemctl enable hide-hardware-info.service` as root. 
-- Hardened malloc compatibility for haveged workaround - `/lib/systemd/system/haveged.service.d/30_security-misc.conf` +## miscellaneous -- Set `dracut` `reproducible=yes` setting +* hardened malloc compatibility for haveged workaround +`/lib/systemd/system/haveged.service.d/30_security-misc.conf` -## Legal - -`/usr/lib/issue.d/20_security-misc.issue` - -https://github.com/Kicksecure/security-misc/pull/167 - -## Package split - -The `security-misc` source code repository builds three different software packages: - -* `security-misc-shared` -* `security-misc-desktop` -* `security-misc-server` - -The guiding principle has been: if there are no adverse effects, or if it is unclear whether a file belongs in the `desktop` or `server` package, then it will be placed in the `shared` package. - -The hash symbol ("`#`") is used as a separator character. - -Some clear examples where files belong only in `security-misc-desktop`: - -* `/usr/lib/NetworkManager/conf.d/80_ipv6-privacy#security-misc-desktop.conf` -* `/usr/lib/NetworkManager/conf.d/80_randomize-mac#security-misc-desktop.conf` -* `./usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf#security-misc-desktop` - -This is because enabling IPv6 privacy extensions or MAC randomization on a server will not increase privacy but instead carries a high risk of breaking connectivity. - -A less clear example is `/etc/bluetooth/30_security-misc.conf#security-misc-desktop`. Also refer to the above chapter "Bluetooth Hardening". A server usually doesn't have Bluetooth, so on a server it may instead be useful to fully disable Bluetooth. - -Some clear examples where files belong only in `security-misc-shared`: - -`/etc/profile.d/30_security-misc.sh#security-misc-shared` indeed belongs in `security-misc-shared` and not `security-misc-desktop`. For the reason, see below. 
- -Other considerations have been: - -* Just because it's a server, it does not follow that there is no GUI (graphical user interface) desktop environment. -* Just because it's a desktop computer, it doesn't mean it's a GUI and not a CLI (command line interface). -* Therefore, the split is between `security-misc-desktop` and `security-misc-server`. -* Therefore, the split is not between `security-misc-gui` and `security-misc-cli`. - -\[1\] https://github.com/Kicksecure/security-misc/issues/187 +* set `dracut` `reproducible=yes` setting ## Related -- Linux Kernel Runtime Guard (LKRG) -- tirdad - TCP ISN CPU Information Leak Protection. -- Kicksecure (TM) - a security-hardened Linux Distribution -- And more. -- https://www.kicksecure.com/wiki/Linux_Kernel_Runtime_Guard_LKRG -- https://github.com/Kicksecure/tirdad -- https://www.kicksecure.com -- https://github.com/Kicksecure +* Linux Kernel Runtime Guard (LKRG) +* tirdad - TCP ISN CPU Information Leak Protection. +* Whonix ™ - Anonymous Operating System +* Kicksecure ™ - A Security-hardened, Non-anonymous Linux Distribution +* And more. +* https://www.whonix.org/wiki/Linux_Kernel_Runtime_Guard_LKRG +* https://github.com/Whonix/tirdad +* https://www.whonix.org +* https://www.whonix.org/wiki/Kicksecure +* https://github.com/Whonix ## Discussion -Happening primarily in forums. +Happening primarily in Whonix forums. https://forums.whonix.org/t/kernel-hardening/7296 ## How to install `security-misc` -See https://www.kicksecure.com/wiki/Security-misc#install +See https://www.whonix.org/wiki/Security-misc#install ## How to Build deb Package from Source Code -Can be built using standard Debian package build tools such as: +Can be build using standard Debian package build tools such as: - dpkg-buildpackage -b +``` +dpkg-buildpackage -b +``` -See instructions. (Replace `generic-package` with the actual name of this -package `security-misc`.) +See instructions. 
(Replace `generic-package` with the actual name of this package `security-misc`.) -- **A)** - [easy](https://www.kicksecure.com/wiki/Dev/Build_Documentation/generic-package/easy), - *OR* -- **B)** [including verifying software - signatures](https://www.kicksecure.com/wiki/Dev/Build_Documentation/generic-package) +* **A)** [easy](https://www.whonix.org/wiki/Dev/Build_Documentation/generic-package/easy), _OR_ +* **B)** [including verifying software signatures](https://www.whonix.org/wiki/Dev/Build_Documentation/generic-package) ## Contact -- [Free Forum Support](https://forums.kicksecure.com) -- [Professional Support](https://www.kicksecure.com/wiki/Professional_Support) +* [Free Forum Support](https://forums.whonix.org) +* [Professional Support](https://www.whonix.org/wiki/Professional_Support) ## Donate -`security-misc` requires [donations](https://www.kicksecure.com/wiki/Donate) to -stay alive! +`security-misc` requires [donations](https://www.whonix.org/wiki/Donate) to stay alive! diff --git a/README_generic.md b/README_generic.md index 70edaf0..3c3ac48 100644 --- a/README_generic.md +++ b/README_generic.md 
@@ -1,36 +1,33 @@ # Enhances Miscellaneous Security Settings # -https://github.com/Kicksecure/security-misc/blob/master/README.md +https://github.com/Whonix/security-misc/blob/master/README.md -https://www.kicksecure.com/wiki/Security-misc - -Package security-misc-desktop and/or security-misc-server may also be useful. +https://www.whonix.org/wiki/Security-misc Discussion: Happening primarily in Whonix forums. -https://forums.whonix.org/t/kernel-hardening-security-misc/7296 - +https://forums.whonix.org/t/kernel-hardening/7296 ## How to install `security-misc` using apt-get ## -1\. Download the APT Signing Key. +1\. Download Whonix's Signing Key. ``` -wget https://www.kicksecure.com/keys/derivative.asc +wget https://www.whonix.org/patrick.asc ``` -Users can [check the Signing Key](https://www.kicksecure.com/wiki/Signing_Key) for better security. +Users can [check Whonix Signing Key](https://www.whonix.org/wiki/Whonix_Signing_Key) for better security. -2\. Add the APT Signing Key. +2\. Add Whonix's signing key. ``` -sudo cp ~/derivative.asc /usr/share/keyrings/derivative.asc +sudo apt-key --keyring /etc/apt/trusted.gpg.d/derivative.gpg add ~/patrick.asc ``` -3\. Add the derivative repository. +3\. Add Whonix's APT repository. ``` -echo "deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.kicksecure.com trixie main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list +echo "deb https://deb.whonix.org bullseye main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list ``` 4\. Update your package lists. 
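Review bot: Steps 2 and 3 widen the trust given to the signing key: `sudo apt-key --keyring /etc/apt/trusted.gpg.d/derivative.gpg add ~/patrick.asc` places the key where APT trusts it for every configured source, and the new `deb https://deb.whonix.org bullseye ...` line no longer carries `[signed-by=...]`, so the key is not scoped to this repository. `apt-key` is also deprecated. Prefer keeping the key in its own file under `/usr/share/keyrings/` and referencing it with `signed-by` on the `deb` line, as the removed lines did. Separately, step 1 runs `wget` in the current directory while step 2 reads `~/patrick.asc`; that only matches when the user is in their home directory, so either say so or use the same path in both steps.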
@@ -53,18 +50,16 @@ Can be build using standard Debian package build tools such as: dpkg-buildpackage -b ``` -See instructions. +See instructions. (Replace `generic-package` with the actual name of this package `security-misc`.) -NOTE: Replace `generic-package` with the actual name of this package `security-misc`. - -* **A)** [easy](https://www.kicksecure.com/wiki/Dev/Build_Documentation/generic-package/easy), _OR_ -* **B)** [including verifying software signatures](https://www.kicksecure.com/wiki/Dev/Build_Documentation/generic-package) +* **A)** [easy](https://www.whonix.org/wiki/Dev/Build_Documentation/generic-package/easy), _OR_ +* **B)** [including verifying software signatures](https://www.whonix.org/wiki/Dev/Build_Documentation/generic-package) ## Contact ## -* [Free Forum Support](https://forums.kicksecure.com) -* [Premium Support](https://www.kicksecure.com/wiki/Premium_Support) +* [Free Forum Support](https://forums.whonix.org) +* [Professional Support](https://www.whonix.org/wiki/Professional_Support) ## Donate ## -`security-misc` requires [donations](https://www.kicksecure.com/wiki/Donate) to stay alive! +`security-misc` requires [donations](https://www.whonix.org/wiki/Donate) to stay alive! diff --git a/changelog.upstream b/changelog.upstream index 60e21fa..0c142c5 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,11935 +1,3 @@ -commit cbd91974b162cec0144804190f807976ee2788e5 -Author: Patrick Schleizer -Date: Sun Jan 11 10:51:46 2026 -0500 - - typo - -commit a0fd435751e666b72b59afb6658e41ba21e892b4 -Author: Patrick Schleizer -Date: Sun Jan 11 07:09:36 2026 -0500 - - readme - -commit 6c4e7458a10c3a262ecfc0c2f53d1b6181b80ddf -Author: Patrick Schleizer -Date: Mon Jan 5 10:28:53 2026 +0000 - - bumped changelog version - -commit 74533a7efab3f740028d04330752ce18b92dc8fa -Merge: 8a132749 84408cb1 -Author: Patrick Schleizer -Date: Mon Jan 5 03:09:53 2026 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 84408cb1a5228355526815814d2e01ce8d40a175 -Merge: 8a132749 52ef679c -Author: Patrick Schleizer -Date: Mon Jan 5 03:05:02 2026 -0500 - - Merge pull request #345 from Nurmagoz/patch-1 - - debian/control URL fix - -commit 8a132749e0976803173c416cd5f8d4879b7dee3f -Author: Patrick Schleizer -Date: Thu Jan 1 17:28:25 2026 +0000 - - bumped changelog version - -commit e2d31a5b818342037a54e5c3a71ef92df95b9a32 -Author: Patrick Schleizer -Date: Thu Jan 1 12:28:03 2026 -0500 - - genmkfile debinstfile - -commit 6e15c683ab4a682a8ed652559632d7d1e93963c4 -Merge: 97640a9b 436308ae -Author: Patrick Schleizer -Date: Thu Jan 1 12:01:19 2026 -0500 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie' - -commit 52ef679c2cd95548e1f0edf48283f0ea5e3a444c -Author: Nurmagoz <11895339+Nurmagoz@users.noreply.github.com> -Date: Wed Dec 31 20:51:34 2025 +0000 - - debian/control URL fix - -commit 436308ae4ec243c80262f3b43dcade0f9ca83859 -Author: Aaron Rainbolt -Date: Mon Dec 29 22:30:00 2025 -0600 - - Minor comment fixes - -commit f8ac896b87e6661704f9b13f775941ea8b4eda06 -Merge: 97640a9b ab98da95 -Author: Aaron Rainbolt -Date: Mon Dec 29 22:23:34 2025 -0600 - - Merge remote-tracking branch 'raja/log_martians' into arraybolt3/trixie-raja-merge - -commit 97640a9b5768b7565daf153fbdc9a0655001b790 -Author: Patrick Schleizer -Date: Sun Dec 28 06:36:59 2025 +0000 - - bumped 
changelog version - -commit c54d6a2258a09867e5b72a8bc1b47df67de6497d -Author: Patrick Schleizer -Date: Sun Dec 28 01:30:43 2025 -0500 - - readme - -commit 7477a6711ad2020fc9a7af19fd98fb88da5b840f -Author: Patrick Schleizer -Date: Sun Dec 28 01:29:26 2025 -0500 - - readme - -commit 885358794f2f4f196e37e6c39b6d95f3b48e325f -Author: Patrick Schleizer -Date: Sun Dec 28 00:55:20 2025 -0500 - - readme - -commit 44837c12bbf63f7e0fd41afad11e19646fd53074 -Author: Patrick Schleizer -Date: Sun Dec 28 00:48:37 2025 -0500 - - genmkfile debinstfile - -commit 7b37965c5c6689533b10e0e592100ee5b94858ee -Merge: d2796afe dddf7979 -Author: Patrick Schleizer -Date: Sun Dec 28 00:47:49 2025 -0500 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie' - -commit dddf79798cb2f2f76bf4432aa90c8a3c61402db1 -Author: Aaron Rainbolt -Date: Sat Dec 27 19:46:55 2025 -0600 - - Document why we disable sudo DNS - -commit 5e45248eb63ecb4b7f924ff9fcba6b40f5bf1244 -Author: Aaron Rainbolt -Date: Sat Dec 27 19:38:19 2025 -0600 - - genmkfile debinstfile - -commit 1b07fd2e73fdfc0d83bd36919080442a14a5ffdf -Author: Aaron Rainbolt -Date: Sat Dec 27 19:38:02 2025 -0600 - - Disable sudo DNS lookups on desktop systems - -commit d2796afe8e4cf5dd55d549adf972e68f86903609 -Author: Patrick Schleizer -Date: Fri Dec 19 11:38:31 2025 +0000 - - bumped changelog version - -commit 68c89cced39a5d2138e22661f4132118628aba64 -Author: Patrick Schleizer -Date: Fri Dec 19 06:30:00 2025 -0500 - - comment - -commit 8aef71c2548807f39a104529e0b6cdf67c201185 -Author: Patrick Schleizer -Date: Fri Dec 19 06:27:14 2025 -0500 - - fix - -commit 55a9755d90d27325010ab19a35b611a9a1df82ae -Author: Patrick Schleizer -Date: Fri Dec 19 06:26:16 2025 -0500 - - refactoring - -commit 6927a5d1adb3dbb96d630e42679c01a6d589232e -Author: Patrick Schleizer -Date: Fri Dec 19 09:56:05 2025 +0000 - - bumped changelog version - -commit 29c12808682fbbd5bd63f1bb821821f5adbfdbc5 -Author: Patrick Schleizer -Date: Fri Dec 19 04:55:41 2025 -0500 - - 
genmkfile debinstfile - -commit 7ed2d25def0f143dc4cb3695f0e8c5b74682a743 -Merge: b366c5e6 0bf0a73e -Author: Patrick Schleizer -Date: Fri Dec 19 03:42:20 2025 -0500 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie' - -commit 0bf0a73eb4683bd7205eaafa692237c57e7d18ae -Author: Aaron Rainbolt -Date: Mon Dec 15 20:18:14 2025 -0600 - - Add a missing quote mark for panic_on_taint - -commit 2106ed5aa651d9910df9965d68cb632808423e77 -Merge: b9d4f0aa 969d4d82 -Author: Aaron Rainbolt -Date: Mon Dec 15 19:41:36 2025 -0600 - - Merge remote-tracking branch 'raja/amd_encrypt_sev' into arraybolt3/trixie-raja-merge - -commit 969d4d82139b1c1793786b7a24c9eee3f4a1101c -Author: raja-grewal -Date: Tue Dec 16 11:49:21 2025 +1100 - - Add references for AMD SME - -commit b9d4f0aaa565ab478a8e0ef4cef27bc49457da42 -Author: Aaron Rainbolt -Date: Sun Dec 14 14:24:33 2025 -0600 - - Add minor clarifications - -commit 005b66c265654514b6450908a75615b71003f372 -Merge: 3f097a35 eaf0f814 -Author: Aaron Rainbolt -Date: Sun Dec 14 14:05:36 2025 -0600 - - Merge remote-tracking branch 'raja/panic_taint' into arraybolt3/trixie-raja-merge - -commit 3f097a35f21582300a87ddf7c70b2698df90e5ff -Author: Aaron Rainbolt -Date: Sun Dec 14 14:03:26 2025 -0600 - - Split up a line in README.md - -commit e7e6d6d3739bebfb8a92f6666e5f2f43ecbc2b52 -Merge: 8e56772c b8f78062 -Author: Aaron Rainbolt -Date: Sun Dec 14 14:01:54 2025 -0600 - - Merge remote-tracking branch 'raja/incomplete_cpu_mitigations' into arraybolt3/trixie-raja-merge - -commit b8f78062673ec3675ff31a0f7d34b853e9f97f04 -Author: raja-grewal -Date: Sun Dec 14 12:38:47 2025 +0000 - - Update usage of `mitigations=auto,nosmt` - -commit eaf0f814bdbe52739d3b3270bb2549bbdc2753f2 -Author: raja-grewal -Date: Sun Dec 14 11:18:08 2025 +0000 - - Update option to `panic_on_taint` - -commit 8e56772c2f0d26b7266403c0dfc5b7ef6d86d1fc -Author: Aaron Rainbolt -Date: Sat Dec 13 19:22:50 2025 -0600 - - README.md typo fix - -commit 
4d0a126955e48d790c063b218540a63b514bbd24 -Merge: 39ce5919 8040ba75 -Author: Aaron Rainbolt -Date: Sat Dec 13 18:44:03 2025 -0600 - - Merge remote-tracking branch 'raja/modprobe_refresh' into arraybolt3/trixie-raja-merge - -commit 39ce5919765b7cadac07dfeadb6cbbd29261b81c -Merge: b366c5e6 7d901213 -Author: Aaron Rainbolt -Date: Sat Dec 13 18:27:22 2025 -0600 - - Merge remote-tracking branch 'raja/amd_encrypt_sev' into arraybolt3/trixie-raja-merge - -commit 650b923c7a88820d3a899596e32016e1c3f6cc57 -Author: raja-grewal -Date: Sat Dec 13 04:35:02 2025 +0000 - - Update option to `panic_on_taint` - -commit b366c5e62ad375cef608f5fc435d444de52b056d -Author: Patrick Schleizer -Date: Fri Dec 12 13:17:09 2025 +0000 - - bumped changelog version - -commit 68de32e43e5597c5bda5449cf78eeed94895a63c -Merge: 725565c4 135ee804 -Author: Patrick Schleizer -Date: Fri Dec 12 04:35:53 2025 -0500 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie' - -commit 8040ba7579735cafee5fcd9ddf60ca4c88080f70 -Author: raja-grewal -Date: Fri Dec 12 02:04:38 2025 +0000 - - Minor fixes to docs - -commit fe1cfcd1a0f42b4e4938f7b327c33e89936aff76 -Author: raja-grewal -Date: Fri Dec 12 02:03:23 2025 +0000 - - Update docs on CPU MSRs - -commit ab2d44677a3198d6e421bb1c630a18fc4e85065c -Author: raja-grewal -Date: Fri Dec 12 02:01:20 2025 +0000 - - Correct script addition - -commit 5684a12d9db65474392dc9e1ebdc4646e34569eb -Author: raja-grewal -Date: Fri Dec 12 01:59:23 2025 +0000 - - Whitelist `9p` module - -commit 135ee80450c7f7e4c3d71be861fe1b5a6c135d02 -Author: Aaron Rainbolt -Date: Thu Dec 11 18:47:42 2025 -0600 - - Move kernel.panic=-1 setting to sysctl, allow turning panic-on-oops off with systemctl - -commit 7d901213029f17e7d0a4dccc671b3bfd476bab13 -Author: raja-grewal -Date: Thu Dec 11 14:12:18 2025 +0000 - - Add reference for AMD SEV - -commit 72f295a3f04e43307dea9af29657ee96fb1c47a5 -Author: raja-grewal -Date: Thu Dec 11 14:11:47 2025 +0000 - - Provide option to enable AMD SEV-SNP - -commit 
6a17255307c1d3b397ad38ab8f3bb8a14a3c5ca5 -Author: raja-grewal -Date: Thu Dec 11 14:11:26 2025 +0000 - - Provide option to enable AMD SEV-ES - -commit 22b1e3dc92c8bffca20f5d70920b6b9be042658e -Merge: 30068ec8 725565c4 -Author: raja-grewal -Date: Thu Dec 11 18:15:35 2025 +1100 - - Merge branch 'master' into panic_taint - -commit 53c4fdbeea0a44ca9e7ab739d80393b9c655482c -Merge: f75e9873 725565c4 -Author: raja-grewal -Date: Thu Dec 11 12:52:14 2025 +1100 - - Merge branch 'Kicksecure:master' into modprobe_refresh - -commit 725565c42e7b3e1bb5036d160cc0388cc001901b -Author: Patrick Schleizer -Date: Tue Dec 9 14:06:55 2025 +0000 - - bumped changelog version - -commit b7b6b6e5fbeba0cfab141bf05d7fb657879ba8e9 -Author: Patrick Schleizer -Date: Mon Dec 8 09:42:59 2025 -0500 - - output - -commit 8f99672cb24242d6cb86d985384ab4ad7d1aca54 -Author: Patrick Schleizer -Date: Fri Dec 5 11:39:12 2025 +0000 - - bumped changelog version - -commit ac128dd873968b1815e4113b30ea69f34fa0b088 -Merge: 17dd7af7 85761a41 -Author: Patrick Schleizer -Date: Fri Dec 5 06:35:03 2025 -0500 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie' - -commit 85761a4153a4f19e7b18e91062e97d3376451884 -Author: Aaron Rainbolt -Date: Thu Dec 4 23:27:18 2025 -0600 - - permission-hardener: Fix undo warning logic, minor improvements suggested by ChatGPT Codex - -commit 17dd7af7d1cf37ff30a17e2eaee06732d627ed34 -Author: Patrick Schleizer -Date: Wed Dec 3 08:31:22 2025 +0000 - - bumped changelog version - -commit c44678f92df924e4c10f08960426c526e0292aba -Merge: 6f9732be 0534a34e -Author: Patrick Schleizer -Date: Wed Dec 3 03:22:44 2025 -0500 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie' - -commit 0534a34ed7246793db384518cfbecb3adfcb7f3e -Author: Aaron Rainbolt -Date: Tue Dec 2 19:06:30 2025 -0600 - - Fix block-unsafe-logins when running as non-root, add swaylock to list of safe auth services - -commit 6f9732be98cbc344076b89d57491c423368172d5 -Merge: 2089b3a9 b3eb739f -Author: Patrick 
Schleizer -Date: Tue Dec 2 06:04:07 2025 -0500 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie' - -commit b3eb739fe2662acfbd844de8d87af4720727fc7a -Author: Aaron Rainbolt -Date: Sun Nov 30 00:20:21 2025 -0600 - - Link fix, change some wording - -commit 5f34b4146e895bb935b719071ab2762278944995 -Merge: 2c253b13 29176d2e -Author: Aaron Rainbolt -Date: Sun Nov 30 00:12:18 2025 -0600 - - Merge remote-tracking branch 'raja/docs' into arraybolt3/trixie - -commit 2c253b1312c034cb8395039803380c1157967061 -Merge: 17ab1bb0 c5f91eb3 -Author: Aaron Rainbolt -Date: Sat Nov 29 21:01:51 2025 -0600 - - Merge remote-tracking branch 'raja/vsyscall32' into arraybolt3/trixie - -commit 17ab1bb00fe287c4c941d9cd3813ee3a3ae89ade -Author: Aaron Rainbolt -Date: Sat Nov 29 20:44:30 2025 -0600 - - Documentation fix - -commit 2b2d30afce3d40eb9c2177ad67fd7d89cd4602a0 -Merge: f0d069c7 3fdfebc4 -Author: Aaron Rainbolt -Date: Sat Nov 29 20:23:09 2025 -0600 - - Merge remote-tracking branch 'raja/limit_full_force' into arraybolt3/trixie - -commit f0d069c7968e2ee10d7104ce1ba502d3122b0ab2 -Author: Aaron Rainbolt -Date: Sat Nov 29 20:15:03 2025 -0600 - - Minor README.md corrections - -commit b73a830b0f62fe43b38cc89d56d997bed355570c -Merge: e54cb007 53d90b11 -Author: Aaron Rainbolt -Date: Sat Nov 29 19:59:35 2025 -0600 - - Merge remote-tracking branch 'raja/kpti' into arraybolt3/trixie - -commit e54cb007f9fc351c25c292ffd68abe974be56bb0 -Merge: 84e193c4 e43d4d7f -Author: Aaron Rainbolt -Date: Sat Nov 29 19:54:10 2025 -0600 - - Merge remote-tracking branch 'raja/limit_bdev_writes' into arraybolt3/trixie - -commit 84e193c44ec9ebf676d1fb4a32d6e2f68afd3d0d -Merge: 65c45fc3 5ac02d2d -Author: Aaron Rainbolt -Date: Fri Nov 28 14:21:59 2025 -0600 - - Merge remote-tracking branch 'raja/stop_tw_reuse' into arraybolt3/trixie - -commit 65c45fc3d799cdf6402328cc61cbdd1949a12945 -Author: Aaron Rainbolt -Date: Fri Nov 28 00:13:45 2025 -0600 - - Minor fixes to NMI panic docs - -commit 
37b1d055f18c6335e96c41c06174b66e43e4a8ff -Merge: 7280d886 ebc011e6 -Author: Aaron Rainbolt -Date: Fri Nov 28 00:09:43 2025 -0600 - - Merge remote-tracking branch 'raja/panic_nmi' into arraybolt3/trixie - -commit 7280d8867da50e05dd7d3071123d49b15660051d -Merge: 2089b3a9 62dc2d44 -Author: Aaron Rainbolt -Date: Thu Nov 27 23:28:53 2025 -0600 - - Merge remote-tracking branch 'raja/amd_encrypt_ram' into arraybolt3/trixie - -commit 2089b3a9b8e9d10c06850f0329f7e2eb8a8a12cc -Author: Patrick Schleizer -Date: Mon Nov 24 08:44:10 2025 +0000 - - bumped changelog version - -commit cbd35502f19e74b6f95ff40bf03f02806eef3cdc -Author: Patrick Schleizer -Date: Mon Nov 24 03:18:25 2025 -0500 - - comment - -commit cac73c3154b3278ad71edc0fd159afc71d5dbc45 -Author: Patrick Schleizer -Date: Mon Nov 24 03:17:38 2025 -0500 - - minor - -commit d68988e76cda939ce200d970e19310cadba5d08e -Author: Patrick Schleizer -Date: Mon Nov 24 03:17:25 2025 -0500 - - comments - -commit c1ca36d75888b95835b953c3a8a122954c1e5929 -Merge: ec116795 a3417e99 -Author: Patrick Schleizer -Date: Mon Nov 24 03:11:19 2025 -0500 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie' - -commit a3417e997d26e9a88d30da408d470fab98f58d79 -Author: Aaron Rainbolt -Date: Sun Nov 23 16:27:59 2025 -0600 - - Add pkexec remembered permissions fix for permission-hardener, fix some postinst bugs - -commit edda37809fb186f6d85511e774957b701483ca66 -Author: Aaron Rainbolt -Date: Sun Nov 23 14:54:02 2025 -0600 - - Remove obsolete migration code for permission-hardener, add initial permission-hardener state installation code - -commit ec11679514d54c9a61e7c4e35ce81467b12333f4 -Author: Patrick Schleizer -Date: Sun Nov 23 10:26:13 2025 +0000 - - bumped changelog version - -commit 5c4d3162ab3c5178502c1f48e6288dc86cc45bb1 -Author: Patrick Schleizer -Date: Sun Nov 23 05:25:13 2025 -0500 - - fix - -commit 30068ec8cdaa7a6778f0ba0b423f7ab3c3391759 -Author: raja-grewal -Date: Sat Nov 22 15:01:47 2025 +1100 - - Correct bitmask - -commit 
f75e9873375d187fbbe4b5bfd135d0cd26a93fe6 -Author: raja-grewal -Date: Fri Nov 21 13:06:42 2025 +0000 - - Relabel some disabled module headings - -commit 79be87ec5f2cb22a98ada179b3aa97dfd58299e0 -Author: raja-grewal -Date: Fri Nov 21 13:05:13 2025 +0000 - - Move (optional) CPU MSR module disable list - -commit 1a7b0a9122cc6b6e755a540dd62fd018a1a7536d -Author: raja-grewal -Date: Fri Nov 21 12:43:05 2025 +0000 - - Disable more file systems - -commit 1865cafe446c6a525bc63caa7ce1097ce573b877 -Author: raja-grewal -Date: Fri Nov 21 12:42:10 2025 +0000 - - Move joydev from blacklist to disable - -commit 28476d3d53a0e4796b4396a925c44ccf32f4fe90 -Author: raja-grewal -Date: Fri Nov 21 12:40:12 2025 +0000 - - Update docs on GrapheneOS blacklisted modules - -commit 446d3771bf8c42aba61d248bccfe9fad4eacc88d -Author: raja-grewal -Date: Fri Nov 21 12:38:44 2025 +0000 - - Update docs on CD-ROM/DVD blacklisting - -commit 3646a2fefeaa774aea068d7c6e761c5b76479f55 -Author: raja-grewal -Date: Fri Nov 21 12:37:57 2025 +0000 - - Move superseded brcm80211 to disabled - Split and replaced by brcmsmac and brcmfmac in kernel 2.6.39 - -commit 66ba273d448ff92c249abe9dd0f83a64cc1ee823 -Author: raja-grewal -Date: Fri Nov 21 12:36:57 2025 +0000 - - Add CPU MSR modules - -commit e6aa648d54f076c5c75d45bcd7658d502b701982 -Author: raja-grewal -Date: Fri Nov 21 12:36:32 2025 +0000 - - Update docs on CPU MSR disabling - -commit 59869979bbc2fb16da6b3435276e4930b4088f59 -Author: raja-grewal -Date: Fri Nov 21 12:35:51 2025 +0000 - - Update docs on Vivid disabling - -commit 4597fd16a9b94ebd6b4fae152a64288b665d9c36 -Author: raja-grewal -Date: Fri Nov 21 12:35:03 2025 +0000 - - Sort RDNIS disabling and add docs - -commit 5adc007536578c1e70a8cc6784fbced2033b7a5c -Author: raja-grewal -Date: Fri Nov 21 12:33:15 2025 +0000 - - Update docs on Intel PMT disabling - -commit 31e3aa0c3add48ad26e43e4b83358571843f28de -Author: raja-grewal -Date: Fri Nov 21 12:32:30 2025 +0000 - - Update docs on Bluetooth disabling - 
-commit 9f85a78c9919d71c3e92099cac8525ac385aea5c -Author: Patrick Schleizer -Date: Wed Nov 19 07:02:14 2025 +0000 - - bumped changelog version - -commit 4e7cfb0d061810ec7c3139379a65db83abc39efc -Merge: d267cf67 936c799c -Author: Patrick Schleizer -Date: Wed Nov 19 01:55:10 2025 -0500 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie' - -commit 936c799cb5f48376fa259bb3b92b653526a00509 -Author: Aaron Rainbolt -Date: Tue Nov 18 23:53:03 2025 -0600 - - Don't break passwordless sudo in unrestricted admin mode - -commit 68025d3624e7543deec2fbe43ea0f010344e4160 -Author: raja-grewal -Date: Wed Nov 19 01:16:46 2025 +0000 - - Provide option to `panic_on_taint` - -commit ebc011e67bff659778cbca2240c5e57d663f3f41 -Author: raja-grewal -Date: Wed Nov 19 11:35:04 2025 +1100 - - Typo - -commit 62dc2d448366d190812773ec9eeadd38e1223cbc -Author: raja-grewal -Date: Tue Nov 18 20:31:46 2025 +1100 - - Add note about Intel TME - -commit 29176d2ed29b07c4da9b9c0df1eefd2bda70b984 -Author: raja-grewal -Date: Sat Nov 15 06:30:11 2025 +0000 - - Remove the option to reduce the MCE tolerance level - -commit 9f897c5ccda781d010077446abb3d176cf929c94 -Author: raja-grewal -Date: Sat Nov 15 05:48:33 2025 +0000 - - Update docs on reducing the MCE tolerance level - -commit b6fe1a5a6e164c7a7505b5e27ece582a1b928d82 -Author: raja-grewal -Date: Sat Nov 15 04:51:01 2025 +0000 - - Make panic related settings consistent - Ensures the `sysctl` and boot parameters are equivalent in settings and in description. This should prevent future questions regarding having omitted boot parameters that were actually redundant. 
- -commit 99e993b885ca1fa30a871120b545f9334371cd5a -Author: raja-grewal -Date: Sat Nov 15 03:16:07 2025 +0000 - - Provide options to enable AMD SME and SEV - -commit d267cf6761076092c299508a0c356c05d0ee713d -Author: Patrick Schleizer -Date: Fri Nov 14 06:21:34 2025 +0000 - - bumped changelog version - -commit efa06a1eae52b15978eb84f6ab4153ae88eb8d6a -Author: Patrick Schleizer -Date: Fri Nov 14 00:44:50 2025 -0500 - - port to package-installed-check - -commit abf5852ebabec81d553a60139fe5a15972d14ab5 -Author: Patrick Schleizer -Date: Wed Nov 12 06:13:05 2025 +0000 - - bumped changelog version - -commit 3af891645503c62ff5510b78e5cbe73774ad72a2 -Merge: fb587f78 3070aa5d -Author: Patrick Schleizer -Date: Tue Nov 11 23:59:50 2025 -0500 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie' - -commit d891313d57b469c28c08993b05d355b29ea08397 -Author: raja-grewal -Date: Tue Nov 11 11:39:21 2025 +0000 - - Provide options to panic upon receiving NMIs - -commit 0b9b9ffb1e87850e3296d0420c305062b66868d5 -Author: raja-grewal -Date: Tue Nov 11 11:32:47 2025 +0000 - - Improve clarity for panic on OOM - -commit 3070aa5d1f988b199030b31baa2fabc2db7b289f -Author: Aaron Rainbolt -Date: Mon Nov 10 22:40:15 2025 -0600 - - Fix passwordless login for sensitive accounts, only deny passwordless privilege escalation - -commit ab98da957c732340ddb7bb43ed445835220c21d1 -Author: raja-grewal -Date: Tue Nov 11 04:28:56 2025 +0000 - - Re-set `net.ipv4.conf.*.log_martians=1` - -commit fb587f78fd11e471b3169f8c67c1772c1ba3729d -Author: Patrick Schleizer -Date: Mon Nov 10 08:00:06 2025 +0000 - - bumped changelog version - -commit fc1b865dd7a7663cbea8948c06ce45e69269a3b1 -Author: Patrick Schleizer -Date: Mon Nov 10 02:21:27 2025 -0500 - - debugging - -commit 45126cede6563a3bfe9c700543fdec09442f1cb3 -Author: Patrick Schleizer -Date: Mon Nov 10 02:19:29 2025 -0500 - - end-of-options - -commit 61637a5ff06b69210f293bed91735a2bf80e8946 -Author: Patrick Schleizer -Date: Mon Nov 10 02:15:30 2025 -0500 - 
- refactoring - -commit ddb59a3b01444762c7a9da68d2cc34d98f3d8f96 -Author: Patrick Schleizer -Date: Mon Nov 10 02:13:48 2025 -0500 - - comment - -commit ae1e2e3b52ea4c18ed1d4bb2e7cf3c2adf06711c -Author: Patrick Schleizer -Date: Mon Nov 10 02:10:25 2025 -0500 - - output - -commit f2b765854203cfb5be15ad63a260fec860ed0620 -Author: Patrick Schleizer -Date: Mon Nov 10 02:09:54 2025 -0500 - - use long option names - -commit 71ca68bd4aab5adad9a8c1dd20df4dc6990885e7 -Author: Patrick Schleizer -Date: Mon Nov 10 02:09:00 2025 -0500 - - end-of-options - -commit e9e6c12b03fd6f440232221cdf7f34e9bc7661a2 -Author: Patrick Schleizer -Date: Mon Nov 10 02:08:04 2025 -0500 - - output - -commit f5db916bf728f8d09ee48cec5cb0a0a3ee520e33 -Author: Patrick Schleizer -Date: Mon Nov 10 02:06:55 2025 -0500 - - fix - -commit bb0a23fcc80b7963e0fc80f6e7da6931aa88c300 -Author: Patrick Schleizer -Date: Mon Nov 10 02:05:47 2025 -0500 - - chmod +x - -commit 39a6ce002e9ff696104906be252afffce70dd959 -Author: Patrick Schleizer -Date: Mon Nov 10 02:05:03 2025 -0500 - - genmkfile debinstfile - -commit 94de949a4797be1706378a10324ec9c2522834a7 -Merge: 0939883f 5fbd42bb -Author: Patrick Schleizer -Date: Mon Nov 10 02:04:15 2025 -0500 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie' - -commit 5ac02d2d528a37fe1c162c4808b3d874a8c53159 -Author: raja-grewal -Date: Mon Nov 10 06:13:35 2025 +0000 - - Set `net.ipv4.tcp_tw_reuse=0` - -commit b89aaea61e83aea6b23ea34a01dbb1e6bce1e2df -Author: raja-grewal -Date: Mon Nov 10 06:03:33 2025 +0000 - - Add docs on logging martian packets - -commit 5fbd42bbec55d66197b70789b10f7cb6705207fb -Author: Aaron Rainbolt -Date: Sun Nov 9 18:38:54 2025 -0600 - - Add kill-vboxdrmclient-on-shutdown.service - -commit 9d86379f5624a6c2b20645c34e1621977c1d4db9 -Author: Aaron Rainbolt -Date: Sun Nov 9 17:46:22 2025 -0600 - - Prevent non-sysmaint logins in sysmaint mode and unsafe passwordless logins in user mode - -commit a3830db09e3f567237caefb687ef2da877573b03 -Author: 
raja-grewal -Date: Sun Nov 9 13:42:31 2025 +0000 - - Update docs relating to panic on OOM - -commit 0aa0b67df6a33b84a656cfb7055c4af5ca583439 -Merge: a46f678c 0939883f -Author: raja-grewal -Date: Mon Nov 10 00:20:48 2025 +1100 - - Merge branch 'master' into docs - -commit 0939883f0b5e1232e9aa85e61c0cbef551a59357 -Author: Patrick Schleizer -Date: Sun Nov 9 10:47:45 2025 +0000 - - bumped changelog version - -commit 039141188558931b73a9b5897ea3422bbb201dad -Author: Patrick Schleizer -Date: Sun Nov 9 05:47:00 2025 -0500 - - revert Force immediate kernel panic on OOM. - - https://github.com/Kicksecure/security-misc/issues/324#issuecomment-3507949741 - -commit 26b96ce2800e794104e6d3c113c3c2c121795b39 -Author: Patrick Schleizer -Date: Sun Nov 9 08:12:42 2025 +0000 - - bumped changelog version - -commit 1ef974300a157235da6a6c4d1379b62acf0c4c61 -Author: Patrick Schleizer -Date: Sat Nov 8 04:00:47 2025 -0500 - - readme - -commit 48ce12eba38aec099b4afe42e4d42b1d41dcb97f -Author: Patrick Schleizer -Date: Sat Nov 8 07:44:43 2025 +0000 - - bumped changelog version - -commit 69419357e1bb2d0842ecd5db3e42bcaa011f5c11 -Author: Patrick Schleizer -Date: Sat Nov 8 02:42:25 2025 -0500 - - genmkfile debinstfile - -commit d50e6afc8fb0a925e07fc54b7ecc1f450d9aa176 -Author: Patrick Schleizer -Date: Sat Nov 8 01:34:32 2025 -0500 - - sanity test - -commit 12679608428e6927da480ca721b34bab75108687 -Author: Patrick Schleizer -Date: Sat Nov 8 01:32:45 2025 -0500 - - comments - -commit 1e48886c7e77fa7bccfdee3cca6f0fbdba74e4a1 -Author: Patrick Schleizer -Date: Sat Nov 8 01:31:02 2025 -0500 - - long option name - -commit d6c949c791bcc2c76b4f2e81eb0ffd370f8f1a37 -Merge: 5b97e7bd fa32ba6c -Author: Patrick Schleizer -Date: Sat Nov 8 01:29:48 2025 -0500 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie' - -commit fa32ba6c4fccf35111f85ec3819e718963359d7c -Author: Aaron Rainbolt -Date: Fri Nov 7 17:09:22 2025 -0600 - - Suppress usbguard startup unless a USB controller is visible to lspci - 
-commit 635c216d4e55eb0c6463c543202aea629c572f5e -Author: raja-grewal -Date: Wed Nov 5 01:44:36 2025 +0000 - - Update docs on CPU mitigations - -commit a46f678c7f8715fd1cedd1102f9815b9d845ccb3 -Author: raja-grewal -Date: Wed Nov 5 00:05:17 2025 +0000 - - Update docs on latent entropy - -commit 37b493826ec60397c6019959abb7e0631dd33ed4 -Author: raja-grewal -Date: Wed Nov 5 00:03:54 2025 +0000 - - Spit distrusting entropy settings for clarity - -commit 019a0cf72c99f9f10fd42afbfed96c283e17e458 -Author: raja-grewal -Date: Wed Nov 5 00:03:19 2025 +0000 - - Update docs on entropy - -commit 4c88b911415cbf57eecc93a22c6674322662db50 -Merge: d175d1be 5b97e7bd -Author: raja-grewal -Date: Wed Nov 5 10:10:10 2025 +1100 - - Merge branch 'Kicksecure:master' into docs - -commit e43d4d7f7110de0b23996373e9462aa900b314a6 -Author: raja-grewal -Date: Mon Nov 3 05:46:07 2025 +0000 - - Set `bdev_allow_write_mounted=0` - -commit 53d90b1128d55e352b3eef8ae680a07a825b1ecf -Author: raja-grewal -Date: Mon Nov 3 04:32:49 2025 +0000 - - Update docs on `ssbd=force-on` - -commit 322584db3346aaa1e3d1f9782b3d22ca2153c7da -Author: raja-grewal -Date: Mon Nov 3 04:31:59 2025 +0000 - - Update docs on `pti=on` - -commit 5e87c9bea49b5a06c1400cb8b632f344cccb6db6 -Author: raja-grewal -Date: Mon Nov 3 04:30:58 2025 +0000 - - Set `kpti=1` - -commit 3fdfebc4646d7c1f48806d02810de44fd53482bb -Author: raja-grewal -Date: Mon Nov 3 00:48:49 2025 +0000 - - Set `proc_mem.force_override=ptrace` - -commit 5b97e7bd277038b3b04c80a78ce05bb52277d4f6 -Author: Patrick Schleizer -Date: Sun Nov 2 11:41:51 2025 +0000 - - bumped changelog version - -commit 58d5f738e63d4c18048fab4e2fd134d68722d0fd -Merge: 5121f80f 7beb19b6 -Author: Patrick Schleizer -Date: Sun Nov 2 06:08:46 2025 -0500 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie' - -commit 5121f80f28d374d78bb3897a46fe924d750f4643 -Author: Patrick Schleizer -Date: Sun Nov 2 06:00:24 2025 -0500 - - comment - -commit 29685938bdfd5c14828091342dbe21283ed45fd1 
-Author: Patrick Schleizer -Date: Sun Nov 2 05:57:52 2025 -0500 - - move usbguard reject rules to the top - -commit c5f91eb33a2ad745af7a6278cf49419d0b366343 -Author: raja-grewal -Date: Sun Nov 2 06:15:06 2025 +0000 - - Add another method to disable 32-bit legacy vsyscalls - -commit d175d1be525edd8fb6140680c31425c8a89cc244 -Author: raja-grewal -Date: Sun Nov 2 15:54:34 2025 +1100 - - Add doc on entropy related failure on AMD Zen 5 CPUs - -commit 7beb19b64a33cb86771488ab558756fa86b577d3 -Author: Aaron Rainbolt -Date: Sat Nov 1 22:06:44 2025 -0500 - - Update README.md with info about flatpak auth hardening - -commit 5a6730450af6e3d1ab76d6e26d4fb1d7175be946 -Author: Patrick Schleizer -Date: Sat Nov 1 10:13:50 2025 +0000 - - bumped changelog version - -commit 7de05e88f57a343ac358ddbd6a8b3a5f0aa68a51 -Author: Patrick Schleizer -Date: Sat Nov 1 06:13:37 2025 -0400 - - fix - -commit fe8b7fda3d16195b7a7e7a6218e2bc12d808bcb8 -Author: Patrick Schleizer -Date: Sat Nov 1 06:08:20 2025 -0400 - - chmod +x - -commit ad0053d93797aaba2f242f8e7c142eee064c1bca -Author: Patrick Schleizer -Date: Sat Nov 1 09:41:23 2025 +0000 - - bumped changelog version - -commit 94918eeefbf962dbd66cbb052f2304496b1e2814 -Author: Patrick Schleizer -Date: Sat Nov 1 05:24:31 2025 -0400 - - lintian - -commit 6cc5eebe22d9af3591a0bd32e3ca7e9c0849fc44 -Author: Patrick Schleizer -Date: Sat Nov 1 09:18:12 2025 +0000 - - bumped changelog version - -commit 81a279ee1f23706c2309c02da536b68f00e3eff3 -Author: Patrick Schleizer -Date: Sat Nov 1 05:10:05 2025 -0400 - - genmkfile debinstfile - -commit e24eee361d1f810b2ba23b257903fe2824e7d703 -Author: Patrick Schleizer -Date: Sat Nov 1 04:10:17 2025 -0400 - - remove unicode - -commit 53d380989185b5040f94dbb628e2bae5556ed0e1 -Merge: dcccad92 8b766fc3 -Author: Patrick Schleizer -Date: Sat Nov 1 04:02:46 2025 -0400 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie' - -commit dcccad926679c10355aac53326f8fd1b79c735b7 -Author: Patrick Schleizer -Date: Sat Nov 1 
03:58:33 2025 -0400 - - no longer depend on sudo - -commit cfaa953373f3bf8de1b51be723f210069655eb74 -Author: Patrick Schleizer -Date: Sat Nov 1 03:42:33 2025 -0400 - - output - -commit 8b766fc3ad6b0c9675670f38e886beb6b769494b -Author: Aaron Rainbolt -Date: Fri Oct 31 15:23:12 2025 -0500 - - Lock down flatpak software management - -commit 948c96afe93bcc87cea203dd7b45a741d46543d1 -Author: Patrick Schleizer -Date: Fri Oct 31 14:38:30 2025 +0000 - - bumped changelog version - -commit aae472d9cfb2f42a861af8a886c28acd640da545 -Author: Patrick Schleizer -Date: Fri Oct 31 10:24:31 2025 -0400 - - Revert "Move apparmor-info, apparmor-watch to security-misc, enable systemd-journald audit transport" - - This reverts commit d1e148eba72ff5a095e31842a70afec7f28c8724. - -commit 3b2092ee764fe3ab8d72b912f0dcc4726ba76f4e -Merge: b168c37e d1e148eb -Author: Patrick Schleizer -Date: Fri Oct 31 10:19:08 2025 -0400 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie' - -commit d1e148eba72ff5a095e31842a70afec7f28c8724 -Author: Aaron Rainbolt -Date: Thu Oct 30 23:05:19 2025 -0500 - - Move apparmor-info, apparmor-watch to security-misc, enable systemd-journald audit transport - -commit b168c37e841d971743a8f2fe2d64ab4187e4029b -Author: Patrick Schleizer -Date: Mon Oct 27 11:48:10 2025 +0000 - - bumped changelog version - -commit c9d48ef7fdd2b691a7abd880d5e695c6296332b6 -Author: Patrick Schleizer -Date: Mon Oct 27 07:07:25 2025 -0400 - - readme - -commit 2dda826e02a10a9cebabe3896fc4c850221cc423 -Author: Patrick Schleizer -Date: Sun Oct 26 12:30:29 2025 +0000 - - bumped changelog version - -commit cb70f198375c5b68058a3705258e78464786922b -Author: Patrick Schleizer -Date: Sun Oct 26 08:06:26 2025 -0400 - - more robust, standardized kernel_cmdline variable detection - -commit 53db63196432e3fdf8fc031f0e78b4666b0f1514 -Author: Patrick Schleizer -Date: Thu Oct 23 06:03:26 2025 +0000 - - bumped changelog version - -commit f2b33b1ad54ac94aca200c001311e0794634e6f9 -Author: Patrick Schleizer 
-Date: Thu Oct 23 01:08:38 2025 -0400 - - update - -commit 1f093f817527d168ede3a682651088a051f40cb9 -Author: Patrick Schleizer -Date: Wed Oct 22 00:37:36 2025 -0400 - - do not start usbguard-notifier if /sys/bus/usb does not exist - -commit 8f78269949217ac11163cc8b6f17147621fef6eb -Author: raja-grewal -Date: Mon Oct 20 05:36:54 2025 +0000 - - Add docs on slab_debug - -commit 7969ffd4a52786f4a92f74931fff85430906a629 -Author: Patrick Schleizer -Date: Sun Oct 19 08:43:36 2025 +0000 - - bumped changelog version - -commit f555c48c51dab3eefc99085eace277f15ef72c33 -Author: Patrick Schleizer -Date: Sun Oct 19 04:42:24 2025 -0400 - - fix USBGuard-notifier `accept` / `reject` buttons - - https://forums.kicksecure.com/t/usbguard-what-should-we-allow-or-disallow-by-default/1248/49 - -commit 9f7480e20adf148dcb7dbe80e704f3f79691b657 -Author: raja-grewal -Date: Sun Oct 19 01:41:58 2025 +0000 - - Make terminology consistent - -commit f2c3eba4f06c38fda7843427c352022a0f869f66 -Merge: 11d9b940 929421bd -Author: raja-grewal -Date: Sun Oct 19 12:23:13 2025 +1100 - - Merge branch 'Kicksecure:master' into docs - -commit 929421bd258a3c0c1f142f707aeff479f2ea3c49 -Author: Patrick Schleizer -Date: Sat Oct 18 09:19:07 2025 +0000 - - bumped changelog version - -commit f5b7aab87ec6640eb1969bb4be05bb5b0ff04a3c -Author: Patrick Schleizer -Date: Sat Oct 18 05:18:55 2025 -0400 - - update - -commit 806eec423a7a6acb0d5eabc5872c9a5d121a4dc3 -Merge: 6cc1c27f 70fbbc23 -Author: Patrick Schleizer -Date: Sat Oct 18 04:44:41 2025 -0400 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie' - -commit 70fbbc230c0c5366b7a09d531012d18b1e88e07b -Author: Aaron Rainbolt -Date: Fri Oct 17 15:49:42 2025 -0500 - - Set USBGuard settings to permit USB hubs and Qubes USB passthrough - -commit 11d9b9403854ae7cd2638765e8350257580be35f -Author: raja-grewal -Date: Fri Oct 17 01:01:28 2025 +0000 - - Add docs on entropy - -commit 708e1358dfbc21444f2bf39dfa81ea5053f2bb10 -Author: raja-grewal -Date: Fri Oct 17 00:48:57 
2025 +0000 - - Add docs relating `extra_latent_entropy` - -commit 3d5e659b78cf2588f95280c13b1ebdf24060fb6f -Author: Aaron Rainbolt -Date: Wed Oct 15 19:02:48 2025 -0500 - - Remove trailing spaces - -commit 29639fe69e12ff71ec422a0137b5dbaade9179c3 -Merge: 026d55ac 0c8f2f1b -Author: Aaron Rainbolt -Date: Wed Oct 15 19:01:08 2025 -0500 - - Merge remote-tracking branch 'raja/bad_ipv6_ra' into arraybolt3/trixie - -commit 026d55ac410bf747db03c0cf9475b3408bce7f8e -Author: Aaron Rainbolt -Date: Wed Oct 15 18:30:52 2025 -0500 - - Typo fixes - -commit 35fce26476b20eda81544f583bd2b2124b8e96b0 -Merge: 4f63af42 23041741 -Author: Aaron Rainbolt -Date: Wed Oct 15 18:18:33 2025 -0500 - - Merge remote-tracking branch 'raja/stop_ptrace' into arraybolt3/trixie - -commit 4f63af4200de23e2216be6d3e7f1055af02dbc3b -Author: Aaron Rainbolt -Date: Wed Oct 15 17:53:26 2025 -0500 - - Allow listing USB devices via usbguard - -commit f690b58870bd90582018cec51046f4ed67a414d4 -Author: raja-grewal -Date: Mon Oct 13 02:08:44 2025 +0000 - - Add docs relating to panic on OOM - -commit 9db63d97770e62749c0b602dd9e7d2d4d6a1128b -Author: raja-grewal -Date: Mon Oct 13 01:01:14 2025 +0000 - - README: Update KSSP compliance status - -commit 23041741715cc5f3d16378d6bb34719ceaa1642c -Author: raja-grewal -Date: Sun Oct 12 02:32:45 2025 +0000 - - Insert empty new line - -commit 7161430a6000c4ff5e15a9a8c9519529655a1444 -Author: raja-grewal -Date: Sun Oct 12 02:27:48 2025 +0000 - - Seperate `ptrace()` disabling into own file - -commit 6cc1c27fb376d02adc6c5cddf64b030e2e694711 -Author: Patrick Schleizer -Date: Fri Oct 10 12:08:28 2025 +0000 - - bumped changelog version - -commit 4d9c3dc357ae92b735cf96f121491f7eed1be9f5 -Author: Patrick Schleizer -Date: Fri Oct 10 08:08:10 2025 -0400 - - minor - -commit 968de33c659f971fc62b2a6a63cceb7462c3d0f8 -Author: Patrick Schleizer -Date: Fri Oct 10 08:03:03 2025 -0400 - - Force immediate kernel panic on OOM. 
- This is to avoid security features such as the screen locker, kloak, emerg-shutdown - from being arbitrarily terminated when the system starts running out of memory. - - https://forums.whonix.org/t/screen-locker-in-security-can-we-disable-these-at-least-4-backdoors/8128/14 - - https://github.com/Kicksecure/security-misc/issues/324 - - `vm.panic_on_oom=2` - - implements https://github.com/Kicksecure/security-misc/issues/324 - -commit 98f27c3b2e1420f6d29cabe7d0c60a92989d06e1 -Author: Patrick Schleizer -Date: Fri Oct 10 06:53:04 2025 -0400 - - comment - -commit 28a88c70914ac2ce8c4cfc5b9ed558e026a6d7a9 -Author: Patrick Schleizer -Date: Fri Oct 10 06:52:13 2025 -0400 - - comment - -commit f4a87e77488c9034611c750d018603326cb42067 -Merge: 685070bd 6cf8a623 -Author: Patrick Schleizer -Date: Fri Oct 10 06:51:31 2025 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 6cf8a623feda09abc72a19b3e4c74c3f37b64d26 -Merge: 685070bd e89c7ae0 -Author: Patrick Schleizer -Date: Fri Oct 10 06:50:46 2025 -0400 - - Merge pull request #325 from raja-grewal/hash_pointers - - Docs detailing future improvements to `slab_debug` - -commit e89c7ae0254d41ac1696e23f8b2d4a425413d888 -Author: raja-grewal -Date: Wed Oct 8 02:39:20 2025 +0000 - - Update docs on `slab_debug` for future improvements - -commit 685070bd026e52f007e27428e5479e2f1c2413fe -Author: Patrick Schleizer -Date: Tue Oct 7 08:40:32 2025 +0000 - - bumped changelog version - -commit ba6ec919f0804bf8bbfaf057c86a067683cbb826 -Merge: dd961b84 718772ea -Author: Patrick Schleizer -Date: Tue Oct 7 04:34:51 2025 -0400 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie' - -commit 718772ea7824cd879d36e5eeff8270457df9ad33 -Author: Aaron Rainbolt -Date: Mon Oct 6 15:03:31 2025 -0500 - - Remove unsafe sanitizer compiler flags from emerg-shutdown - -commit 0c8f2f1b44049b676251775d64e23651e9225d00 -Author: raja-grewal -Date: Thu Oct 2 07:05:00 2025 +0000 - - Add docs about the risks associated with IPv6 RAs - 
-commit 4340bf50b7bf9112703d78fae4e8ca4f5e458ab6 -Author: raja-grewal -Date: Mon Sep 29 15:46:06 2025 +1000 - - Warnings about using `mitigations=auto,nosmt` - -commit dd961b84272247f4e8f01d3042d8ca256ccf50d2 -Author: Patrick Schleizer -Date: Sun Sep 28 21:09:46 2025 +0000 - - bumped changelog version - -commit e6ba4dad46ba2e451fd586357913b68ad25d6004 -Merge: 22c98634 60f8153f -Author: Patrick Schleizer -Date: Sun Sep 28 17:00:24 2025 -0400 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie' - -commit 60f8153f64667718edbf9c048d5fa1d3c2ca1980 -Author: Aaron Rainbolt -Date: Sun Sep 28 15:05:21 2025 -0500 - - Fix emerg-shutdown gcc build, remove AddressSanitizer from hardening options since it is incompatible with static builds - -commit 7e016b563239e31c650aece115bb19af0395ec52 -Author: Aaron Rainbolt -Date: Sun Sep 28 14:11:10 2025 -0500 - - Allow users in the qubes group to access USBGuard IPC - -commit 194b8fce4e5a8e9c642171853d7b0491debced55 -Author: raja-grewal -Date: Sun Sep 28 03:20:24 2025 +0000 - - Disable the usage of `ptrace()` by all processes - -commit 22c9863493b326d8ec730ecdf721593b836baf99 -Author: Patrick Schleizer -Date: Fri Sep 26 08:40:20 2025 +0000 - - bumped changelog version - -commit 08199dfe9471c5bff1af3e5f065810c47cfa7a12 -Merge: 590aaec7 58cc6731 -Author: Patrick Schleizer -Date: Fri Sep 26 04:31:02 2025 -0400 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie' - -commit 58cc6731f27446c3bfbd5df1e669b625af922efe -Author: Aaron Rainbolt -Date: Thu Sep 25 23:55:03 2025 -0500 - - Additional hardening on emerg-shutdown - -commit 78492e0e5656990ecec7ad2641d5f7e46a264aab -Author: raja-grewal -Date: Thu Sep 25 15:35:34 2025 +1000 - - README: Do not rely on `mitigations=auto` - -commit b9deefed61b40127bbb7aaad8dd83f256b68f896 -Author: raja-grewal -Date: Thu Sep 25 15:34:54 2025 +1000 - - Incompleteness of `mitigations=auto,nosmt` - -commit 590aaec73d389ecfa2610cbf7931a2e380af3e8d -Author: Patrick Schleizer -Date: Wed Sep 24 
14:32:35 2025 +0000 - - bumped changelog version - -commit 253688039447d69eb6eaf2d8d2e1c6ed04e2f839 -Merge: 275eecc4 17ee63ac -Author: Patrick Schleizer -Date: Wed Sep 24 10:32:12 2025 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 17ee63aca445d0e41af05eb9807849fc3c0f62d3 -Merge: 275eecc4 d31f63fb -Author: Patrick Schleizer -Date: Wed Sep 24 10:31:31 2025 -0400 - - Merge pull request #319 from raja-grewal/release_notice - - Notice on public releases - -commit d31f63fb1052adb186c323349aa4e36fb6fc8551 -Author: raja-grewal -Date: Tue Sep 23 05:47:45 2025 +0000 - - README: Notice on public releases - -commit 275eecc4f8100fe62e64a382c0ba5e8503ad0482 -Author: Patrick Schleizer -Date: Mon Sep 22 17:25:48 2025 +0000 - - bumped changelog version - -commit c45a4ffdd221964cee5ee5e5b70a0e4ba02eec11 -Merge: 5738bb61 2a39d599 -Author: Patrick Schleizer -Date: Mon Sep 22 13:04:33 2025 -0400 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie' - -commit 2a39d5997c410da2cf314f82826d1281879f8a6c -Author: Aaron Rainbolt -Date: Sun Sep 21 16:06:11 2025 -0500 - - security-misc split string changes - -commit 5738bb61045fb00d570c61cefd4c80fbc31d92e3 -Author: Patrick Schleizer -Date: Fri Sep 19 18:43:36 2025 +0000 - - bumped changelog version - -commit 9acdfc741b1b9da243d22ec6fed84f241c446b79 -Author: Patrick Schleizer -Date: Fri Sep 19 14:42:35 2025 -0400 - - description - -commit 62ea7e50410cb354d13600a26de27eaa3af8e309 -Author: Patrick Schleizer -Date: Fri Sep 19 14:41:05 2025 -0400 - - `security-misc` -> `security-misc-shared` package migration - - https://github.com/Kicksecure/security-misc/issues/187 - -commit 02d0ba49bb187f46dbc5969fa00d26f668446a71 -Author: Patrick Schleizer -Date: Fri Sep 19 18:10:09 2025 +0000 - - bumped changelog version - -commit 0c7bee33a79dcd4c96cf374203418c83e1f7ca51 -Author: Patrick Schleizer -Date: Fri Sep 19 14:01:16 2025 -0400 - - comment - -commit 35830047961e2648add789bd44bd2f61cad0dc9a -Author: Patrick 
Schleizer -Date: Fri Sep 19 16:18:37 2025 +0000 - - bumped changelog version - -commit 67b1cb319ddcb94232ee385d5e67a9cec33b2567 -Author: Patrick Schleizer -Date: Fri Sep 19 12:05:29 2025 -0400 - - `Replaces: security-misc` - - https://github.com/Kicksecure/security-misc/issues/187 - -commit 4bd08f8c818cc862ffb45cd47b7346f7cf89dd4f -Author: Patrick Schleizer -Date: Fri Sep 19 12:05:03 2025 -0400 - - wrap-and-sort - -commit 068750543aef8a74e7168cc58c667c940560a92a -Author: Patrick Schleizer -Date: Fri Sep 19 11:59:22 2025 -0400 - - update link - -commit ca90feb8d5cfa91e7ba3e13dd66d7df0c8343c58 -Author: Patrick Schleizer -Date: Fri Sep 19 11:54:04 2025 -0400 - - security-misc-server placeholder - - https://github.com/Kicksecure/security-misc/issues/187 - -commit 4eb9ec15e11548bd472977c411fecd2bd1c527c0 -Author: Patrick Schleizer -Date: Fri Sep 19 11:51:14 2025 -0400 - - packaging - - https://github.com/Kicksecure/security-misc/issues/187 - -commit c2594a022e86c79a44e2023e518da3f1294346aa -Author: Patrick Schleizer -Date: Fri Sep 19 11:29:55 2025 -0400 - - rename - - https://github.com/Kicksecure/security-misc/issues/187 - -commit 41ba668d23efb5f052394cfd9ab494e595058c17 -Author: Patrick Schleizer -Date: Fri Sep 19 11:23:10 2025 -0400 - - rename - - https://github.com/Kicksecure/security-misc/issues/187 - -commit 1b194f9fd6de847b3450ea5b9b3cd51a3fbfb81f -Author: Patrick Schleizer -Date: Fri Sep 19 10:59:23 2025 -0400 - - adjust lintian overrides file - - https://github.com/Kicksecure/security-misc/issues/187 - -commit 80562557ef5ac360aea2ea7c7a5c6faf76bdb2f0 -Author: Patrick Schleizer -Date: Fri Sep 19 10:53:25 2025 -0400 - - make install files executable - - https://github.com/Kicksecure/security-misc/issues/187 - -commit c99ea95410ef8fd8fd5d6134a914c344c8eea174 -Author: Patrick Schleizer -Date: Fri Sep 19 10:49:17 2025 -0400 - - genmkfile debinstfile - -commit 13e926207c606b0d009613fd41759d9f683cfea4 -Author: Patrick Schleizer -Date: Fri Sep 19 10:30:42 2025 -0400 - 
- packaging - - https://github.com/Kicksecure/security-misc/issues/187 - -commit 55a8ec685d87a1327ac73d942370409b38e9ad3a -Author: Patrick Schleizer -Date: Thu Sep 18 10:53:21 2025 -0400 - - packaging split - - https://github.com/Kicksecure/security-misc/issues/187 - -commit b4a7d84bf507600cd181081fa85aaab26a3c7c59 -Author: Patrick Schleizer -Date: Thu Sep 18 10:53:10 2025 -0400 - - genmkfile debinstfile - -commit 43ed739479f0e764bf4ecc485094a926a1a4634e -Author: Patrick Schleizer -Date: Thu Sep 18 10:38:50 2025 -0400 - - genmkfile debinstfile - -commit ea878c351f73185411defa7e3f7980e85e8e91ae -Author: Patrick Schleizer -Date: Thu Sep 18 10:27:48 2025 -0400 - - genmkfile debinstfile - -commit 06c045f70ffc9b3c6a195dc900f3a6a16a39c4b1 -Author: Patrick Schleizer -Date: Thu Sep 18 10:00:33 2025 -0400 - - genmkfile debdistfile - -commit f70550d0150793874f8bf30e8aecb090b60fa8e5 -Author: Patrick Schleizer -Date: Wed Sep 17 14:49:28 2025 -0400 - - Split the `security-misc` into `security-misc-shared`, `security-misc-desktop` and `security-misc-server`: rename files - - https://github.com/Kicksecure/security-misc/issues/187 - -commit 2de10d5b7b7589a6da03a6554b231ab55f7cc83c -Merge: ad367c0b 24424bcb -Author: Patrick Schleizer -Date: Wed Sep 17 13:32:44 2025 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 24424bcbc072bbb7ad9c00371a3a2adc27432532 -Merge: 2d3b4ee1 21c605e2 -Author: Patrick Schleizer -Date: Wed Sep 17 13:31:27 2025 -0400 - - Merge pull request #318 from raja-grewal/vmscape - - Enable `vmscape=force` - -commit 2d3b4ee12425182c88f1bf7ac632f7672b25e00c -Merge: ad367c0b 7b32e933 -Author: Patrick Schleizer -Date: Wed Sep 17 13:27:13 2025 -0400 - - Merge pull request #317 from raja-grewal/srso_docs - - Update SRSO docs - -commit ad367c0bbc230357098d246f0fa88d19dad412a1 -Author: Patrick Schleizer -Date: Sat Sep 13 08:33:02 2025 +0000 - - bumped changelog version - -commit 95eeb579a6af3079b79a954351ab69646ec8ec09 -Merge: d262db2e 90b6486f 
-Author: Patrick Schleizer -Date: Sat Sep 13 04:04:10 2025 -0400 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie' - -commit 21c605e27efaf10b3fd182e102c49135843ad21f -Author: raja-grewal -Date: Sat Sep 13 03:41:59 2025 +0000 - - Enable `vmscape=force` - -commit 90b6486ffe95bf50bbf1fa60964c80853917c3c8 -Author: Aaron Rainbolt -Date: Fri Sep 12 18:08:00 2025 -0500 - - Allow users in the sudo group to use usbguard-notifier - -commit 7b32e9339e1da769df38ff9afb849a975b1c1668 -Author: raja-grewal -Date: Fri Sep 12 23:10:34 2025 +1000 - - Update SRSO docs - -commit d262db2e6cc88cd58d73f5b53481ac43fa1ebee7 -Author: Patrick Schleizer -Date: Tue Sep 2 15:25:49 2025 +0000 - - bumped changelog version - -commit 75306a3f96038038958aa7e7adee3952e692ad91 -Author: Patrick Schleizer -Date: Sat Aug 30 14:19:31 2025 +0000 - - bumped changelog version - -commit ac6bc65e3c77f4bcbada69525e8cb1d4c273da8a -Merge: 78b66ba1 2319bd91 -Author: Patrick Schleizer -Date: Sat Aug 30 08:01:26 2025 -0400 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie' - -commit 2319bd91648f30b85b49aed2ce7ee7864582495d -Author: Aaron Rainbolt -Date: Thu Aug 28 17:34:41 2025 -0500 - - Allow USB devices that are connected at USBGuard start time - -commit 85fd8ea52b6614cb416514e1c541c46da708f502 -Author: Aaron Rainbolt -Date: Thu Aug 28 16:42:16 2025 -0500 - - Enable USB video and audio devices, reject USB RNDIS devices - -commit b95598b6f7536da08026af37ab3c9fb2ba2f2bb3 -Author: Aaron Rainbolt -Date: Thu Aug 28 16:18:14 2025 -0500 - - Disable RNDIS due to unfixable security issues - -commit 78b66ba159d41dc0559a09c038002c702aaa43c2 -Author: Patrick Schleizer -Date: Wed Aug 27 19:31:06 2025 +0000 - - bumped changelog version - -commit 28d695fd2ddbf91b43dcbf8087c3a852f5ab86a9 -Author: Patrick Schleizer -Date: Wed Aug 27 04:29:48 2025 -0400 - - fix - -commit 0a61107b5adf053db71cad63c40b1c8362e9162b -Merge: ef458ce0 94ebb5c8 -Author: Patrick Schleizer -Date: Wed Aug 27 04:28:25 2025 -0400 - - 
Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie' - -commit 94ebb5c84ca278a840e2158a5d4207fbfed90a22 -Merge: 893faa98 ef458ce0 -Author: Aaron Rainbolt -Date: Tue Aug 26 19:20:41 2025 -0500 - - Merge branch 'master' into arraybolt3/trixie - -commit ef458ce0d338009387999789259a3e644861b9d3 -Author: Patrick Schleizer -Date: Tue Aug 26 09:16:15 2025 +0000 - - bumped changelog version - -commit 893faa98223cee2f6c90f0224c94724e32f6e014 -Author: Aaron Rainbolt -Date: Fri Aug 22 19:48:47 2025 -0500 - - Remove initramfs-tools support - -commit cd44a7e1369cd798b06595fdb118e0c7bea52194 -Author: Aaron Rainbolt -Date: Fri Aug 22 16:00:25 2025 -0500 - - Disable memlockd service by default, fix systemd path - -commit 28f44d2e1d54da990cf203d2965431bc12a5d008 -Author: Aaron Rainbolt -Date: Fri Aug 22 15:50:28 2025 -0500 - - Disable emerg-shutdown and ensure-shutdown on Qubes OS - -commit 53e930b4cc30a8857348758ab65d1a5687ed94a1 -Merge: df8a323d 5898a645 -Author: Aaron Rainbolt -Date: Thu Aug 21 20:09:48 2025 -0500 - - Merge branch 'master' into arraybolt3/trixie - -commit df8a323d03747858b55d905465c1f9415bbb8022 -Author: Aaron Rainbolt -Date: Thu Aug 21 18:39:28 2025 -0500 - - Fix XDG handling, replace Xfce with LXQt where appropriate, make USBGuard configuration work - -commit 5898a6457a99ab0036b3e62ded09eeb9cdd9522a -Author: Patrick Schleizer -Date: Thu Aug 21 06:45:04 2025 -0400 - - typo - -commit f713dceff42c6c79a5718ba69358d2fe66ad3245 -Merge: f6f4fd77 8cdbbf82 -Author: Patrick Schleizer -Date: Thu Aug 21 06:44:35 2025 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 8cdbbf8292c354224e2d22fad9087d9f542687e2 -Merge: 2baf5cfc e48897cc -Author: Patrick Schleizer -Date: Thu Aug 21 06:43:07 2025 -0400 - - Merge pull request #313 from raja-grewal/panic_limits - - Upgrade `sysctl` settings and docs on kernel panics - -commit 2baf5cfc0bf061b2cc772dfceadaef84a36d9c1e -Merge: f6f4fd77 45fcd163 -Author: Patrick Schleizer -Date: Thu Aug 21 06:42:28 
2025 -0400 - - Merge pull request #314 from raja-grewal/trixie_docs - - Update documentation - -commit f6f4fd77e5bd3a7a7d00c33543fc4ce5a685a3d1 -Merge: 81d437fe 7f211209 -Author: Patrick Schleizer -Date: Thu Aug 21 06:40:39 2025 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 7f211209f7942a332e0568a60eba8a78f3a8a15b -Merge: 81d437fe 19b7e4b4 -Author: Patrick Schleizer -Date: Thu Aug 21 06:40:11 2025 -0400 - - Merge pull request #311 from nrz-21/master - - Set soft limit for core dumps to 0 - -commit 19b7e4b4d0b625b8505de122e790a14de63fafdf -Author: Patrick Schleizer -Date: Thu Aug 21 06:39:56 2025 -0400 - - newline - -commit 3229dd8967d15edc6066ab6148df4738774f36b0 -Merge: 8dcd3493 81d437fe -Author: Patrick Schleizer -Date: Thu Aug 21 06:39:13 2025 -0400 - - Merge branch 'master' into master - -commit 81d437fe3efca99b0d1a29b2a1a3e486e91716c1 -Author: Patrick Schleizer -Date: Wed Aug 20 21:40:39 2025 -0400 - - fix - -commit e48897cc44eef10779a28bdadc7e7bbfe007064a -Merge: add05493 c2d5bf38 -Author: raja-grewal -Date: Thu Aug 21 10:27:44 2025 +1000 - - Merge branch 'master' into panic_limits - -commit add054933b69e97e0f856d7cf04d88290d4b1b7c -Author: raja-grewal -Date: Thu Aug 21 00:24:28 2025 +0000 - - Update docs on instant reboot when kernel panic - -commit c2d5bf38f539703c4858818f29d73b21d5776c80 -Author: Patrick Schleizer -Date: Wed Aug 20 10:44:10 2025 -0400 - - comment - -commit 812f05f847de0f1cb5586ccfd4c5b684d507dd46 -Author: Patrick Schleizer -Date: Wed Aug 20 10:11:49 2025 -0400 - - comments - -commit 2b876c74a3ed9ec91954c8d4f776dc803d212fd0 -Author: Patrick Schleizer -Date: Wed Aug 20 10:09:10 2025 -0400 - - readme - -commit 0e4664daa0267fe62888a9559db2b14d5e1ae8ea -Author: Patrick Schleizer -Date: Wed Aug 20 10:07:58 2025 -0400 - - cleanup - -commit 31fd316e72a87323f83e7e63d6a3440bf77cb350 -Author: Patrick Schleizer -Date: Wed Aug 20 09:48:20 2025 -0400 - - comments - -commit 5d67277c9f27a54d373e683a1d4e1ddf8c16ac25 -Author: 
Patrick Schleizer -Date: Wed Aug 20 09:46:43 2025 -0400 - - comments - -commit f77c71dd15b38db6f1c33602dd0c5623e501c3eb -Merge: e15bdd2d 37c0bc0c -Author: Patrick Schleizer -Date: Wed Aug 20 09:44:37 2025 -0400 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie' - -commit e15bdd2de513fbdcdb3b0fed4c1c1c5f74652291 -Author: Patrick Schleizer -Date: Wed Aug 20 06:57:29 2025 -0400 - - bumped Standards-Version - -commit 312586307b2999d46e4673079fb1538f76ff329e -Author: Patrick Schleizer -Date: Wed Aug 20 06:25:35 2025 -0400 - - readme - -commit a4710693783b8817a6a5c9f17b4268b654c4c0c9 -Author: raja-grewal -Date: Tue Aug 19 11:03:05 2025 +1000 - - Remove link - -commit c0ad57779342c138ade0d6ddff0898f75411157a -Author: raja-grewal -Date: Tue Aug 19 11:01:06 2025 +1000 - - Update docs on oops boot parameter - -commit 45fcd163d1422b43ec033166c889a237301ad83d -Author: raja-grewal -Date: Mon Aug 18 20:23:50 2025 +1000 - - Add reference on conntrack helpers - -commit 37c0bc0c5ddfb901d016f8a4edae16840a58f1fa -Merge: b5a36e02 f175d196 -Author: Aaron Rainbolt -Date: Sun Aug 17 14:02:01 2025 -0500 - - Merge remote-tracking branch 'raja/block_32bit' into arraybolt3/trixie - -commit b5a36e02f1be901da1695056877471398deedf1e -Merge: 210aa976 6df3e3cd -Author: Aaron Rainbolt -Date: Sun Aug 17 13:52:01 2025 -0500 - - Merge remote-tracking branch 'raja/panic_limits' into arraybolt3/trixie - -commit 210aa97650b760acb207f29b1e99e1bb2e65e168 -Merge: 7a8dfa52 3de9cd56 -Author: Aaron Rainbolt -Date: Sun Aug 17 13:50:25 2025 -0500 - - Merge remote-tracking branch 'raja/trixie_docs' into arraybolt3/trixie - -commit f175d1961e4e028539f5a90c0db1fcd1f760cdba -Author: raja-grewal -Date: Sun Aug 17 07:08:08 2025 +0000 - - Enable `ia32_emulation=0` - -commit 3de9cd5646ad45fe745711b83f79f4d469fc8473 -Author: raja-grewal -Date: Sun Aug 17 07:06:55 2025 +0000 - - Remove whitespace - -commit e06b78a52225db02415aeafb833160c9ea0280d9 -Author: raja-grewal -Date: Sun Aug 17 07:05:32 2025 +0000 - - 
Temporarily revert IA32 doc updates - -commit 6df3e3cde8053d6b2771f510457da774336546bf -Author: raja-grewal -Date: Sun Aug 17 06:32:11 2025 +0000 - - Update kernel panic service description - -commit 247015bcc6e924e24874d16ed7ad78165ace58a3 -Author: raja-grewal -Date: Sun Aug 17 06:27:44 2025 +0000 - - Set `sysctl kernel.panic=-1` - -commit 7a8dfa528c629aa0023943dcd34025ef56a1b1e1 -Merge: cba16879 1f75426f -Author: Aaron Rainbolt -Date: Sat Aug 16 21:10:19 2025 -0500 - - Merge remote-tracking branch 'raja/trixie_docs' into arraybolt3/trixie - -commit 8dcd3493f851f78933f9dbf6d4e9f04f741bed5a -Author: nexus$ -Date: Sat Aug 16 09:39:42 2025 +0000 - - Update 30_security-misc.conf - -commit f1de0da69b46f91ea7fd34db601393d23599b3bb -Author: raja-grewal -Date: Sat Aug 16 04:01:12 2025 +0000 - - Clarify description on panics on oopses and warns - -commit c33f7d04e2cef477b675fbf6c2a91583ba3bf808 -Author: raja-grewal -Date: Sat Aug 16 03:32:48 2025 +0000 - - Remove duplicate comment - -commit 1f75426f079d6e0aecd8fac22088ad36a7c16398 -Author: raja-grewal -Date: Sat Aug 16 02:20:00 2025 +0000 - - Clarify docs for disabling 32-bit x86 support - -commit cba16879eff9d3d998c127e41c38d2067cdf04cc -Author: Aaron Rainbolt -Date: Fri Aug 15 17:16:42 2025 -0500 - - Polish USBGuard configuration - -commit b4086b8e779366127c22eb0a43d1b77fe534ef0e -Merge: 66ec5bda 4cae74d6 -Author: Aaron Rainbolt -Date: Fri Aug 15 16:57:34 2025 -0500 - - Merge remote-tracking branch 'monsieuremre/patch-3' into arraybolt3/trixie - -commit 66ec5bda5872bbf51eb480836d3ffb3bb2f934cf -Author: Aaron Rainbolt -Date: Fri Aug 15 16:51:07 2025 -0500 - - Remove obsolete Thunderbird configuration hardening - -commit 94668b2e93c37a3879968f455575c631f9f8bcac -Author: Aaron Rainbolt -Date: Fri Aug 15 16:46:35 2025 -0500 - - Set hard and soft limits on core file size at the same time - -commit e2c65a2a6fcb246cb5925394f00ec2d8401c2dda -Merge: 65afc31b 28ce7064 -Author: Aaron Rainbolt -Date: Fri Aug 15 16:45:18 2025 -0500 - 
- Merge remote-tracking branch 'nrz/master' into arraybolt3/trixie - -commit 65afc31ba7f8c5ee6dc14627de82a122b4992d21 -Merge: a2a9e844 00c660d4 -Author: Aaron Rainbolt -Date: Fri Aug 15 16:31:50 2025 -0500 - - Merge branch 'kcfi' into arraybolt3/trixie - -commit a2a9e8440b812b07546722f5842e3ddb16ee5bc2 -Merge: c33ea7be 4166d6d1 -Author: Aaron Rainbolt -Date: Fri Aug 15 16:06:35 2025 -0500 - - Merge branch 'trixie_docs' into arraybolt3/trixie - -commit 00c660d40dce06d979fc7b9dbf7a6e952a9e51cc -Author: raja-grewal -Date: Fri Aug 15 11:29:27 2025 +1000 - - Typo - -commit fce86dccb67db0a37601899bf3115bd9f4fa714a -Author: raja-grewal -Date: Wed Aug 13 10:44:40 2025 +1000 - - Typo - -commit c33ea7be6d2a82462042cf482a32bf259bf51bd5 -Author: Aaron Rainbolt -Date: Sun Aug 10 15:23:48 2025 -0500 - - Move security-misc/apt-get-update* to helper-scripts - -commit 51d5ba29df44d021cfeab1dea6f00919d246388e -Merge: 7aa38245 c7bdca32 -Author: Aaron Rainbolt -Date: Sun Aug 10 14:09:41 2025 -0500 - - Merge branch 'master' into arraybolt3/trixie - -commit c7bdca32c05ddc70b785a28ebe5be13614407dc8 -Author: Patrick Schleizer -Date: Sun Aug 10 06:34:30 2025 +0000 - - bumped changelog version - -commit 3629f2c3a59d44e265f0c66389435de1b2414998 -Merge: 5dc251c5 c59a3b23 -Author: Patrick Schleizer -Date: Sun Aug 10 02:25:48 2025 -0400 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/emerg-shutdown' - -commit 7aa38245dedab28cce4c96fd9f533a60c9d05ac4 -Merge: 4930703b c59a3b23 -Author: Aaron Rainbolt -Date: Sat Aug 9 23:31:55 2025 -0500 - - Merge branch 'arraybolt3/emerg-shutdown' into arraybolt3/trixie - -commit c59a3b233bd8893d466c020a2e2695ab545c6e60 -Author: Aaron Rainbolt -Date: Sat Aug 9 21:55:03 2025 -0500 - - Fix unexpected shutdowns when booting Kicksecure from optical media - -commit 4930703b8c90766304122e6e74ccd29e87800714 -Merge: 2ada07cf 5dc251c5 -Author: Aaron Rainbolt -Date: Sat Aug 9 21:30:45 2025 -0500 - - Merge branch 'master' into arraybolt3/trixie - -commit 
5dc251c5da724092d264481740e4f6ed347aa0a7 -Author: Patrick Schleizer -Date: Sat Aug 9 09:45:35 2025 +0000 - - bumped changelog version - -commit 046c932898290d250a7900e3c59973a698e5c55f -Author: Patrick Schleizer -Date: Sat Aug 9 05:40:11 2025 -0400 - - `disable emerg-shutdown.service`: - - Disabled due to bug: breaks ISO Live Mode Calamares installer - -commit 2ada07cf66727ea66283c55c0ba078489b3db94e -Author: Aaron Rainbolt -Date: Thu Aug 7 22:23:03 2025 -0500 - - Add SSH hardening config - -commit 0cc0a8310020afc10de6512095336e55559a84d9 -Author: Patrick Schleizer -Date: Thu Aug 7 07:08:19 2025 +0000 - - bumped changelog version - -commit 505a2b7d7995ad48a17add86513ced3499f64ee9 -Merge: 42941653 3a77abe5 -Author: Patrick Schleizer -Date: Thu Aug 7 03:08:02 2025 -0400 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/emerg-shutdown' - -commit 5f2425ba6f747bf65b5beb4336d1e7bf6b8cdf71 -Merge: 86f44063 3a77abe5 -Author: Aaron Rainbolt -Date: Wed Aug 6 20:21:01 2025 -0500 - - Merge branch 'arraybolt3/emerg-shutdown' into arraybolt3/trixie - -commit 3a77abe5c9807caec530e69c41d5cf803b625e70 -Author: Aaron Rainbolt -Date: Wed Aug 6 20:05:57 2025 -0500 - - Port hardening options from kloak to emerg-shutdown, fix new compiler warnings - -commit 0c1af00aae50dba2983c3736744e0da320bb9330 -Author: Aaron Rainbolt -Date: Wed Aug 6 19:33:38 2025 -0500 - - Implement paranoid mode in emerg-shutdown - -commit 29480df770047c8ada3e993cf28f87ffbfd71dec -Author: Aaron Rainbolt -Date: Wed Aug 6 19:24:34 2025 -0500 - - Improve emerg-shutdown usage documentation - -commit 2a3bc39eba317d5f9b0e710dd3663c82d92add94 -Author: Aaron Rainbolt -Date: Wed Aug 6 19:10:37 2025 -0500 - - Use Ctrl+Alt+End as the default panic key rather than Ctrl+Alt+Delete - -commit 44e7d3059a5618991a1408f77707132bfea86fef -Author: Aaron Rainbolt -Date: Wed Aug 6 19:10:14 2025 -0500 - - Integrate emerg-shutdown into the initramfs - -commit 42941653621311187650f12e8d7aa39c45cb6984 -Author: Patrick Schleizer -Date: 
Wed Aug 6 08:27:15 2025 +0000 - - bumped changelog version - -commit 784ff8af3616765a9c22febf66b522376ecedf12 -Merge: c2690efc 5a17e67c -Author: Patrick Schleizer -Date: Wed Aug 6 04:26:37 2025 -0400 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/emerg-shutdown' - -commit 4166d6d1e60d564be4c3fb2ad530e7a180638e6a -Author: raja-grewal -Date: Wed Aug 6 15:53:49 2025 +1000 - - Update docs on recovery restrictions - -commit 86f44063eb753fe1bbdd754ce104670d26aed6ca -Author: Aaron Rainbolt -Date: Tue Aug 5 22:58:06 2025 -0500 - - Port to Trixie. - -commit 498551536c71f1c1ac33f3c1992e18c9277e6618 -Author: raja-grewal -Date: Wed Aug 6 03:12:06 2025 +0000 - - Update docs - -commit 45d20dd972e6501237d35d1605c81d4e3fde43b1 -Author: raja-grewal -Date: Wed Aug 6 02:35:15 2025 +0000 - - Upgrade sysctls and docs on kernel panics - -commit 1f7525722e7027b5c3379460eee5f62669631dee -Author: raja-grewal -Date: Wed Aug 6 01:48:47 2025 +0000 - - Enable `cfi=kcfi` - -commit 5a17e67c0a7678300f6342d5c90ded5494ebc838 -Author: Aaron Rainbolt -Date: Tue Aug 5 20:14:07 2025 -0500 - - Fix local-fs.target dependency in emerg-shutdown.service - -commit c2690efcacbf7be7c57751ba1cee7f910d350cfc -Author: Patrick Schleizer -Date: Mon Aug 4 09:27:11 2025 +0000 - - bumped changelog version - -commit 166bc257b0b2eea87d684cc847bf6da1fba7c4b4 -Merge: d1bca020 63f29093 -Author: Patrick Schleizer -Date: Mon Aug 4 05:26:55 2025 -0400 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/emerg-shutdown' - -commit 63f29093416a5f21ae14b398cf805c864b5541d7 -Author: Aaron Rainbolt -Date: Sun Aug 3 15:00:14 2025 -0500 - - Fix emerg-shutdown and ensure-shutdown libexec scripts, start emerg-shutdown and ensure-shutdown earlier - -commit d1bca0204fa1dac9ec3fb6e9b121af9526778181 -Author: Patrick Schleizer -Date: Sun Aug 3 11:33:03 2025 +0000 - - bumped changelog version - -commit 92bcd824e4af8a90a18a7726d4a5715c0b20e2ca -Author: Patrick Schleizer -Date: Sun Aug 3 07:17:25 2025 -0400 - - also parse 
/usr/local/etc - -commit 4da810c8fa4fd40b8701e7dfe217125d965ee03e -Author: Patrick Schleizer -Date: Sun Aug 3 07:16:00 2025 -0400 - - comment - -commit b9416fa77a1e8850c5f579314875671799a55c60 -Author: Patrick Schleizer -Date: Sun Aug 3 07:15:41 2025 -0400 - - validate configuration file - -commit 4ba029471e8c12d5691f7ee94897137fb3cbe15f -Merge: c1e76aa5 1a60da71 -Author: Patrick Schleizer -Date: Sun Aug 3 07:04:20 2025 -0400 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/emerg-shutdown' - -commit 28ce70644147f637e91bd4941bcbc139d875e5e7 -Author: nexus$ -Date: Fri Aug 1 15:03:26 2025 +0000 - - Set soft limit for core dumps to 0 - -commit 1a60da71eddfcc6fb72a34596c770cd754146887 -Author: Aaron Rainbolt -Date: Tue Jul 29 21:16:51 2025 -0500 - - emerg-shutdown: Add shutdown timeout for preventing stuck shutdowns, briefly document feature set and usage - -commit e42078e90d7d7e5339a7c4682eb93c844fd38580 -Author: Aaron Rainbolt -Date: Mon Jul 28 20:42:14 2025 -0500 - - emerg-shutdown: fix the hang-on-shutdown bug, add autodetection of new keyboards, shutdown key configuration, and instant shutdown option - -commit a1d1c5603300106f06c1a798088521b77430ff95 -Merge: 5889d134 c1e76aa5 -Author: Aaron Rainbolt -Date: Sun Jul 27 21:43:43 2025 -0500 - - Merge branch 'master' into arraybolt3/emerg-shutdown - -commit c1e76aa52cd28f38c1ab6550e0f4de0010a9ea14 -Author: Patrick Schleizer -Date: Mon Jul 21 10:00:25 2025 +0000 - - bumped changelog version - -commit 36114e29a2ce1045b5f5d82372fcf0463efc5ca7 -Merge: e3ce9c38 f851886f -Author: Patrick Schleizer -Date: Mon Jul 21 06:00:11 2025 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit f851886ffd0fc82ba0b0add501964d1c812c6c15 -Merge: e3ce9c38 6f9763f5 -Author: Patrick Schleizer -Date: Mon Jul 21 05:58:44 2025 -0400 - - Merge pull request #310 from raja-grewal/its - - Enable `indirect_target_selection=force` - -commit 5889d134a23b3d4f8db5d81171ea12907bb10d4d -Author: Aaron Rainbolt -Date: Sun Jul 20 
14:14:09 2025 -0500 - - emerg-shutdow: Improve recvmsg handling, call reboot syscall directly - -commit 6f9763f525097b8f8ad5f9864c1694a2642e1bd6 -Author: raja-grewal -Date: Sat Jul 19 05:19:27 2025 +0000 - - Enable `indirect_target_selection=force` - -commit b745c8ddae74d5e1684919442fa74d64e95263b8 -Author: Aaron Rainbolt -Date: Mon Jul 14 21:51:52 2025 -0500 - - emerg-shutdown: Enable actual shutdown code, fix infinite loop when started too early - -commit e387086de4b6e6b90b23d4c32ddf8a566beb858c -Author: Aaron Rainbolt -Date: Mon Jul 14 21:05:16 2025 -0500 - - Allow specifying alternative keys in panic key combo, fix optical disk eject handling - -commit dfb6f143f0324d0903ae2dd106bc0fb6907c1cb0 -Author: Aaron Rainbolt -Date: Sun Jul 13 20:53:29 2025 -0500 - - Add panic key handling to emergency shutdown utility - -commit 2a7071055f94f984398fe2ec49c32b206913bea2 -Merge: f3d46ee5 e3ce9c38 -Author: Aaron Rainbolt -Date: Sun Jul 13 15:21:34 2025 -0500 - - Merge branch 'master' into arraybolt3/emerg-shutdown - -commit e3ce9c38c5b241f789945de7229c0ee15fa0a266 -Author: Patrick Schleizer -Date: Wed Jul 2 20:52:17 2025 +0000 - - bumped changelog version - -commit b06fb5428051518390439ce95c9d6894e6338951 -Merge: 115b6f6a 468cf40e -Author: Patrick Schleizer -Date: Wed Jul 2 13:47:12 2025 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 468cf40e2a216625d02066b609b0991e37c50ebc -Merge: 865a052b bb208fb1 -Author: Patrick Schleizer -Date: Wed Jul 2 13:45:28 2025 -0400 - - Merge pull request #306 from raja-grewal/erst - - Set `erst_disable` - -commit 865a052bf47f28c0084b2bbd51e3c606df9eda96 -Merge: 115b6f6a e3c45191 -Author: Patrick Schleizer -Date: Wed Jul 2 13:44:17 2025 -0400 - - Merge pull request #309 from RebornRider/patch-1 - - remove TemporaryTimeout=0 in Bluetooth config - -commit bb208fb134fe25fc3539494f331072a851369064 -Merge: 4314b1e8 115b6f6a -Author: raja-grewal -Date: Wed Jul 2 11:35:50 2025 +1000 - - Merge branch 'Kicksecure:master' 
into erst - -commit 4314b1e85bd5495832b4398bdbd358c41703dcc9 -Author: raja-grewal -Date: Tue Jul 1 13:36:39 2025 +1000 - - Add comment - -commit e3c451917931aa4e63056fb03470c203694d399f -Author: Kevin Agwaze <7119346+RebornRider@users.noreply.github.com> -Date: Mon Jun 16 10:35:16 2025 +0100 - - remove misleading TemporaryTimeout=0 in Bluetooth config - -commit 115b6f6aa2a4d00ad5690c2c0889e142540c01ca -Author: Patrick Schleizer -Date: Sat Jun 14 11:51:44 2025 +0000 - - bumped changelog version - -commit 4639d1aab572bb4ad751bd1da5b936b9d73d3264 -Merge: 5159de63 109c0134 -Author: Patrick Schleizer -Date: Fri Jun 13 15:09:52 2025 -0400 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/approx' - -commit 109c0134677d991c449aa009773cb22babeee8db -Author: Aaron Rainbolt -Date: Thu Jun 12 01:08:34 2025 -0500 - - Add comment related to approx package caching proxy - -commit 72613203b9692d1098b13ff98119499a5a30a6da -Author: raja-grewal -Date: Fri Jun 6 13:07:52 2025 +0000 - - Add reference - -commit dd0b55cc45f9ccd64d0075ba37ab6a4723d94a02 -Author: raja-grewal -Date: Tue Jun 3 12:32:17 2025 +1000 - - Add reference - -commit 5159de63438e8c1274658e7175a80fb693d6554a -Author: Patrick Schleizer -Date: Wed May 28 13:48:11 2025 +0000 - - bumped changelog version - -commit 3e102df76583a14b5efc18238aefbf539ab0d8a1 -Author: Patrick Schleizer -Date: Wed May 28 08:37:03 2025 -0400 - - fix - -commit d5edc243ac2db861f1600d3906a02494eaf9a824 -Author: Patrick Schleizer -Date: Wed May 28 12:12:00 2025 +0000 - - bumped changelog version - -commit eda1d0aef640af1ea73c72d6caa876733de4e5a0 -Merge: e9667748 5a10ad03 -Author: Patrick Schleizer -Date: Wed May 28 07:22:16 2025 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 5a10ad031d67acc8fa4c16f9e2db191bde559caa -Merge: e9667748 3559bc86 -Author: Patrick Schleizer -Date: Wed May 28 07:21:31 2025 -0400 - - Merge pull request #307 from maybebyte/ssh-agent-to-allowlist - - fix(permission-hardener): ssh-agent gets 
2755 perms - -commit 3559bc86b7aed8122ff7996ce0ab4a65bdaf05c0 -Author: Ashlen -Date: Tue May 27 15:32:41 2025 -0600 - - fix(permission-hardener): ssh-agent gets 2755 perms - - Change from exactwhitelist to matchwhitelist. Discussion revealed that - there's a good reason to leave setgid in here, which is essentially - defense-in-depth (sometimes users may want to revert Kicksecure's - default of kernel.yama.ptrace_scope=2, e.g. to debug a program, and - Kicksecure should not be less secure than vanilla Debian in that - situation). - -commit c59b2e4bc53cad4c9cc90ddd5abaca0705ccff90 -Merge: 017ee29e e9667748 -Author: maybebyte <99762926+maybebyte@users.noreply.github.com> -Date: Tue May 27 20:33:07 2025 +0000 - - Merge branch 'Kicksecure:master' into ssh-agent-to-allowlist - -commit e96677486201ebddc145af7962ad5e89f6fa253b -Author: Patrick Schleizer -Date: Tue May 27 19:41:25 2025 +0000 - - bumped changelog version - -commit 017ee29eb39d84edc89f128a633a619cad852241 -Merge: 7a079c3d abb22073 -Author: maybebyte <99762926+maybebyte@users.noreply.github.com> -Date: Tue May 27 18:25:47 2025 +0000 - - Merge branch 'Kicksecure:master' into ssh-agent-to-allowlist - -commit 5195977be474e29a29b6392306e909e9f2d05ada -Author: Patrick Schleizer -Date: Tue May 27 11:57:21 2025 -0400 - - protect against grep pipefail - -commit abb2207313810966dad381c3a9f637c445a5834d -Author: Patrick Schleizer -Date: Tue May 27 15:51:50 2025 +0000 - - bumped changelog version - -commit 45016146f7c77d383f2254d19dc66ba9b883b8f2 -Merge: ace45d7c 395169fb -Author: Patrick Schleizer -Date: Tue May 27 11:03:23 2025 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 395169fbce1854bfed727d1784f4e5c0d8e7c6ff -Merge: ace45d7c e14b81b1 -Author: Patrick Schleizer -Date: Tue May 27 10:58:50 2025 -0400 - - Merge pull request #308 from maybebyte/permission-hardener-speedboost - - perf(permission-hardener): optimize string match - -commit 1c353032046f556bb11c32506019310c9f6d47c0 -Merge: 
35fa32e4 ace45d7c -Author: raja-grewal -Date: Fri May 23 20:20:19 2025 +1000 - - Merge branch 'Kicksecure:master' into erst - -commit ace45d7c95ed6b83c1897f76da5af4a0c97cab10 -Author: Patrick Schleizer -Date: Wed May 21 22:06:02 2025 +0000 - - bumped changelog version - -commit 142ea2118989faddafa17db48efed379c4ac3f45 -Author: Patrick Schleizer -Date: Wed May 21 12:42:16 2025 -0400 - - fix - -commit a969fa350e28ca296966509821a7c62b68f09a5a -Author: Patrick Schleizer -Date: Wed May 21 12:40:27 2025 -0400 - - fix - -commit f023651c984c52a997bc241f99f118255cf60809 -Author: Patrick Schleizer -Date: Wed May 21 12:35:37 2025 -0400 - - nounset - -commit f086787464191a07e028dd92649c48b145023858 -Author: Patrick Schleizer -Date: Wed May 21 12:35:23 2025 -0400 - - fix - -commit d7643954d184846c8b7fb5eda7200779126274eb -Author: Patrick Schleizer -Date: Wed May 21 12:33:50 2025 -0400 - - minor - -commit aa905fc8875c5c56351f10f4e40e6d2a7dd6d918 -Author: Patrick Schleizer -Date: Wed May 21 12:32:16 2025 -0400 - - further validation of output of `faillock` - -commit 92d3a36a0f43615db622c6b0daa7064b8e8ebbbb -Author: Patrick Schleizer -Date: Wed May 21 12:29:01 2025 -0400 - - fix - -commit 2c1abb23e03cfe449347ba692d35f5ba1f33cff4 -Author: Patrick Schleizer -Date: Wed May 21 12:26:46 2025 -0400 - - output - -commit 0801b96ae74256f36dcf8757d0ba8abc66ea0b9b -Author: Patrick Schleizer -Date: Wed May 21 12:25:49 2025 -0400 - - output - -commit ef8515ba82996b137c386eeb91e6f853d58a515f -Author: Patrick Schleizer -Date: Wed May 21 12:23:45 2025 -0400 - - improve error handling - -commit 784867e24b4d6f2899fa9b215ec9e3c4e2fb9d84 -Author: Patrick Schleizer -Date: Wed May 21 12:21:45 2025 -0400 - - fix - -commit 0eea681ce893a259563f8e9d5a2ec9722fbc635d -Author: Patrick Schleizer -Date: Wed May 21 15:52:16 2025 +0000 - - bumped changelog version - -commit e1bae1c68aabc424924b6386fe4980d657dc2cdf -Author: Patrick Schleizer -Date: Wed May 21 11:50:59 2025 -0400 - - fix - -commit 
bd01a683054b1f7d5a5f6cc4848da73b1b1ef5ff -Author: Patrick Schleizer -Date: Wed May 21 13:58:18 2025 +0000 - - bumped changelog version - -commit 14cf205579ff65fa765d7574e5d0e301a30a1904 -Author: Patrick Schleizer -Date: Wed May 21 08:36:16 2025 -0400 - - fix - -commit ff6bc5d5b6097bcdddd8e66c2541106c2cbabbaf -Author: Patrick Schleizer -Date: Wed May 21 11:23:39 2025 +0000 - - bumped changelog version - -commit 353b6e83c55d52b47a2a35063406324cec7237c4 -Author: Patrick Schleizer -Date: Wed May 21 07:20:13 2025 -0400 - - test that `wc` is functional - - https://github.com/Kicksecure/security-misc/pull/305#issuecomment-2892378246 - -commit 5930e270521e0e5d6a0a3877c813accbf5253051 -Author: Patrick Schleizer -Date: Wed May 21 07:05:25 2025 -0400 - - pam-info: improve error handling - - https://github.com/Kicksecure/security-misc/pull/305#issuecomment-2892378246 - -commit 5c981e0891ef009c5c2355f5f6383aca22c45638 -Author: Patrick Schleizer -Date: Wed May 21 06:55:09 2025 -0400 - - pam-info: fix, consistently write errors and warnings to stderr - -commit e14b81b15e479afbc4820a2b9bb60f3cf65bfb12 -Author: Ashlen -Date: Tue May 20 21:34:03 2025 -0600 - - perf(permission-hardener): optimize string match - - Replace subprocess grep calls with bash substring matching in - check_nosuid_whitelist function. This eliminates ~10k unneeded - subprocess spawns that were causing significant performance - degradation. 
- - In testing, it improves overall script execution speed by an - order of magnitude: - - Before patch: - $ sudo hyperfine -- './permission-hardener enable' - Benchmark 1: ./permission-hardener enable - Time (mean ± σ): 11.906 s ± 0.974 s [User: 3.639 s, System: 8.728 s] - Range (min … max): 10.430 s … 14.090 s 10 runs - - After patch: - $ sudo hyperfine -- './permission-hardener enable' - Benchmark 1: ./permission-hardener enable - Time (mean ± σ): 802.8 ms ± 178.5 ms [User: 283.0 ms, System: 471.9 ms] - Range (min … max): 639.4 ms … 1092.3 ms 10 runs - -commit 7a079c3de8bd8b4e026a1bd1b932a04610a1e386 -Author: Ashlen -Date: Tue May 20 18:41:48 2025 -0600 - - fix(permission-hardener): add exactwhitelist here - - Without this, the permissions for ssh-agent won't be changed properly. - -commit 94dc9da4ab8fb93760dbb3b325bdeaa155e492cb -Author: Ashlen -Date: Tue May 20 17:07:51 2025 -0600 - - fix(permission-hardener): ssh-agent gets 755 perms - - Replace the commented-out matchwhitelist entry for ssh-agent with an - explicit permission entry (755) for /usr/bin/ssh-agent. - - When ssh-agent's matchwhitelist entry was commented out in commit - 7a5f8b87af, permission-hardener began resetting it to restrictive - defaults (744), preventing non-root users from executing ssh-agent. This - broke split SSH functionality in Qubes OS for me because I was using - Kicksecure in the vault qube, and ssh-agent runs under a non-root user in - that configuration (see https://forum.qubes-os.org/t/split-ssh/19060). - - As noted in the comment, Debian installs with 2755 permissions as a way - to mitigate ptrace attacks, but this rationale doesn't apply due to - kernel.yama.ptrace_scope=2 being set in Kicksecure. 
- -commit 19d7e1af5d7acf6eb3a20fe3ebf5f14cef041f92 -Author: Patrick Schleizer -Date: Tue May 20 11:40:27 2025 +0000 - - bumped changelog version - -commit 405880e63b92319626332d083a6c5ad5101dbf77 -Author: Patrick Schleizer -Date: Sun May 18 06:44:42 2025 -0400 - - handle case of non-existence of /proc/cmdline - -commit 88235cc97b8b54f3fe78d6ad76f64326e8b53f3e -Author: Patrick Schleizer -Date: Sun May 18 06:44:04 2025 -0400 - - refactoring - -commit 601ea77b005d18b57a85e0701f3981edd61b7881 -Author: Patrick Schleizer -Date: Sun May 18 06:42:39 2025 -0400 - - end-of-options - -commit d8feca12768441b0499ead7cc9f9bce4e89b1edf -Author: Patrick Schleizer -Date: Sun May 18 06:41:41 2025 -0400 - - printf - -commit 7f2ba0980d17360fc014c6a412fc4ee57e1032fd -Author: Patrick Schleizer -Date: Sun May 18 06:40:50 2025 -0400 - - refactoring - -commit 4d1f8c44d28895587abce586ed5b2fe354544f6a -Merge: 341dce33 e4787508 -Author: Patrick Schleizer -Date: Sun May 18 06:36:08 2025 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit e478750814798f3d9aa60354b6cecbb84769ed53 -Merge: 341dce33 91a76db6 -Author: Patrick Schleizer -Date: Sun May 18 06:35:23 2025 -0400 - - Merge pull request #305 from DMHalford/pam-info-failed_login_counter-fix - - Prevent erroneous "Login blocked after [negative number] attempts" errors - -commit 35fa32e4ed6333f3ab87d09828f13155aa1e7a72 -Author: raja-grewal -Date: Sat May 17 15:06:49 2025 +1000 - - Reword - -commit a1bde21ccb475fc21a084559dbe766f6315d9287 -Author: raja-grewal -Date: Sat May 17 04:41:06 2025 +0000 - - Set `erst_disable` - -commit 91a76db66bb496ba4650ada38df31636297738cf -Author: DMHalford <161769419+DMHalford@users.noreply.github.com> -Date: Thu May 15 15:42:50 2025 -0400 - - Prevent erroneous "Login blocked after [negative number] attempts" errors - - For root, faillock appears to always* return an empty string (i.e. 
no table headers are present), yielding a zero-initialized pam_faillock_output_count and thus resulting in the calculation of a negative failed_login_counter value. - - This can cause erroneous errors of the form "ERROR: Login blocked after [negative number] attempts" during sudo-ing and screen unlocking. - - This commit modifies the initialization of failed_login_counter such that it cannot be negative and prevents the display of these incorrect warnings. - - * Only rudimentary local tests were conducted - -commit 6c3be9ced071e73e78451c82e8def9c5a5b02598 -Author: DMHalford <161769419+DMHalford@users.noreply.github.com> -Date: Thu May 15 15:06:10 2025 -0400 - - Prevent erroneous "Login blocked after [negative number] attempts" errors - - For root, faillock appears to always* return an empty string (i.e. no table headers are present), yielding a zero-initialized pam_faillock_output_count and thus resulting in the calculation of a negative failed_login_counter value. - - This can cause erroneous errors of the form "ERROR: Login blocked after [negative number] attempts" during sudo-ing and screen unlocking. - - This commit modifies the initialization of failed_login_counter such that it cannot be negative and prevents the display of these incorrect warnings. 
- - * Only rudimentary tests were conducted - -commit f3d46ee56233c4ef0552c20304413d137e90acfe -Author: Aaron Rainbolt -Date: Fri May 9 18:46:41 2025 -0500 - - Add emergency shutdown feature, triggered by root device removal - -commit 341dce33fb806ab03822470e6af91604662c22dd -Author: Patrick Schleizer -Date: Fri Apr 25 09:54:23 2025 +0000 - - bumped changelog version - -commit 06e1e44b0039807baa862102b12fc5e199c3ccb3 -Author: Patrick Schleizer -Date: Fri Apr 25 05:51:21 2025 -0400 - - comments - -commit ba1012ca8767baf34ed762d80b25b03bb70e6765 -Author: Patrick Schleizer -Date: Fri Apr 25 08:19:35 2025 +0000 - - bumped changelog version - -commit a8f6132bec1a6f4a639d58295b3e50faf5494d98 -Author: Patrick Schleizer -Date: Fri Apr 25 03:11:27 2025 -0400 - - output - -commit 1d14a9f32435b8131c251e03bff2af5c929bbf49 -Merge: e154d0af 612f5f92 -Author: Patrick Schleizer -Date: Fri Apr 25 02:59:09 2025 -0400 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/fix-pkexec-umask' - -commit 612f5f92fde236b86928428fd0247c8e971b0460 -Author: Aaron Rainbolt -Date: Thu Apr 24 20:01:35 2025 -0500 - - Fix umask for pkexec-run commands - -commit e154d0af6dd41e392122fbe3d09219734c5ad588 -Author: Patrick Schleizer -Date: Mon Apr 21 10:21:54 2025 +0000 - - bumped changelog version - -commit 4bf0e3a63667c284d053e5b8517440a884a42441 -Author: Patrick Schleizer -Date: Mon Apr 21 04:57:07 2025 -0400 - - comments - -commit 502f5953c734346edc680a0b898b435e6c6f6e27 -Author: Patrick Schleizer -Date: Mon Apr 21 04:55:19 2025 -0400 - - comments - -commit abb0c83619b820b7b66258efa9e141850eaa8b6c -Author: Patrick Schleizer -Date: Mon Apr 21 04:54:06 2025 -0400 - - comments - -commit efa2967fca36c776d43419dd5bf12696bc61c426 -Author: Patrick Schleizer -Date: Mon Apr 21 04:53:04 2025 -0400 - - comments - -commit dc7e8579040a96630ab1bbf7b4b901e3e3abe8c7 -Author: Patrick Schleizer -Date: Sat Apr 19 17:33:56 2025 +0000 - - bumped changelog version - -commit 9948ae114d4c6bbd650022c9985137c0fdea5675 
-Author: Patrick Schleizer -Date: Sat Apr 19 13:24:17 2025 -0400 - - fix - -commit 4aca622706f33e85832e67650259a7751ba87a72 -Author: Patrick Schleizer -Date: Sat Apr 19 13:23:26 2025 -0400 - - fix - -commit 701f4a0e88a32e4c9312fd92b73cef5d4f755f0a -Author: Patrick Schleizer -Date: Sat Apr 19 13:20:04 2025 -0400 - - output - -commit a670c0d873eba8d84bde90ebbeecc7aecc22349e -Author: Patrick Schleizer -Date: Sat Apr 19 13:18:23 2025 -0400 - - comment - -commit 4799f3ce02e5683dad0fff13f5d7fe0aadb0a0db -Author: Patrick Schleizer -Date: Sat Apr 19 13:17:28 2025 -0400 - - make `/usr/libexec/security-misc/apt-get-update` more reliable - -commit c4f0e1d16f6999b055b0fa310456870f12a6dbea -Author: Patrick Schleizer -Date: Sat Apr 19 12:57:14 2025 -0400 - - refactoring - -commit 81634930fa13a240b9fff9a878dd84af1dccc6b3 -Author: Patrick Schleizer -Date: Sat Apr 19 12:55:32 2025 -0400 - - refactoring - -commit 90330a1ec958f82f9322ecc62bcfb7169d641af4 -Author: Patrick Schleizer -Date: Sat Apr 19 12:49:18 2025 -0400 - - refactoring - -commit ce2c9a21a357b3981335336eaf7ac8a6a3bcb052 -Author: Patrick Schleizer -Date: Sat Apr 19 12:47:40 2025 -0400 - - /usr/libexec/security-misc/apt-get-update: use `/run/helper-scripts` folder for pid file instead of `$TMP` - - to avoid permission issues - -commit 96ff7c8dc67809a3199d0b7f22d9e50483634a9c -Author: Patrick Schleizer -Date: Sat Apr 19 12:45:06 2025 -0400 - - refactoring - -commit 5a37790e6bd80ffd4f74d9596523ef72366d35d9 -Author: Patrick Schleizer -Date: Sat Apr 19 12:43:15 2025 -0400 - - cleanup - -commit 7512aa67572c97267fd176e63ae4862b6d37f8ae -Author: Patrick Schleizer -Date: Tue Apr 15 20:59:37 2025 +0000 - - bumped changelog version - -commit e0e2a9b61c61b34a6fe10782e294d58adff15cfe -Merge: 5e88dfe8 9f2836d2 -Author: Patrick Schleizer -Date: Tue Apr 15 15:27:10 2025 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 9f2836d2baae900222cbae74d7a32bcdc69e589f -Merge: 5e88dfe8 aa0ffff4 -Author: Patrick Schleizer 
-Date: Tue Apr 15 15:17:25 2025 -0400 - - Merge pull request #304 from raja-grewal/stop_pstore - - Disable PStore - -commit 5e88dfe809a762aeebf62ea2de131cfbdea9ae32 -Author: Patrick Schleizer -Date: Thu Apr 10 11:38:17 2025 +0000 - - bumped changelog version - -commit c0a18c5a7122fe3c7b52d0e02ca5e8817efb3996 -Merge: da9dd3c3 74ca63d1 -Author: Patrick Schleizer -Date: Thu Apr 10 06:07:55 2025 -0400 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/rename-boot-modes' - -commit 74ca63d12c716017d022f5dfc5348ae7b787e220 -Author: Aaron Rainbolt -Date: Wed Apr 9 21:01:41 2025 -0500 - - Mass-change "PERSISTENCE mode USERNAME" to "PERSISTENCE Mode - USERNAME Session" - -commit aa0ffff42753f68e67bc92680a22986a5b9ef9e0 -Author: raja-grewal -Date: Thu Apr 10 11:49:45 2025 +1000 - - README.md: Revert error - -commit da9dd3c3f14103701ad82af775b4fb547f5b3e2e -Author: Patrick Schleizer -Date: Wed Apr 9 15:16:00 2025 +0000 - - bumped changelog version - -commit 163d51f32a1888a52ea78ba32a4e4a2d72aea87d -Author: Patrick Schleizer -Date: Wed Apr 9 09:47:52 2025 -0400 - - newline at the end - -commit 4d2b2e65468522b1d1beda63b0b16cfa12b1d535 -Author: Patrick Schleizer -Date: Tue Apr 8 14:08:24 2025 +0000 - - bumped changelog version - -commit 39f4f5b60739c387f02970018e14f1ae93677e00 -Author: Patrick Schleizer -Date: Tue Apr 8 06:53:08 2025 -0400 - - comments - -commit 173606891ad0c064a22b4ec0aee772105d8be54a -Author: Patrick Schleizer -Date: Tue Apr 8 06:48:29 2025 -0400 - - output - -commit f0d17c7e4134d8a54ce7331c1e9d3ce932278987 -Author: raja-grewal -Date: Sun Mar 16 03:31:24 2025 +0000 - - README: Fix a few links - -commit df2fc2cf6b0437d23c7641118ebd24d2e3a670ce -Author: raja-grewal -Date: Sun Mar 16 03:30:04 2025 +0000 - - Set `efi_pstore.pstore_disable=1` - -commit f643ebc2f923ba4d7231e5aeaf1d91d1a9d1d0df -Author: raja-grewal -Date: Sun Mar 16 03:28:39 2025 +0000 - - Disable pstore processing by systemd-pstore service - -commit d927fe238cc5369f7fe1632a4173fe4bdf0ffdfb 
-Author: Patrick Schleizer -Date: Mon Mar 3 11:00:38 2025 +0000 - - bumped changelog version - -commit cd0ba94ac5e7e8360183ac6f440d941b4067025b -Author: Patrick Schleizer -Date: Mon Mar 3 05:57:59 2025 -0500 - - no longer disable `vivid` kernel module by default, - because it breaks Qubes Video Companion - - Thanks to @marmarek for the bug report! - - https://forums.whonix.org/t/testing-qubes-video-companion-on-whonix/21393 - - fixes https://github.com/Kicksecure/security-misc/issues/298 - -commit 3e7d1b4e23e1e8ef4ad138dbe4119eee7e72511c -Author: Patrick Schleizer -Date: Sun Feb 9 23:04:36 2025 +0000 - - bumped changelog version - -commit 0615e6e995eb25d8e1bff181ecc49ff51e4029cc -Merge: 2a4a228b 4d62ee3a -Author: Patrick Schleizer -Date: Sun Feb 9 18:01:43 2025 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 4d62ee3ab31bde80eebde265c2513233f10f751a -Merge: 2a4a228b ce4b57d1 -Author: Patrick Schleizer -Date: Sun Feb 9 18:00:59 2025 -0500 - - Merge pull request #297 from raja-grewal/warn_path - - Update docs on kernel panics - -commit ce4b57d1cb179f18c1ac41681626d01054355fe6 -Author: raja-grewal -Date: Mon Feb 3 00:31:45 2025 +0000 - - Update docs on kernel panics - -commit 2a4a228b150e06c7ff796315719d41e825dd8ad3 -Author: Patrick Schleizer -Date: Fri Jan 31 19:38:42 2025 +0000 - - bumped changelog version - -commit 041caf286b343268e6db69f2957f23c1dd20812a -Author: Patrick Schleizer -Date: Fri Jan 31 14:33:54 2025 -0500 - - update pkg_installed function - -commit ac1493fcfc194b8d1a680d7e8bf53a90caa984ac -Author: Patrick Schleizer -Date: Fri Jan 31 14:33:17 2025 -0500 - - comment - -commit c0f2f110146410428fc12815b30aaba67ff16126 -Author: Patrick Schleizer -Date: Thu Jan 30 12:58:48 2025 +0000 - - bumped changelog version - -commit 9f5e522b83ba969112abf6a9fba77c1eff31b14d -Author: Patrick Schleizer -Date: Thu Jan 30 07:53:04 2025 -0500 - - LC_ALL=C - -commit 7c150d116d1d1f95e2fb729934906eb4391a389a -Author: Patrick Schleizer -Date: Thu Jan 
30 07:45:08 2025 -0500 - - LANG=C str_replace: no longer requires LANG=C, therefore removed - -commit 6aaf7082177fe4d02415aac4317cde74665f495c -Author: Patrick Schleizer -Date: Wed Jan 29 14:36:41 2025 +0000 - - bumped changelog version - -commit 10508cb5801c28f8fff306957e867a1626aa6489 -Merge: 6b4fa1ef b9dee263 -Author: Patrick Schleizer -Date: Wed Jan 29 09:36:28 2025 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit b9dee2633128577245763bad41cf3cb6b49751f3 -Merge: 6b4fa1ef 4b1e5306 -Author: Patrick Schleizer -Date: Wed Jan 29 09:35:50 2025 -0500 - - Merge pull request #296 from raja-grewal/cpu_details - - Hardware-related Documentation - -commit 6b4fa1ef0055d36a45d65481129dabfee77027e4 -Author: Patrick Schleizer -Date: Thu Jan 23 16:28:58 2025 +0000 - - bumped changelog version - -commit b10f5489a3e3317f01339ea34a0e5c7bfb850a01 -Author: Patrick Schleizer -Date: Thu Jan 23 11:12:26 2025 -0500 - - copyright - -commit 3c18734db32b2d19c3a30e282435f083d307d86e -Author: Patrick Schleizer -Date: Wed Jan 22 14:11:21 2025 +0000 - - bumped changelog version - -commit f90ffacac3d3c12f62f62106a69cb6caeca69041 -Author: Patrick Schleizer -Date: Wed Jan 22 09:09:56 2025 -0500 - - bump permission hardner migration code version - -commit 3a056c9d9c17ed3968f48ac332cee94f714320c7 -Author: Patrick Schleizer -Date: Wed Jan 22 09:05:50 2025 -0500 - - bump permission hardner migration code version - -commit d5ad29a7324dfbece3185026a3f4c58121c453b6 -Author: Patrick Schleizer -Date: Wed Jan 22 09:04:44 2025 -0500 - - add /usr/lib/polkit-1/polkit-agent-helper-1 to permission hardener hardcoded statoverride file - -commit c8a2483cf6735b29ef9b265cc09b58b00b14b6f0 -Author: Patrick Schleizer -Date: Wed Jan 22 13:52:29 2025 +0000 - - bumped changelog version - -commit 80bd314436b99b723359f25e52bbd14683929b56 -Author: Patrick Schleizer -Date: Wed Jan 22 08:25:14 2025 -0500 - - add `.whonix` files to hardcoded files - -commit 9b012bdeee03e73de537e7fe65c0bb8d16b38e79 
-Merge: 507130a1 42f34f5a -Author: Patrick Schleizer -Date: Wed Jan 22 08:23:49 2025 -0500 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/permission-hardener-symlink-fix' - -commit 507130a1cc0592bd4a4b280da7496dade470e637 -Merge: f1b6bff3 ed767e00 -Author: Patrick Schleizer -Date: Wed Jan 22 08:21:39 2025 -0500 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/permission-hardener-diag' - -commit 42f34f5a4ccf95d504e28a26aeb0747fef4685ba -Author: Aaron Rainbolt -Date: Tue Jan 21 21:49:03 2025 -0600 - - Don't handle files with multiple hardlinks - -commit 5e60416c864a7d06f635161a185864fc36d5685c -Author: Aaron Rainbolt -Date: Tue Jan 21 21:05:03 2025 -0600 - - Make permission-hardener always apply changes to real files, not symlinks - -commit ed767e00b0260d29c18c710efe07d68a9beffb34 -Author: Aaron Rainbolt -Date: Tue Jan 21 16:41:30 2025 -0600 - - Add some local variable declarations - -commit 4b1e530674146d4d2b62ff4a87fe3add5667403c -Author: raja-grewal -Date: Tue Jan 21 12:39:06 2025 +0000 - - README.md: List CPU mitigations - -commit 15d13a8571d1f38b2bc36387f61bce24c86be97b -Author: raja-grewal -Date: Tue Jan 21 12:36:04 2025 +0000 - - Add info on DBX updates via the UEFI Revocation List - -commit a97620a2e491cc039adb15af94958f26b39319a2 -Author: Aaron Rainbolt -Date: Mon Jan 20 22:43:55 2025 -0600 - - Add print-diagnostics command to permission-hardener - -commit f1b6bff30b1891bfbe870de9edd78fa7dbd66e7c -Author: Patrick Schleizer -Date: Mon Jan 20 11:35:08 2025 +0000 - - bumped changelog version - -commit df9d058ed9635b168508ded20277c174a24cf3f5 -Author: Patrick Schleizer -Date: Mon Jan 20 06:28:16 2025 -0500 - - usrmerge - -commit 8ff5f3b22125488f64cd384ffbfcbd8f2ecd61a6 -Author: Patrick Schleizer -Date: Mon Jan 20 10:11:43 2025 +0000 - - bumped changelog version - -commit 4e0d5a196ccb8ef3fdf2b67d974f28d02a532f91 -Author: Patrick Schleizer -Date: Mon Jan 20 04:30:26 2025 -0500 - - delete comment only configuration file (moved to 
user-sysmaint-split) - -commit 1b4d1edfc316f125ff5039bf17897802205750e2 -Author: Patrick Schleizer -Date: Mon Jan 20 04:29:42 2025 -0500 - - comments - -commit 51c7010e8f47ce6e6a28e6267c735e897dcfb053 -Author: Patrick Schleizer -Date: Fri Jan 17 13:35:28 2025 +0000 - - bumped changelog version - -commit 876d596a071ac916f7d220ee2449358aedba7efe -Author: Patrick Schleizer -Date: Fri Jan 17 07:55:54 2025 -0500 - - comment - -commit c9e2f82bd01813682998c775f75bac0841239e5e -Merge: 59718697 bf73f1f2 -Author: Patrick Schleizer -Date: Fri Jan 17 07:53:59 2025 -0500 - - Merge remote-tracking branch 'ArrayBolt3/master' - -commit bf73f1f2b5e429caaf01bfbcdc7d5d032e3c0efb -Author: Aaron Rainbolt -Date: Wed Jan 15 19:10:41 2025 -0600 - - Avoid impossible-to-satisfy dependency on helper-scripts, improve string handling robustness in postinst - -commit 597186972e463ce7a0b44662f7656f351ddf1030 -Author: Patrick Schleizer -Date: Wed Jan 15 15:02:44 2025 +0000 - - bumped changelog version - -commit ca257164105c4f66576024b64c52a42921455d16 -Author: Patrick Schleizer -Date: Wed Jan 15 09:44:48 2025 -0500 - - improve permission hardener migration code - -commit 2dfd30a44ae332faa50bc4920486cdd9480c7e5d -Merge: a84d3ba7 328f7471 -Author: Patrick Schleizer -Date: Wed Jan 15 09:33:57 2025 -0500 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/more-permission-hardener' - -commit 328f747179ffb2e7705a73bc9a0c5133a17da829 -Author: Aaron Rainbolt -Date: Tue Jan 14 20:35:28 2025 -0600 - - Restore permission-hardener's notice about how to compare old and new states - -commit c6f09748f383fdf7c1b07441c73477b3f18d2768 -Author: Aaron Rainbolt -Date: Tue Jan 14 20:27:53 2025 -0600 - - Handle de-corruption of new_mode a bit better - -commit a0f81958dfb020d311d86cbd00d4f86f678d8be9 -Author: Aaron Rainbolt -Date: Tue Jan 14 19:25:15 2025 -0600 - - De-corrupt the new_mode permission-hardener statoverride database too - -commit 396372c1295e2a09d596f3e23fccc26794a26f05 -Author: Aaron Rainbolt -Date: 
Tue Jan 14 18:50:24 2025 -0600 - - Avoid scanning unnecessary packages for modified permission-hardener config - -commit a84d3ba732bcbd2fb93ea2bc145a0db0f33f1b77 -Author: Patrick Schleizer -Date: Tue Jan 14 14:32:13 2025 +0000 - - bumped changelog version - -commit 709036c79f8efc9fefa9e7709780a75f9f5004d2 -Author: Patrick Schleizer -Date: Tue Jan 14 09:31:58 2025 -0500 - - debconf-updatepo - -commit 659c7037c6956f6d905e55a1ebb13ebe6a273dee -Author: Patrick Schleizer -Date: Tue Jan 14 14:30:58 2025 +0000 - - bumped changelog version - -commit 86d3db15bf94dc0f4547105e18ef5f26ca124fa8 -Author: Patrick Schleizer -Date: Tue Jan 14 09:30:46 2025 -0500 - - output - -commit 876c0b618785fc71d1d399ff7ab649382104a714 -Author: Patrick Schleizer -Date: Tue Jan 14 09:29:35 2025 -0500 - - output - -commit c46178dee46f88e8d0007a12a48addc2493faab7 -Author: Patrick Schleizer -Date: Tue Jan 14 09:27:37 2025 -0500 - - output - -commit f3c07a2451fd2818daca6bc248cbbcba213516e7 -Author: Patrick Schleizer -Date: Tue Jan 14 09:24:06 2025 -0500 - - update link - -commit bbc4ad7c2a0827d079ccbb18dce4aaae042a2253 -Author: Patrick Schleizer -Date: Tue Jan 14 14:16:45 2025 +0000 - - bumped changelog version - -commit 9bb92e91a8f364a9d9e5d69e907fe8ed8a3c58a2 -Author: Patrick Schleizer -Date: Tue Jan 14 09:16:25 2025 -0500 - - debhelper - -commit 95dd8f419fc7e9832d8ce6f74d35af9b36752f3f -Author: Patrick Schleizer -Date: Tue Jan 14 14:07:50 2025 +0000 - - bumped changelog version - -commit 0a2f06b456854f1cec3ff93952edef928ac7a184 -Author: Patrick Schleizer -Date: Tue Jan 14 09:07:32 2025 -0500 - - use pre.bsh - -commit 6a4f9c1bd8c48bb1a711eee077ea7a05646b0598 -Author: Patrick Schleizer -Date: Tue Jan 14 14:06:50 2025 +0000 - - bumped changelog version - -commit e60183ec073d278f8d69a5475aa52d75870cd9b0 -Author: Patrick Schleizer -Date: Tue Jan 14 09:06:41 2025 -0500 - - output - -commit a812961beabacca052b4b25b78ecd2c35184d5d5 -Author: Patrick Schleizer -Date: Tue Jan 14 09:06:12 2025 -0500 - - 
verbose - -commit 0e4dfc59dd9c06dd732affd8ca7f72a1a70a95b0 -Author: Patrick Schleizer -Date: Tue Jan 14 13:53:49 2025 +0000 - - bumped changelog version - -commit cdf179f1277bcae3ef681d35aeca6289d55b3a6a -Author: Patrick Schleizer -Date: Tue Jan 14 08:53:38 2025 -0500 - - fix - -commit 41cd09933a506d55bab1f8bf101840cf4bbbf028 -Author: Patrick Schleizer -Date: Tue Jan 14 09:26:05 2025 +0000 - - bumped changelog version - -commit eec2e2c8ee621c6ebb152abbfe3951fa0322a0d0 -Author: Patrick Schleizer -Date: Tue Jan 14 04:13:39 2025 -0500 - - comment - -commit 6d282226ef653accf1de32582b999ff31775f60f -Author: Patrick Schleizer -Date: Tue Jan 14 04:12:12 2025 -0500 - - comment - -commit 466308e4f9ebd496ff54dd9f77881ce10a558802 -Author: Patrick Schleizer -Date: Tue Jan 14 04:09:57 2025 -0500 - - permission hardener: disable SUID for `chrome-sandbox` - -commit 7a5f8b87af7142ce973bd88abf98279ce15559a9 -Author: Patrick Schleizer -Date: Tue Jan 14 04:06:44 2025 -0500 - - permission hardener: disable SUID for `ssh-agent`, `ssh-keysign`, `/lib/openssh/*` - - This might break SSH host-based authentication. 
- -commit d89ffcde30f6115c25c1bc807eb30b18c21e2b6e -Author: Patrick Schleizer -Date: Tue Jan 14 04:04:09 2025 -0500 - - comment - -commit 9f1759ba0ea7ecee87c8777226eb8a56482deeb5 -Author: Patrick Schleizer -Date: Tue Jan 14 03:56:55 2025 -0500 - - comment - -commit 0ac85ea9f56abdf621ec1b4f2acf08a2450067ba -Author: Patrick Schleizer -Date: Tue Jan 14 03:54:35 2025 -0500 - - comment - -commit fce6a5f8303cd891efd8bbfef861e357dc90e88e -Author: Patrick Schleizer -Date: Tue Jan 14 03:51:43 2025 -0500 - - comment - -commit 1e9940481318d8d7a443b98f0906089759f27a5d -Author: Patrick Schleizer -Date: Tue Jan 14 03:50:16 2025 -0500 - - comment - -commit b198591537a01f5b35c9301ca28a24c70864bcbd -Author: Patrick Schleizer -Date: Tue Jan 14 03:49:42 2025 -0500 - - comment - -commit 7d44db2cb268c4eb31b50bbd44b87b8001dc068c -Author: Patrick Schleizer -Date: Tue Jan 14 03:49:15 2025 -0500 - - usrmerge - -commit 7e7632a55396e10e20a6e9d8d563011694cccc85 -Author: Patrick Schleizer -Date: Tue Jan 14 08:24:05 2025 +0000 - - bumped changelog version - -commit 420cb3f86f69c4505702a8f38271fb095316cb6f -Author: Patrick Schleizer -Date: Tue Jan 14 03:19:21 2025 -0500 - - refactoring - -commit b7e7b2767eb957dd1401f5abcff07bfcb47a4c00 -Author: Patrick Schleizer -Date: Tue Jan 14 03:18:17 2025 -0500 - - refactoring - -commit b2a1a0ec9f8db1d84c222e734737b7ed149f6d92 -Author: Patrick Schleizer -Date: Tue Jan 14 03:17:00 2025 -0500 - - refactoring - -commit 69ae2d9ea0826aa81c70e957bb5a9241a84346ad -Merge: de1f31e3 de9ebabd -Author: Patrick Schleizer -Date: Tue Jan 14 03:15:45 2025 -0500 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/permission-hardener-migrate' - -commit de9ebabd46798ff2afa259907b6a7b976070e7f0 -Author: Aaron Rainbolt -Date: Mon Jan 13 21:57:10 2025 -0600 - - Fix minor migration bugs, don't run the migration code on new image builds - -commit a9e87e9d308f5e61a2d2054fa038dae6faadad3a -Author: Aaron Rainbolt -Date: Sun Jan 12 21:13:43 2025 -0600 - - Prevent installation 
failures when installing non-interactively - -commit 5570d3e5b9f97f14c772facff16dc45df66d42e9 -Author: Aaron Rainbolt -Date: Sun Jan 12 20:40:41 2025 -0600 - - Add a forgotten set -e - -commit 07786de03953b91310588e0b37b9e150bf1b4736 -Author: Aaron Rainbolt -Date: Sun Jan 12 19:34:41 2025 -0600 - - Enable smooth migration from permission-hardener-v1 to permission-hardener-v2 - -commit de1f31e3df1a0fba0a4c6e41b9b46e076266cfd4 -Author: Patrick Schleizer -Date: Sun Jan 12 11:47:18 2025 +0000 - - bumped changelog version - -commit b0baa8baa57937358dc988b88adab4858a1d8cae -Author: Patrick Schleizer -Date: Sun Jan 12 05:38:35 2025 -0500 - - add link - -commit d6a7cd3e0d1e677c1fa8c1fb3b307cdbe0f45031 -Author: Patrick Schleizer -Date: Sun Jan 12 05:36:16 2025 -0500 - - formatting. - - use chapter to make allow for deep linking - -commit 485d9abd1d14e445b48f0fd63290a985b05a5ac7 -Author: Patrick Schleizer -Date: Fri Jan 10 15:34:21 2025 +0000 - - bumped changelog version - -commit c17485baa118e76cc8074ce3e72ac3ac38c577cd -Merge: 482960d0 e9ef3602 -Author: Patrick Schleizer -Date: Fri Jan 10 10:32:26 2025 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit e9ef3602dd1661de0c0c3781d7e0246720643354 -Merge: 1b33e835 cf435a8f -Author: Patrick Schleizer -Date: Fri Jan 10 10:30:34 2025 -0500 - - Merge pull request #292 from raja-grewal/cpu_table - - Add link to tabular comparison of CPU mitigations - -commit 1b33e83529d652dab4468e0b386e333b3ca4745b -Merge: 486757bf 2e6e1701 -Author: Patrick Schleizer -Date: Fri Jan 10 10:29:30 2025 -0500 - - Merge pull request #291 from raja-grewal/drop_gratuitous_arp - - Drop gratuitous ARP packets - -commit 486757bfae5e7ecc389b16c49704e742fd267565 -Merge: 17ff2491 c37f4efa -Author: Patrick Schleizer -Date: Fri Jan 10 10:29:12 2025 -0500 - - Merge pull request #290 from raja-grewal/arp_ignore - - Respond to ARP requests only if the target IP address is on-link - -commit 17ff24915062736a32d4d54da7163fe34aa70fd3 -Merge: 
27d19ba5 1f8eee47 -Author: Patrick Schleizer -Date: Fri Jan 10 10:28:48 2025 -0500 - - Merge pull request #289 from raja-grewal/arp_filter - - Enable ARP filtering - -commit 27d19ba568e601c37035a310ae6cdd7d953be286 -Merge: 482960d0 5e3785d7 -Author: Patrick Schleizer -Date: Fri Jan 10 10:28:05 2025 -0500 - - Merge pull request #288 from raja-grewal/shared_media - - Deny sending and receiving shared media redirects - -commit 482960d056ec8d624f127bfe9b1c69a4c30c7e34 -Author: Patrick Schleizer -Date: Fri Jan 10 10:21:12 2025 -0500 - - permission-hardener: move to new state folder `/var/lib/permission-hardener-v2` without migration - - https://github.com/Kicksecure/security-misc/pull/294 - -commit cf435a8fa8e6f795a25ef004cf44a65d461dd32c -Author: raja-grewal -Date: Fri Jan 10 13:22:21 2025 +1100 - - README.md: Note importance of microcode updates - -commit 3a31cc99b34617cdd3c5f8e8950a37158849cb56 -Merge: c4cfb859 5941195e -Author: Patrick Schleizer -Date: Thu Jan 9 09:30:58 2025 -0500 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/usrmerge' - -commit 538b312349a97bcecb12e62519d77840afcd6ca3 -Author: raja-grewal -Date: Thu Jan 9 15:28:56 2025 +1100 - - Add comment about microcode updates - -commit 1f8eee47200221e2e38291a31e852e9c222d8c64 -Author: raja-grewal -Date: Wed Jan 8 18:36:00 2025 +1100 - - Add missing sentence full stop - -commit 5e3785d76e616f49407e720b37138f35a50fe4fb -Author: raja-grewal -Date: Wed Jan 8 18:35:52 2025 +1100 - - README.md: Remove double space - -commit 5941195e96880b8beb2a791d3c21f3a4c6d429eb -Author: Aaron Rainbolt -Date: Tue Jan 7 14:10:46 2025 -0600 - - Don't worry about files under /bin anymore, Bookworm uses a merged /usr directory - -commit c4cfb8597d1a8631a4cbfa7e88212b798e2bc514 -Merge: c6be6219 93ebf176 -Author: Patrick Schleizer -Date: Mon Jan 6 08:43:54 2025 -0500 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/permission-hardener-refactor' - -commit c6be621968c898f792ef1a450d2e1be5cd6056da -Author: Patrick 
Schleizer -Date: Mon Jan 6 10:31:40 2025 +0000 - - bumped changelog version - -commit 6e0787957b53a64132b64e2a29bafe3e4b66d178 -Author: Patrick Schleizer -Date: Mon Jan 6 05:29:40 2025 -0500 - - increase priority of pam wheel so it is checked even before faillock - - in case of attemtping to use `su` without being a member of the required group `sudo`, it's useful to abort the PAM stack as early as possible to avoid needlessly propmting for a password to later - be rejected tu to lack of group membership - -commit d4767b75206b46f1a006cd91b00239a7b828fc89 -Author: Patrick Schleizer -Date: Mon Jan 6 04:24:44 2025 -0500 - - fix: apply PAM wheal only to `su` PAM service - -commit 93ebf176c5f38bd268e5394e01421e46b9ae7dff -Author: Aaron Rainbolt -Date: Thu Jan 2 20:41:40 2025 -0500 - - Make the main field count check in permission-hardener a bit more elegant - -commit 895c0f541fb34f9ebfee9c7ef79c053d5af4a7cc -Merge: 717e6fcf 40b23cfa -Author: Aaron Rainbolt -Date: Wed Jan 1 15:04:01 2025 -0600 - - Merge branch 'master' into arraybolt3/permission-hardener-refactor - -commit 40b23cfad40825eefc3686e562d78250b58bbc82 -Author: Patrick Schleizer -Date: Tue Dec 31 18:42:01 2024 +0000 - - bumped changelog version - -commit 33114f771aaeb4dccb0b465861d1239129deb8b2 -Author: Patrick Schleizer -Date: Tue Dec 31 13:26:21 2024 -0500 - - copyright - -commit bb24bff2965ca31de6337820eafd787a11a44a2b -Author: Patrick Schleizer -Date: Tue Dec 31 14:09:34 2024 +0000 - - bumped changelog version - -commit 0640964c35b0d977ba718629d4a8791e67700202 -Author: Patrick Schleizer -Date: Tue Dec 31 06:14:29 2024 -0500 - - readme - -commit 717e6fcfbea38cef9d3e201cf2e2b725e3da2267 -Author: Aaron Rainbolt -Date: Mon Dec 30 19:23:20 2024 -0600 - - Post-review improvements to permission-hardener - -commit dbcb612517abbf8d162cfb31ba0585c518df8817 -Author: Aaron Rainbolt -Date: Wed Dec 25 19:48:28 2024 -0600 - - Polish permission-hardener refactor - -commit 397b476a822c9f7e41ec911f5d689b67026660ad -Author: 
Patrick Schleizer -Date: Thu Dec 26 04:12:02 2024 +0000 - - bumped changelog version - -commit 66f8c18c65f33676d242b57ebb1d4410876461b3 -Merge: aa82202e 6602fb10 -Author: Patrick Schleizer -Date: Wed Dec 25 22:43:04 2024 -0500 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/sysmaint' - -commit 83d386795940099e0835c51f3522aae3d9217dc8 -Author: Aaron Rainbolt -Date: Tue Dec 24 20:14:57 2024 -0600 - - Refactor permission-hardener to be more idempotent - -commit 6602fb102dedc21300ae4c4519f3d9ef4e668045 -Author: Aaron Rainbolt -Date: Tue Dec 24 20:52:34 2024 -0600 - - Adjust pam-info messaging for sysmaint mode - -commit aa82202e701167eacb63eac208469844e983ca43 -Author: Patrick Schleizer -Date: Tue Dec 24 05:16:22 2024 +0000 - - bumped changelog version - -commit 27d015d58ebc5e750d9d06f042b761720473941d -Merge: 3c73c0cd 2f3a2bce -Author: Patrick Schleizer -Date: Tue Dec 24 00:08:58 2024 -0500 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/sysmaint' - -commit 2f3a2bce7756efe75cd8aaf5066b599b4c49bbdc -Author: Aaron Rainbolt -Date: Fri Dec 20 11:04:22 2024 -0600 - - Add warning about using non-sysmaint accounts in sysmaint mode - -commit 3c73c0cd3a845d1a484551ff50f59e5f2ef56a68 -Author: Patrick Schleizer -Date: Fri Dec 20 06:01:27 2024 +0000 - - bumped changelog version - -commit a4c76c617a18a49168e0ffdba2d8b0ae834f2877 -Author: Patrick Schleizer -Date: Fri Dec 20 01:01:13 2024 -0500 - - syntax fix - -commit b40bc0a2c9b17b3569918a6839bce1c67af5c9df -Author: Patrick Schleizer -Date: Fri Dec 20 05:58:24 2024 +0000 - - bumped changelog version - -commit b21c394ea52401c0d77b6ec396af6a49335f5e0b -Author: Patrick Schleizer -Date: Fri Dec 20 00:56:20 2024 -0500 - - Trigger permission hardener when new configuration files are being installed. 
- -commit cd027b86e710b6f6b8fac6dd0ebcdcd691e86dd3 -Author: Patrick Schleizer -Date: Fri Dec 20 05:48:48 2024 +0000 - - bumped changelog version - -commit ad6e1f5ad490e12fc5e69b82da5dc1830cc41c96 -Author: Patrick Schleizer -Date: Fri Dec 20 00:41:06 2024 -0500 - - move from `/etc/permission-hardener.d` to `/usr/lib/permission-hardener.d` - -commit a2c1e8c218117a47ef70dd767d753be5d084adfa -Author: Patrick Schleizer -Date: Fri Dec 20 00:39:51 2024 -0500 - - clean up old files in `/etc/permission-hardener.d` - because will be moved to `/usr/lib/permission-hardener.d` - -commit 6de5d2d0763539d6d0d4b19b501bb316ed3b2c94 -Author: Patrick Schleizer -Date: Fri Dec 20 00:37:44 2024 -0500 - - permission hardener: also parse `/usr/lib/permission-hardener.d/*.conf` folder - -commit 721b100fb64136b7c36c8d43c90c716a1fed42d0 -Author: Patrick Schleizer -Date: Thu Dec 19 10:58:50 2024 +0000 - - bumped changelog version - -commit 642b4eeedc43e69bb82ea259b52c0946ce638983 -Author: raja-grewal -Date: Thu Dec 19 21:57:25 2024 +1100 - - Add link to tabular comparison of CPU mitigations - -commit 175b442d5bb9dfcb4e9b524ec2077e72c74598cc -Author: Patrick Schleizer -Date: Thu Dec 19 05:56:50 2024 -0500 - - use long option name - -commit c99021bb0c1d5b6bf361cc483449330cdd218ee6 -Merge: 95b53576 9d69cd19 -Author: Patrick Schleizer -Date: Thu Dec 19 05:56:01 2024 -0500 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/sysmaint' - -commit 2e6e1701a052ef32711f6c3abaad693a773323f6 -Author: raja-grewal -Date: Thu Dec 19 10:35:08 2024 +0000 - - Set `net.ipv4.conf.*.drop_gratuitous_arp=1` - -commit c37f4efadf8f046168732871172cb66f58eb7c78 -Author: raja-grewal -Date: Thu Dec 19 10:33:49 2024 +0000 - - Set `net.ipv4.conf.*.arp_ignore=2` - -commit af1d06973bdd46af3e39b0bdfda81b950ccac996 -Author: raja-grewal -Date: Thu Dec 19 10:31:43 2024 +0000 - - Set `net.ipv4.conf.*.arp_filter=1` - -commit 750367a9066ca2a0ff819b438a92cb1f6c325edb -Author: raja-grewal -Date: Thu Dec 19 10:29:56 2024 +0000 - - 
Set `net.ipv4.conf.*.shared_media=0` - -commit 95b535764c8a98b67a71ee1fd57b7f01da464106 -Author: Patrick Schleizer -Date: Thu Dec 19 09:43:26 2024 +0000 - - bumped changelog version - -commit daf0a0900b780a9d44d0d9b49b3fca6ddbd20d18 -Author: Patrick Schleizer -Date: Thu Dec 19 04:39:34 2024 -0500 - - fix apt-get-update for non-English locale - - https://forums.kicksecure.com/t/systemcheck-reports-warning-debian-package-update-check-result-apt-get-reports-that-packages-can-be-updated-but-system-is-already-fully-upgraded/785 - -commit e9a5b14a0db6f071424c19e6f4b006386afb6ab4 -Author: Patrick Schleizer -Date: Thu Dec 19 06:57:42 2024 +0000 - - bumped changelog version - -commit 3135a03e21f9e5816097e25aaa7f4a1671f8f87d -Merge: f0c611d9 c7f71964 -Author: Patrick Schleizer -Date: Thu Dec 19 00:34:56 2024 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit c7f7196471b07a580c6d4a5d86739215508142cd -Merge: e5b67e04 3749f8ff -Author: Patrick Schleizer -Date: Thu Dec 19 00:31:25 2024 -0500 - - Merge pull request #287 from raja-grewal/patch - - Refactor and add two CPU mitigations - -commit f0c611d9edb5fd7a3e00d13b248c65abda2c9d8a -Author: Patrick Schleizer -Date: Thu Dec 19 00:18:25 2024 -0500 - - comment - -commit 4f681be77429984695a1b0f689065051884e7bf7 -Merge: 4c3ca684 4cf57575 -Author: Patrick Schleizer -Date: Thu Dec 19 00:17:44 2024 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit e5b67e044bb5011dd667879a73a670f2c5f74057 -Merge: 4cf57575 c1167968 -Author: Patrick Schleizer -Date: Thu Dec 19 00:15:02 2024 -0500 - - Merge pull request #279 from raja-grewal/arp - - Provide network-related hardening options via `sysctl`'s - -commit 4cf5757575c1257a14331f0169a9d8d163e1326d -Merge: 9d06341c 1708a03e -Author: Patrick Schleizer -Date: Thu Dec 19 00:08:56 2024 -0500 - - Merge pull request #282 from ArrayBolt3/arraybolt3/umask - - Enable umask hardening - -commit 9d69cd1912ab657e7916b38f56b477c2b7abd0a3 -Author: Aaron Rainbolt 
-Date: Wed Dec 18 21:34:16 2024 -0600 - - Add sysmaint account lock detection - -commit 3749f8ff097551a843e5ed80de52c6770a32e0c6 -Author: raja-grewal -Date: Wed Dec 18 03:36:09 2024 +0000 - - Update presentation on user namespaces - -commit 0dff2cd28fd769955757cdef1b7f9d637a1180c5 -Author: raja-grewal -Date: Wed Dec 18 03:32:35 2024 +0000 - - Minor additions - -commit 3e96fdd9ccb6268403d6c4f9a061c4a33e6f6dd2 -Author: raja-grewal -Date: Tue Dec 17 11:44:11 2024 +0000 - - Enable `kvm.mitigate_smt_rsb=1` - -commit 45355aabdc180a6a2fdd4a374c6f7d72f4d36240 -Author: raja-grewal -Date: Tue Dec 17 11:42:52 2024 +0000 - - Enable `kvm-intel.vmentry_l1d_flush=always` - -commit defba1f2450b2c8bbc668bf5f6f6f0d101338cc7 -Author: raja-grewal -Date: Tue Dec 17 11:42:03 2024 +0000 - - Refactor CPU mitigations - -commit 943c421889ce5dfe3869380e4587ca22724f2ce7 -Author: raja-grewal -Date: Tue Dec 17 11:40:38 2024 +0000 - - Minor refactoring - -commit ca3a73ac13d805515f71f1be7ecedc33d3a1b519 -Author: raja-grewal -Date: Tue Dec 17 11:37:10 2024 +0000 - - Typo - -commit 4c3ca68453b44074025a1ec9f31451c57344f3cf -Author: Aaron Rainbolt -Date: Mon Dec 9 12:37:11 2024 -0600 - - Disable unnecessary sudoers exceptions - -commit 9d06341c91b51f9c737fe67457045924323635f0 -Merge: a9dd592a 5b88e92e -Author: Patrick Schleizer -Date: Sat Dec 14 15:18:56 2024 -0500 - - Merge pull request #285 from Kicksecure/permission-hardener-mount - - Permission Hardener: treat mount same as umount - -commit c1167968542a62d0677517e11505f6e9222ec378 -Author: raja-grewal -Date: Thu Dec 12 06:36:47 2024 +0000 - - `arp_ignore`: Add reference to 2024-12-10 Mullvad VPN audit details - -commit a9dd592a8b49226f326e90111178aebba3cc144f -Author: Patrick Schleizer -Date: Tue Dec 10 19:19:10 2024 +0000 - - bumped changelog version - -commit 58722324ec0be98c3e44938df8cb60ca9b261210 -Merge: 518224b8 439fa7f3 -Author: Patrick Schleizer -Date: Tue Dec 10 14:18:50 2024 -0500 - - Merge remote-tracking branch 
'ArrayBolt3/arraybolt3/no-recovery-mode' - -commit 518224b8cf9e99a830b584d8d54b5dea2925c8f5 -Author: Patrick Schleizer -Date: Tue Dec 10 19:17:10 2024 +0000 - - bumped changelog version - -commit 439fa7f3be74f5eba4b98f73c0bb50fd37e8b0e1 -Author: Aaron Rainbolt -Date: Sun Dec 8 03:21:27 2024 -0600 - - Harden/disable recovery mode options - -commit 7902311c570edd4286ba36f0cb85223d1e909a03 -Author: Patrick Schleizer -Date: Sat Dec 7 04:54:47 2024 -0500 - - do not create /etc/sysctl.d/30-lkrg-virtualbox.conf if LKRG is not installed - -commit 1ce37d42cd2c132eca8c45ddb04fdb594349d08f -Author: Patrick Schleizer -Date: Sat Dec 7 04:50:40 2024 -0500 - - . - -commit 5b88e92e5c4b951e659e1574fc248bd11158dfb2 -Author: Patrick Schleizer -Date: Fri Dec 6 09:48:58 2024 -0500 - - permission hardner: treat `mount` the same way we treat `umount` - - Thanks to @the-moog for the bug report! - - fixes https://github.com/Kicksecure/security-misc/issues/284 - -commit 93b51819d4693955936456916188b4118fe68a66 -Author: Patrick Schleizer -Date: Fri Dec 6 09:47:08 2024 -0500 - - permission hardener mount chmod change from `745` to `755` - - https://github.com/Kicksecure/security-misc/issues/284 - -commit 1708a03e1edda821ef091f10c46d32f740511d38 -Author: Aaron Rainbolt -Date: Thu Nov 28 15:20:57 2024 -0600 - - Enable umask hardening - -commit 59299a6639fef31565b8f3cef857c9faa331e0f7 -Author: Patrick Schleizer -Date: Mon Nov 25 21:07:42 2024 +0000 - - bumped changelog version - -commit 98d7c245ee11f16e566422a17543aaed2c155d88 -Author: Patrick Schleizer -Date: Mon Nov 25 15:57:30 2024 -0500 - - "|| exit 1" no longer required thanks to errexit - -commit f9b5d7d3f4f2ed8d1baae67d8427f13cf26aee8d -Author: Patrick Schleizer -Date: Mon Nov 25 15:48:01 2024 -0500 - - use strict shell options - -commit d32cb8c95b09721e52c4d682a0ddd39d590a4368 -Author: Patrick Schleizer -Date: Mon Nov 25 15:44:00 2024 -0500 - - use TMP, sponge, refactoring - -commit 62a551cfe39a6a640f32e6e97f3e915aa8673514 -Merge: 
af43472d d7475e25 -Author: Patrick Schleizer -Date: Mon Nov 25 15:38:01 2024 -0500 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/sudoers' - -commit d7475e252a64e296913ed8893261e52e72163d55 -Author: Aaron Rainbolt -Date: Thu Nov 21 20:03:42 2024 -0600 - - Make apt-get-update able to be terminated securely - -commit af43472d0ccdecb1725a200d10aeeb1b8d51f31a -Author: Patrick Schleizer -Date: Thu Nov 14 22:24:50 2024 +0000 - - bumped changelog version - -commit c7e9460b2ae8dcb96196fef69a7e0ed992c1b43b -Author: Patrick Schleizer -Date: Thu Nov 14 16:31:12 2024 -0500 - - output - -commit 31804e30ecc9c5a1c5a8e1e014d3dcb85cee4f36 -Author: Patrick Schleizer -Date: Thu Nov 14 20:46:26 2024 +0000 - - bumped changelog version - -commit ef95b3f9a5aed9652c541cf4bf05b20011718466 -Author: Patrick Schleizer -Date: Thu Nov 14 14:41:14 2024 -0500 - - Revert "fix `panic-on-oops.service`" - - This reverts commit 862d23cb10b7687084f8e7e207d1e2c9c1ef6751. - -commit 412b371e85044962f6620386b767369b9e25d71e -Merge: 141b84c4 57e1edde -Author: raja-grewal -Date: Wed Nov 13 16:47:57 2024 +1100 - - Merge branch 'Kicksecure:master' into arp - -commit 141b84c40de76988ec78bdccf1c1d67fc4367b3f -Author: raja-grewal -Date: Wed Nov 13 05:42:56 2024 +0000 - - Provide option to deny sending and receiving shared media redirects - -commit 18aec201bfb0477fee8800ad1388099e11920016 -Author: raja-grewal -Date: Wed Nov 13 05:41:25 2024 +0000 - - Provide option to harden response to ARP requests - -commit a25d4f8df88908e83e56049204aa625f1196a948 -Author: raja-grewal -Date: Wed Nov 13 05:40:21 2024 +0000 - - Provide option to enable ARP filtering - -commit c2aae73ce161811571e4c85609a0b043399c1b65 -Author: raja-grewal -Date: Wed Nov 13 05:38:03 2024 +0000 - - Add reference and move text - -commit 57e1edde23aa3f313ce087e00ebc14d158356d6c -Author: Patrick Schleizer -Date: Tue Nov 12 09:11:57 2024 +0000 - - bumped changelog version - -commit 7987a3914d364e674eb7479b15708c450041af02 -Author: Patrick 
Schleizer -Date: Tue Nov 12 02:29:42 2024 -0500 - - deleted no longer used and out-commented `/etc/sudoers.d/xfce-security-misc` leftover - -commit 8c2e8e69798e5255529ab3dbee6ca07b8b293100 -Author: Patrick Schleizer -Date: Tue Nov 12 01:41:12 2024 -0500 - - deleted no longer used and out-commented `etc/sudoers.d/pkexec-security-misc` leftover - -commit 65fc0419a84d62e07c61d7e37ef27d144b6b6794 -Author: Patrick Schleizer -Date: Mon Nov 11 11:07:57 2024 +0000 - - bumped changelog version - -commit 50161f5d79eea2ab796863e4eb30eccc17e0b41d -Author: Patrick Schleizer -Date: Mon Nov 11 05:48:11 2024 -0500 - - moved /etc/dkms/framework.conf.d/30_security-misc.conf (renamed) to usability-misc - -commit 7c06e22c7d11c345428f3ad42ba43805ebc8d810 -Author: Patrick Schleizer -Date: Mon Nov 11 05:43:25 2024 -0500 - - deleted `/usr/bin/pkexec.security-misc` - - This was not used anymore for anything. In the past, we used to `config-package-dev` `replace` `/usr/bin/pkexec` with `/usr/bin/pkexec.security-misc` for the purpose of: - - > Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with hidepid. - - * https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040 - * https://forums.whonix.org/t/cannot-use-pkexec/8129 - - This was a worthwhile effort, interesting approach but ultimately a dead-end. - -commit ef05b1a160b24d5aa42da9cc15009d94a37cf120 -Author: Patrick Schleizer -Date: Mon Nov 11 05:40:41 2024 -0500 - - disable legacy matroxfb_base framebuffer driver - - fix typo matroxfb_bases -> matroxfb_base - - Thanks to @ArrayBolt3 for the bug report! - -commit 862d23cb10b7687084f8e7e207d1e2c9c1ef6751 -Author: Patrick Schleizer -Date: Mon Nov 11 05:36:41 2024 -0500 - - fix `panic-on-oops.service` - - remove `After=multi-user.target` because already using `WantedBy=multi-user.target` - - Thanks to @ArrayBolt3 for the bug report! 
- -commit 29ae5f5980d521f6a4b468f5bf41210f78fdf10a -Author: Patrick Schleizer -Date: Mon Nov 11 05:28:31 2024 -0500 - - fix optional opt-in `harden-module-loading.service` - - by making `/usr/libexec/security-misc/disable-kernel-module-loading` executable - - Thanks to @ArrayBolt3 for the bug report! - -commit 4c649577f053af12bcd02c20576bf2d8aec1476d -Author: Patrick Schleizer -Date: Sun Nov 10 11:52:42 2024 +0000 - - bumped changelog version - -commit 29b1f1ec5f3a4bf3991fc1b862751c8eb9769ecd -Merge: 5bd0a277 238f32e8 -Author: Patrick Schleizer -Date: Sun Nov 10 06:32:30 2024 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 5bd0a277bf39812c6adf40a7a3ef6390935fa08e -Author: Patrick Schleizer -Date: Sun Nov 10 06:29:17 2024 -0500 - - fix permission-hardener issue "Removing capabilities failed. File: '/bin/ping'" - - no longer user end-of-options marker (`--`) for `setcap` - since setcap does not support it - - Fixes https://github.com/QubesOS/qubes-issues/issues/9569 - - https://forums.whonix.org/t/permission-hardener-error/20719 - -commit 238f32e81d835e5b9d3bc43a0654d05efa4c4313 -Merge: 3af26841 8107782f -Author: Patrick Schleizer -Date: Fri Nov 8 07:39:40 2024 -0500 - - Merge pull request #280 from raja-grewal/ssbd - - Enable `ssbd=force-on` - -commit 8107782fa54ec0e21893e6bd4a6baabb71eb864b -Author: raja-grewal -Date: Fri Nov 8 15:36:04 2024 +1100 - - Enable `ssbd=force-on` - -commit a1d1f97955fd9fd3cee77dc04e2eb5e5fa29d243 -Author: raja-grewal -Date: Fri Nov 8 03:58:23 2024 +0000 - - Provide option to drop gratuitous ARP packets - -commit 3af2684134279ba6f5b18b40986f02a50baa5604 -Author: Patrick Schleizer -Date: Wed Oct 30 09:43:05 2024 +0000 - - bumped changelog version - -commit 71c58442ca6d57cd95b72a76ed87f8c248cdbd98 -Author: Patrick Schleizer -Date: Mon Oct 28 05:10:19 2024 -0400 - - minor - -commit cfe19e31d858d7899f4d95e21117c992d236d328 -Author: Patrick Schleizer -Date: Mon Oct 28 05:09:53 2024 -0400 - - shell options - -commit 
0d506156587f87a303184f22259ffb57dd92cbc8 -Author: Patrick Schleizer -Date: Mon Oct 28 05:07:00 2024 -0400 - - local - -commit ef0eb5f7a0c5a62c5d26bf6dc534f6aa3decc4b0 -Author: Patrick Schleizer -Date: Mon Oct 28 05:06:26 2024 -0400 - - refactoring - -commit fdd1f4b7f88efc22bb57c2ad3e83c0c2e8cbb064 -Author: Patrick Schleizer -Date: Mon Oct 28 05:06:05 2024 -0400 - - refactoring - -commit d00235897d686895a7e2e7da7435832fee008164 -Author: Patrick Schleizer -Date: Mon Oct 28 05:03:59 2024 -0400 - - hide-hardware-info: also parse `/usr/local/etc/hide-hardware-info.d/*.conf` - -commit 6c2e808b9f34900840bd2857fed10d1ffd4cc4c2 -Author: Patrick Schleizer -Date: Mon Oct 28 05:03:20 2024 -0400 - - refactoring - -commit b44e507900defe3db68f31f3e110b1c3e5aa684c -Author: Patrick Schleizer -Date: Wed Oct 23 09:56:05 2024 +0000 - - bumped changelog version - -commit 566cda5e4bc69f54d63d72f1e30703074fdf0ce8 -Author: Patrick Schleizer -Date: Mon Oct 21 05:47:38 2024 -0400 - - output - -commit 5991a23049491dd04c19d9ea80f7d7381dd494a0 -Author: Patrick Schleizer -Date: Mon Oct 21 05:47:25 2024 -0400 - - comment - -commit fd34baff8ff17ed572469d9d6d884e6c0d881d20 -Merge: b6433309 690e8dd8 -Author: Patrick Schleizer -Date: Mon Oct 21 05:43:53 2024 -0400 - - Merge remote-tracking branch 'ArrayBolt3/master' - -commit 690e8dd826d1cb39c0c12c03792781862cc2dd23 -Author: Aaron Rainbolt -Date: Sat Oct 19 23:49:07 2024 -0500 - - Avoid faillock lock/tally reset on reboot or timeout - -commit b6433309fd7d6839cfba89e1197590e1ff62ef58 -Author: Patrick Schleizer -Date: Fri Oct 18 12:45:02 2024 -0400 - - use end-of-options - -commit 0cfcdf4f89dc75f2a8e3f8a9e8c69dc3ba3da78a -Author: Patrick Schleizer -Date: Wed Oct 16 10:57:20 2024 +0000 - - bumped changelog version - -commit 0adb9b7c0609a51d503b61ab40ae7d8e55635043 -Merge: 263335f7 e50ad807 -Author: Patrick Schleizer -Date: Wed Oct 16 06:31:09 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 
e50ad807c01b5753c67d579126d7b79d38070c0a -Merge: 263335f7 eb72163d -Author: Patrick Schleizer -Date: Wed Oct 16 06:29:25 2024 -0400 - - Merge pull request #276 from raja-grewal/KSPP_header - - Clarify KSPP compliance header - -commit eb72163d5707c7673db1f12405d2e04261bd43c8 -Author: raja-grewal -Date: Mon Oct 14 03:01:15 2024 +0000 - - README.md: Make line lengths consistent - -commit a9f238fe048acfeff49f96c00570acc6ca4c37e8 -Author: raja-grewal -Date: Mon Oct 14 02:57:31 2024 +0000 - - README.md: Split optional setting to new line - -commit 09fe46adc956e8c6de232f1093c37cdd30933acd -Author: raja-grewal -Date: Mon Oct 14 02:54:30 2024 +0000 - - Clarify KSPP compliance header for the undocumented case - -commit 263335f74ea0f050f9c259e20141c3345e7fa789 -Author: Patrick Schleizer -Date: Tue Oct 8 11:24:56 2024 +0000 - - bumped changelog version - -commit 9169611645d0cd5a308ff48862f351ef5ea5f7e8 -Merge: 8a2d432f 8227a3dd -Author: Patrick Schleizer -Date: Tue Oct 8 05:54:50 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 8227a3dde2995ceb113164baf49591d52c2b53e1 -Merge: 8a2d432f 0c0774f6 -Author: Patrick Schleizer -Date: Tue Oct 8 05:53:48 2024 -0400 - - Merge pull request #273 from raja-grewal/text_2 - - Documentation update 2 - -commit 0c0774f6c0927ed1cc599f931175985b8f01ec30 -Merge: dc470cac 8a2d432f -Author: raja-grewal -Date: Sun Oct 6 10:48:52 2024 +0000 - - Merge branch 'master' into text_2 - -commit dc470cac1d93656354aeaaac0a6f8cbbd39f9f0f -Author: raja-grewal -Date: Sun Oct 6 10:46:05 2024 +0000 - - Remmove deprecated link - -commit 8a2d432ffe6d4eb661026b6e7dbf534bb1db971b -Author: Patrick Schleizer -Date: Thu Oct 3 07:22:23 2024 +0000 - - bumped changelog version - -commit 0e3ffa3f11a0049e57803c8f2e75dbb7d8ceb22c -Author: Patrick Schleizer -Date: Thu Oct 3 02:58:58 2024 -0400 - - no longer set `kernel.unprivileged_userns_clone=0` - - because it breaks too much - - fixes https://github.com/Kicksecure/security-misc/issues/274 - 
-commit f401d94d5e0d0f26e93be55deda440fe565a6b22 -Author: Patrick Schleizer -Date: Thu Oct 3 02:44:06 2024 -0400 - - expand documentation on `kernel.unprivileged_userns_clone=0` sysctl - - https://github.com/Kicksecure/security-misc/issues/274 - -commit ac1378743c7448c9a7e7e02bebcf3270592d42a5 -Author: raja-grewal -Date: Mon Sep 30 16:56:18 2024 +1000 - - Consistent formatting - -commit eae38e72f30ff9b9f8d0b8b0b33182a918333e48 -Author: raja-grewal -Date: Thu Sep 26 13:10:36 2024 +0000 - - README.md: Show the current max_map_count - -commit f3b50a23c976ba4feff34eee721c50f698ecc5bf -Author: raja-grewal -Date: Thu Sep 26 13:10:01 2024 +0000 - - Add reference on unprivileged_userns_restriction - -commit 39d063d494cb540f45747f6253ab896200ba03c3 -Author: raja-grewal -Date: Thu Sep 26 13:09:21 2024 +0000 - - Add KSPP=no definition - -commit 5572eb897a10455041df8abec6b6be6de29431a0 -Author: Patrick Schleizer -Date: Wed Sep 25 01:03:42 2024 +0000 - - bumped changelog version - -commit e04f9cd4c17305d5201aa973c34778e81508734b -Merge: 18d426f5 65aa9105 -Author: Patrick Schleizer -Date: Tue Sep 24 20:16:06 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 65aa910503c07f708abf20f78be2f519ef58764a -Merge: 18d426f5 870ff886 -Author: Patrick Schleizer -Date: Tue Sep 24 20:15:03 2024 -0400 - - Merge pull request #272 from raja-grewal/text - - Documentation update - -commit 870ff88605b8167c8882162cc3da005d71ca0cd3 -Author: raja-grewal -Date: Wed Sep 25 10:01:45 2024 +1000 - - Comment on Flatpak requiring unprivileged user namespaces - -commit 769767a96a5de2a8bc05e70ca490d8340b553061 -Author: raja-grewal -Date: Wed Sep 25 09:54:49 2024 +1000 - - Update mmap ASLR docs - -commit 18d426f521b2b1369fe68e143dc8a0be064d0dcc -Author: Patrick Schleizer -Date: Sat Sep 14 02:56:09 2024 +0000 - - bumped changelog version - -commit 3280dbd5d562d7f6b50118ac0da36c3285493be6 -Author: Patrick Schleizer -Date: Fri Sep 13 22:52:47 2024 -0400 - - Fix VirtualBox audio 
device ICH AC97. - - no longer `blacklist snd_intel8x0` - - Breaks VirtualBox audio device ICH AC97, which is unfortunately still required by some users. - https://www.kicksecure.com/wiki/Dev/audio - - Fixes https://github.com/Kicksecure/security-misc/issues/271 - -commit 1bc694fa124eaeb6e1517d2191a8fd97446872c4 -Author: Patrick Schleizer -Date: Sun Sep 8 17:41:30 2024 +0000 - - bumped changelog version - -commit 01908d505a59e7ec37cc3de3e1d49ff35ba127aa -Author: Patrick Schleizer -Date: Thu Sep 5 07:00:11 2024 -0400 - - readme - -commit e914028be7a48a3bfdf86e09c029011807f080d7 -Author: Patrick Schleizer -Date: Thu Sep 5 06:03:05 2024 -0400 - - add KSPP compliance status to readme based on comment by @raja-grewal - - https://github.com/Kicksecure/security-misc/issues/256#issuecomment-2330376651 - -commit 40fb14c654df94e9bdfb30ae55fc3bc4f0a0aef4 -Author: Patrick Schleizer -Date: Wed Sep 4 14:13:15 2024 +0000 - - bumped changelog version - -commit 5a255d4831470449a26b324a8f16594432bf834b -Merge: d618f9f3 563a8980 -Author: Patrick Schleizer -Date: Wed Sep 4 10:12:34 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 563a8980133e15e33ac95a631e37ecfff88f6f8f -Merge: 175945ec e61027a4 -Author: Patrick Schleizer -Date: Wed Sep 4 10:11:48 2024 -0400 - - Merge pull request #265 from raja-grewal/mmap_min_addr - - Set `sysctl vm.mmap_min_addr=65536` - -commit d618f9f35b8e8c6eee1e164a6ec300d63b1ee797 -Merge: 59374ce9 175945ec -Author: Patrick Schleizer -Date: Wed Sep 4 10:07:50 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 175945ec9a28bf1e5b0fa0d2ae2bd6546d6c6172 -Merge: b0a85441 3101035a -Author: Patrick Schleizer -Date: Wed Sep 4 10:05:47 2024 -0400 - - Merge pull request #268 from raja-grewal/panic_on_warn - - Enable `panic_on_warn=1` - -commit b0a8544182f6ff3c8c3f1068176ff5e9e4f557ef -Merge: 59374ce9 7393ba15 -Author: Patrick Schleizer -Date: Wed Sep 4 10:04:45 2024 -0400 - - Merge pull request #270 from 
raja-grewal/typo - - Small typo - -commit 7393ba159192fdfc45ef31a3fa60786f899dbf25 -Author: raja-grewal -Date: Wed Sep 4 23:23:24 2024 +1000 - - Typo - -commit 59374ce902127e2125addc2ebb57d0d856a63671 -Author: Patrick Schleizer -Date: Thu Aug 29 09:49:51 2024 +0000 - - bumped changelog version - -commit 7e2838ec077b53e41d468d5655290152761c8745 -Merge: 9c918eb4 0762794f -Author: Patrick Schleizer -Date: Thu Aug 29 05:06:07 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 0762794ff684049a62b5b92b61177615a5376ad7 -Merge: 9c918eb4 6294729c -Author: Patrick Schleizer -Date: Thu Aug 29 04:46:26 2024 -0400 - - Merge pull request #269 from raja-grewal/tidy - - Minor correction - -commit 6294729c8ef24077cd342b4557653806c3aacd34 -Author: Raja Grewal -Date: Thu Aug 29 15:34:24 2024 +1000 - - Follow-up on https://github.com/Kicksecure/security-misc/commit/f70fe308a9f65873d34de2d1906d825f3a56e272 - -commit 3101035a3fd5fbe87c79e95e51dc2da39fee93d5 -Author: Raja Grewal -Date: Thu Aug 29 01:57:32 2024 +1000 - - Enable `panic_on_warn=1` - -commit 9c918eb4313b60dc15aa9fa4474a7977602030c1 -Author: Patrick Schleizer -Date: Wed Aug 28 11:01:37 2024 +0000 - - bumped changelog version - -commit f70fe308a9f65873d34de2d1906d825f3a56e272 -Author: Patrick Schleizer -Date: Wed Aug 28 06:49:50 2024 -0400 - - no longer set sysctl `fs.binfmt_misc.status=0` / - no longer disallow registering interpreters for miscellaneous binary formats - - causing file/folder permissions issue `d????????? ? ? ? ? ? 
.` - - Firefox no longer starting (probably not not a Firefox issue) - - https://github.com/Kicksecure/security-misc/issues/267 - -commit 463aa58f28b6389d0925fed87096b348b652cc16 -Merge: cf824ddb 328840c9 -Author: Patrick Schleizer -Date: Wed Aug 28 06:42:49 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 328840c933a583adc5458aa08c63fb627b31b298 -Merge: cf824ddb 9e91c98c -Author: Patrick Schleizer -Date: Wed Aug 28 06:38:57 2024 -0400 - - Merge pull request #264 from raja-grewal/kspp_compliance - - Add KSPP compliance notices to corresponding parameters and `sysctls` - -commit 9e91c98cc926e7a166458cd78e3c1d1ced23c753 -Author: Raja Grewal -Date: Mon Aug 26 12:40:04 2024 +1000 - - Add details on BPF hardening and split the `sysctl`s - -commit 2c356e8b0ef7db56e7b453535c8cb6c83fc2e3c6 -Author: Raja Grewal -Date: Mon Aug 26 11:34:12 2024 +1000 - - Add KSPP notice definitions - -commit 2841d789bebbd43f855b6ffb92a3a6f017007a72 -Author: Raja Grewal -Date: Mon Aug 26 11:21:26 2024 +1000 - - README: Update - -commit ac6602ac3531ae57603e8a9e5ac2ee1652164b23 -Author: Raja Grewal -Date: Mon Aug 26 11:19:20 2024 +1000 - - Add detail on disabling user namespaces breaking UPower - -commit 9dbd200be415c86e7039463c6269fad8395a4373 -Merge: 32de5e7c cf824ddb -Author: raja-grewal -Date: Mon Aug 26 11:08:21 2024 +1000 - - Merge branch 'Kicksecure:master' into kspp_compliance - -commit cf824ddb248957fd9e542c1a5adc5e90381f684c -Author: Patrick Schleizer -Date: Sun Aug 25 15:34:55 2024 +0000 - - bumped changelog version - -commit 500568e322b2e3623fc649209d671c7b9d9fa097 -Merge: 43d13b70 73900b59 -Author: Patrick Schleizer -Date: Sun Aug 25 11:01:58 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 73900b59db37d77bc24bd5088aae3cc760aacc69 -Merge: 43d13b70 1f51d4ee -Author: Patrick Schleizer -Date: Sun Aug 25 11:00:51 2024 -0400 - - Merge pull request #263 from raja-grewal/max_user_namespaces - - Provide option to disable user 
namespaces - -commit 43d13b70f12d2198a800054ce4d1ff901cc474f9 -Merge: 83537641 fae586c3 -Author: Patrick Schleizer -Date: Sun Aug 25 10:55:52 2024 -0400 - - Merge remote-tracking branch 'raja/syntax' - -commit 835376418d616699023f8e638666f43d34241863 -Merge: ae85fd5b 342caf82 -Author: Patrick Schleizer -Date: Sun Aug 25 10:48:25 2024 -0400 - - Merge remote-tracking branch 'raja/mod' - -commit ae85fd5b4ce6f4716f95332c19b79d3daa8f7220 -Author: Patrick Schleizer -Date: Sun Aug 25 14:33:40 2024 +0000 - - bumped changelog version - -commit 433b15f985545f531b87d09659bbbb89993b5a67 -Author: Raja Grewal -Date: Wed Aug 21 12:51:51 2024 +1000 - - README.md: Organise `sysctl`s - -commit af87a84b4f40b2ad9ac05dd9bce837665f239454 -Author: Raja Grewal -Date: Wed Aug 21 12:52:48 2024 +1000 - - README.md: Organise kernel boot parameters - -commit 32de5e7c49d301b62b838ba88550f58b02b6562b -Author: Raja Grewal -Date: Sun Aug 25 12:57:22 2024 +1000 - - Add details on oopses and warnings - -commit e4909b5e28e16f09de0e548c9221578ebe1190a3 -Author: Raja Grewal -Date: Sun Aug 25 12:47:04 2024 +1000 - - Add details on kernel panics - -commit 342caf82b20acc2931563449fafe9a98cbedaba2 -Author: Raja Grewal -Date: Wed Aug 21 12:52:48 2024 +1000 - - README.md: Organise kernel boot parameters - -commit b87a18d4050bbf2add5cc4920684876a440e65bb -Author: Raja Grewal -Date: Wed Aug 21 12:51:51 2024 +1000 - - README.md: Organise `sysctl`s - -commit 18ed77ecc93e9ee759a4990a32edb3dd671b8c26 -Author: Raja Grewal -Date: Wed Aug 21 12:50:14 2024 +1000 - - Refactor modprobe.d to minimise potential future merge conflicts - -commit 56b28e38264fe742b8d694176f1057c15574fc08 -Author: Raja Grewal -Date: Mon Aug 19 11:50:08 2024 +1000 - - Typo - -commit e61027a40e2ab82fac3ae4cfd5f91fd0a47f31e5 -Author: Raja Grewal -Date: Mon Aug 19 11:32:20 2024 +1000 - - Set `sysctl vm.mmap_min_addr=65536` - -commit 94dab1b7c503429e2fa91019a0183b2f36c6693f -Author: Raja Grewal -Date: Mon Aug 19 10:53:05 2024 +1000 - - Partial 
compliance with the KSPP on kernel panics - -commit 683110e7f02fa5fc6415354386552640cdb8758b -Author: Raja Grewal -Date: Mon Aug 19 01:34:14 2024 +1000 - - Correction - -commit 1f51d4eeb2b0c6e23ce64fb272eecb97e089324d -Author: Raja Grewal -Date: Sun Aug 18 13:53:11 2024 +1000 - - Add details on user namespaces - -commit 248e094b8e0bbf7892f79ad1c3ec77c7ed00d008 -Author: Raja Grewal -Date: Sat Aug 17 01:06:21 2024 +1000 - - Include KSPP compliance notices - -commit 759aee8150a2d1258d73217c071b25432d47496f -Author: Raja Grewal -Date: Fri Aug 16 22:54:57 2024 +1000 - - Provide option to disable user namespaces - -commit fae586c3c5e8382ca01c60f810b26d88189a5514 -Author: Raja Grewal -Date: Fri Aug 16 19:23:48 2024 +1000 - - Patch bug in existing `rp_filter` `sysctl` - -commit e962153f84c4cb8e13fb0cc25d611ae481c7a0c7 -Author: Patrick Schleizer -Date: Fri Aug 16 08:38:12 2024 +0000 - - bumped changelog version - -commit 40b12f5a2a4a40d7033569b11ad4e1c228e7389b -Merge: 12296c68 305467c6 -Author: Patrick Schleizer -Date: Fri Aug 16 04:30:29 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 305467c652af933bb5aa5a677b10a992a5f19cab -Merge: 12296c68 a5373afc -Author: Patrick Schleizer -Date: Fri Aug 16 04:25:43 2024 -0400 - - Merge pull request #245 from raja-grewal/blacklist_to_disable - - Update `/etc/modprobe.d/*` - -commit 12296c68dc0aaa3703e1c36f854a02de8db412fe -Merge: 4bc12b07 036bcea4 -Author: Patrick Schleizer -Date: Fri Aug 16 04:22:43 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 036bcea4e6757de094fcafdadcf56aaa90729d79 -Merge: ef60c5b1 81bf7a8f -Author: Patrick Schleizer -Date: Fri Aug 16 04:20:32 2024 -0400 - - Merge pull request #262 from raja-grewal/docs - - Miscellaneous updates to presentation - -commit 81bf7a8f90098a7107dcb3c783b87a168f5c090f -Merge: cea8e753 ef60c5b1 -Author: raja-grewal -Date: Fri Aug 16 16:57:01 2024 +1000 - - Merge branch 'Kicksecure:master' into docs - -commit 
ef60c5b153a521e1cfd522ac471a8ca6dc076d90 -Merge: 4bc12b07 b552b924 -Author: Patrick Schleizer -Date: Fri Aug 16 02:43:57 2024 -0400 - - Merge pull request #249 from raja-grewal/binfmt_misc - - Disallow registering interpreters for miscellaneous binary formats - -commit cea8e753786d100ebe961ad74a99925e54d47771 -Author: Raja Grewal -Date: Fri Aug 16 14:55:22 2024 +1000 - - Consistent formating - -commit 84376d23fc17d2ced890ffca0b05d15907d42a6f -Author: Raja Grewal -Date: Fri Aug 16 13:39:11 2024 +1000 - - Add details on ASLR and move to user space section - -commit a13298002350a39491a509d15633edb95a2e3edd -Author: Raja Grewal -Date: Fri Aug 16 13:24:25 2024 +1000 - - Update README.md - -commit 9212a4e93754a4505be3fcf0ff4b029c073d2f07 -Author: Raja Grewal -Date: Fri Aug 16 13:12:07 2024 +1000 - - Typos - -commit 23a77d4973ec20b2aaab6a9c3a9fd8a98034923e -Author: Raja Grewal -Date: Fri Aug 16 12:46:51 2024 +1000 - - Simplify syntax of some network-related `sysctl`'s - -commit e3a3207a4447568a17129afe9dde34debc465e21 -Author: Raja Grewal -Date: Fri Aug 16 12:41:36 2024 +1000 - - Clarify DMA hardening - -commit be9308e490f79a7b7788a744524d1d91cc870726 -Merge: 73db68db 4bc12b07 -Author: raja-grewal -Date: Fri Aug 16 11:45:43 2024 +1000 - - Merge branch 'Kicksecure:master' into docs - -commit 4bc12b07b42def786862b938e3f63c18cf874158 -Author: Patrick Schleizer -Date: Thu Aug 15 17:51:18 2024 +0000 - - bumped changelog version - -commit 9e61e37c17524b57f185b796f2ac19ba193205a8 -Merge: 89e816dd dfd1c971 -Author: Patrick Schleizer -Date: Thu Aug 15 13:47:33 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit dfd1c97168249b229495cbd873d4d8493e244663 -Merge: 89e816dd ec3038c7 -Author: Patrick Schleizer -Date: Thu Aug 15 13:46:30 2024 -0400 - - Merge pull request #248 from raja-grewal/secure_redirects - - Re-enable (default) `secure_redirects` for ICMP redirect messages - -commit b552b92401f67d59e12ac6fda2f7fe1c54b0c8a7 -Author: Raja Grewal -Date: Thu 
Aug 15 11:54:21 2024 +1000 - - Add references on `fs.binfmt_misc.status` - -commit 326d82a9beee130956dd817812016a6ee16fccbc -Author: Raja Grewal -Date: Thu Aug 15 11:46:56 2024 +1000 - - Revert "Provide optional `sysctl fs.binfmt_misc.status=0`" - - This reverts commit debd7a7b7ae8b03e04d2c8597bcccf2c79000570. - -commit 73db68dbf9a1f9ded95a593db36a4960ce06a173 -Author: Raja Grewal -Date: Fri Aug 9 14:27:30 2024 +1000 - - Add details on KFENCE - -commit f8fa89b245d929aee9884937fdcf44a6551df4cf -Author: Raja Grewal -Date: Fri Aug 9 14:21:59 2024 +1000 - - Add details on `tcp_timestamps` - -commit 3456f1c1d7725846ec201c28dd693bf9b07bab89 -Author: Raja Grewal -Date: Fri Aug 9 13:39:25 2024 +1000 - - Minor consistency update in README.md - -commit 15c638acad64cc3dcc7b5c43d9a6be2fa2350654 -Author: Raja Grewal -Date: Fri Aug 9 13:36:47 2024 +1000 - - Add reference on RDRAND - -commit 077bc48a26d1d3f5d1f758d7e251edccba64742b -Author: Raja Grewal -Date: Fri Aug 9 13:35:33 2024 +1000 - - Add reference on `rp_filter` - -commit d8bcec881f66604e29d6e0c1426635e2ad4979f1 -Author: Raja Grewal -Date: Fri Aug 9 13:33:32 2024 +1000 - - Add some notices for future Debian 13 rebase - -commit 0b0683499a6a21e3995a115c377eb19008bc4cd1 -Author: Raja Grewal -Date: Fri Aug 9 13:30:39 2024 +1000 - - Consistent line length formatting - -commit e5a38fc856c66d2bd6abc35fc08d4f2083ea8e54 -Author: Raja Grewal -Date: Fri Aug 9 13:30:15 2024 +1000 - - Typo - -commit a5373afc55e789f4657f3d843243e878e4afffa2 -Author: Raja Grewal -Date: Wed Aug 7 14:44:14 2024 +1000 - - Details on disabled `fbdev` kernel modules - -commit e98dc8c4f8af32dd3b10c034477fd2154df189ac -Author: Raja Grewal -Date: Wed Aug 7 14:14:47 2024 +1000 - - Update notifications for disabled kernel modules - -commit 50fa721fd54cd696ae90a35bc7df7c8f1eb17a13 -Author: Raja Grewal -Date: Wed Aug 7 14:01:49 2024 +1000 - - Update docs regarding Intel module disabling - -commit ec3038c7bc625f6c8eddb753ffe295ff2697a717 -Author: Raja Grewal -Date: 
Wed Aug 7 13:48:53 2024 +1000 - - Clarify `secure_redirects` - -commit debd7a7b7ae8b03e04d2c8597bcccf2c79000570 -Author: Raja Grewal -Date: Wed Aug 7 13:33:44 2024 +1000 - - Provide optional `sysctl fs.binfmt_misc.status=0` - -commit 89e816dda6c5a00512b276071c4d9fe108ee63b5 -Author: Patrick Schleizer -Date: Tue Aug 6 14:01:39 2024 +0000 - - bumped changelog version - -commit 967f9e257b09bc73ddb579292d507f7cb9832643 -Merge: fa909186 a25aaf90 -Author: Patrick Schleizer -Date: Tue Aug 6 09:57:56 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit a25aaf900a12666046278a9fab6933b3d5670679 -Merge: 6bc039a4 85590793 -Author: Patrick Schleizer -Date: Tue Aug 6 09:55:20 2024 -0400 - - Merge pull request #260 from raja-grewal/vdso32 - - Enable `vdso32=0` - -commit 6bc039a430289342f06857a52a5f13829d6e50f5 -Merge: ce60d561 d102ec19 -Author: Patrick Schleizer -Date: Tue Aug 6 09:52:56 2024 -0400 - - Merge pull request #259 from raja-grewal/kfence - - Enable `kfence.sample_interval=100` - -commit ce60d5615fe99e41c48d459f562d581a688c295a -Merge: b0278428 c0d140f2 -Author: Patrick Schleizer -Date: Tue Aug 6 09:48:08 2024 -0400 - - Merge pull request #258 from raja-grewal/legacy_tiocsti - - Enable `dev.tty.legacy_tiocsti=0` - -commit b0278428a73cd3d329aaa36626005e0c593331f0 -Merge: fa909186 aa34d865 -Author: Patrick Schleizer -Date: Tue Aug 6 09:39:04 2024 -0400 - - Merge pull request #257 from raja-grewal/slab_debug - - Enable `slab_debug=FZ` - -commit 8559079312adb4ed92e5f478120b408dfe7a1124 -Author: Raja Grewal -Date: Mon Aug 5 15:10:02 2024 +1000 - - Enable `vdso32=0` - -commit d102ec19972865032f12f90bffe3e592546f0267 -Author: Raja Grewal -Date: Mon Aug 5 15:07:56 2024 +1000 - - Enable `kfence.sample_interval=100` - -commit c0d140f2211e6490d13e3cd327005027c668905f -Author: Raja Grewal -Date: Mon Aug 5 15:06:34 2024 +1000 - - Enable `dev.tty.legacy_tiocsti=0` - -commit aa34d86598f5b846b007730104e4c99c59f9984d -Author: Raja Grewal -Date: Mon Aug 5 
14:27:17 2024 +1000 - - Enable `slab_debug=FZ` - -commit 4f7f82016015f61002ac8f778b61968c572dc7dc -Author: Raja Grewal -Date: Mon Aug 5 14:16:33 2024 +1000 - - Add reference - -commit fa9091869d417c6494840d0cb32623037d70c8be -Merge: 06f0c271 725118c5 -Author: Patrick Schleizer -Date: Sun Aug 4 16:20:36 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 725118c5759b45118bbd2804492526ea2a7c1a81 -Merge: 6d97408a 6d211faf -Author: Patrick Schleizer -Date: Sun Aug 4 16:19:52 2024 -0400 - - Merge pull request #243 from raja-grewal/namespaces - - Restrict unprivileged user namespaces - -commit 06f0c27128a66c1074f405de3139651519e48204 -Merge: 8abc5ae8 6d97408a -Author: Patrick Schleizer -Date: Sun Aug 4 16:15:01 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 6d97408a6d2f002461ae6ca1d647fbf24bf1b99e -Merge: 8abc5ae8 6f14d68c -Author: Patrick Schleizer -Date: Sun Aug 4 16:11:46 2024 -0400 - - Merge pull request #255 from raja-grewal/SLUB - - Restore option to enable `slub_debug=FZ` - -commit 8abc5ae8f0f152c68f855f0e8d993880589c5d5c -Merge: de6f3ea7 eab66dad -Author: Patrick Schleizer -Date: Sun Aug 4 16:09:52 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit eab66dad0994e408c1beaade3fdcf2cd1d605b31 -Merge: de6f3ea7 ca2179bb -Author: Patrick Schleizer -Date: Sun Aug 4 16:08:32 2024 -0400 - - Merge pull request #254 from raja-grewal/patch - - Updates to kernel and `sysctl` hardening - -commit 6f14d68cdcad3784311e33029eba6906ea0784c2 -Author: Raja Grewal -Date: Sat Aug 3 15:12:15 2024 +1000 - - Update legacy name `slub_debug` -> `slab_debug` - -commit 22b6cee80c74aff3d0f9cd36822ae88f8fa8e601 -Author: Raja Grewal -Date: Sat Aug 3 15:11:14 2024 +1000 - - Add details about `slub_debug` - -commit b77d1a2b980ae20158aa628eec67b016282d0a40 -Author: Raja Grewal -Date: Sat Aug 3 14:49:48 2024 +1000 - - Revert "Remove the optional `slub_debug` parameter since it is no longer recommended" - - 
This reverts commit 48e1ac416314d2c66f3a0d5044a3c51cb6fb4093. - -commit ca2179bb6a01e3ebbb1e04e3507cc305f25bca4e -Author: Raja Grewal -Date: Sat Aug 3 00:25:49 2024 +1000 - - Provide the option to disable legacy TIOCSTI operation - -commit 52aeacb4da4a8458b0ffdc1ade4094a178def6f4 -Author: Raja Grewal -Date: Sat Aug 3 00:13:38 2024 +1000 - - Provide option to disable 32 bit vDSO mappings - -commit 9099ecce8ae12352f2b739d3d7adf6069488ff49 -Author: Raja Grewal -Date: Sat Aug 3 00:12:50 2024 +1000 - - Provide option to enable the kernel Electric-Fence - -commit f6a16258a116ce5c5f4f6bad9d8ab9b6e1ec6bb7 -Author: Raja Grewal -Date: Sat Aug 3 00:11:06 2024 +1000 - - Add references to KSPP - -commit e53d24fc48b51a21fc182cc59890e97a1d7ac647 -Author: Raja Grewal -Date: Sat Aug 3 00:09:42 2024 +1000 - - Add missing GRUB command lines for disabled boot parameters - -commit de6f3ea74a5a1408e4351c955ecb7010825364c5 -Author: Patrick Schleizer -Date: Sun Jul 28 20:50:22 2024 +0000 - - bumped changelog version - -commit d036094089e3e3a74df981c50882481273fcb6c0 -Merge: e60ce50d 0f86fbd8 -Author: Patrick Schleizer -Date: Sun Jul 28 15:44:40 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 0f86fbd8ceea3157ee035eb9f4a0ff13024f1bc9 -Merge: e60ce50d 73979d43 -Author: Patrick Schleizer -Date: Sun Jul 28 15:43:54 2024 -0400 - - Merge pull request #242 from raja-grewal/ptrace - - Disable the usage of `ptrace()` by all processes - -commit 9cabaa1bd15a0639c87bf2e965755d06ff0a7bb4 -Author: Raja Grewal -Date: Sun Jul 28 22:04:30 2024 +1000 - - Typo - -commit d2d024ebe9a371eaf90b7b72f8a227e5d2e9babe -Author: Raja Grewal -Date: Sun Jul 28 22:03:33 2024 +1000 - - Typo - -commit 9fbee9fc82768c3b436307459d174378ee471335 -Author: Raja Grewal -Date: Sun Jul 28 21:57:25 2024 +1000 - - Clarify - -commit e60ce50d30c8981f13d8bab1d6ca8b8efb9d8928 -Author: Patrick Schleizer -Date: Sat Jul 27 16:13:35 2024 +0000 - - bumped changelog version - -commit 
e86b2e7f8fcda5727b158579610cb6a0354e89cf -Author: Patrick Schleizer -Date: Sat Jul 27 12:13:18 2024 -0400 - - output - -commit 144545762674e914046bb94100237329320e8ece -Author: Raja Grewal -Date: Sat Jul 27 14:00:30 2024 +1000 - - Show details regarding `secure_redirects` (again) - -commit 73979d4342dae2017be52d5182bb66fa28be398d -Author: Raja Grewal -Date: Sat Jul 27 13:28:59 2024 +1000 - - Link to `ptrace()` discussion - -commit 1c9f33f90606fb930744f1b9afc11caf87626194 -Author: Raja Grewal -Date: Sat Jul 27 13:24:08 2024 +1000 - - Revert "Disable the usage of `ptrace()` by all processes" - - This reverts commit b04828f858fa6d101099773d3156841fd6d33b6f. - -commit 330cf14eab248d035fa467dba4f7bc3eb92a33bb -Author: Patrick Schleizer -Date: Fri Jul 26 15:40:24 2024 +0000 - - bumped changelog version - -commit 62bb4bc6269a0603c15f1efaad7ca365ea15c9d7 -Merge: 7969e860 886f6095 -Author: Patrick Schleizer -Date: Fri Jul 26 11:10:25 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 886f6095dba71d76d5fd98277374417657e0cd31 -Merge: 7969e860 ed333669 -Author: Patrick Schleizer -Date: Fri Jul 26 11:08:30 2024 -0400 - - Merge pull request #250 from raja-grewal/Panik-Kalm - - Add details on "oopes" and kernel panics - -commit 7969e8607160eae0cb5a3adddeec8d07c1d6e097 -Merge: e2ae93a9 0318f577 -Author: Patrick Schleizer -Date: Fri Jul 26 11:06:13 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 0318f577ab554ae2ac0f9417b18134723ea2b580 -Merge: e2ae93a9 4397de01 -Author: Patrick Schleizer -Date: Fri Jul 26 11:04:29 2024 -0400 - - Merge pull request #246 from raja-grewal/cfi - - Provide the option to change the default CFI implementation in the future - -commit e2ae93a9571f2f0c9077ea61436a540a3be5a894 -Author: Patrick Schleizer -Date: Fri Jul 26 10:30:45 2024 -0400 - - port to safe_echo - -commit 8ec23ed7128580ed0092df43945ba55e94163a6d -Author: Patrick Schleizer -Date: Fri Jul 26 10:28:57 2024 -0400 - - echo does not 
support end-of-options - -commit 6096ed1109a0d5a62a844552fee500ebe66071c8 -Author: Patrick Schleizer -Date: Fri Jul 26 10:26:43 2024 -0400 - - comment - -commit ac41d1cfff8b722248a5ef1dfe38a8c704f04134 -Author: Patrick Schleizer -Date: Fri Jul 26 10:25:59 2024 -0400 - - comment - -commit 3b033ceba24e5e14056d54710d782397e5c669df -Author: Patrick Schleizer -Date: Fri Jul 26 10:17:24 2024 -0400 - - shellcheck - -commit 04d9ca1ebe79cae5cce04b6533285b8d1299d692 -Author: Patrick Schleizer -Date: Fri Jul 26 10:16:20 2024 -0400 - - use `find` with `safe_echo_nonewline` - -commit 20454fb81157f1f962f36d9c37d34f4ac650a1e6 -Merge: 28b25bda 6bbf176e -Author: raja-grewal -Date: Sat Jul 27 00:09:30 2024 +1000 - - Merge branch 'Kicksecure:master' into blacklist_to_disable - -commit 6bbf176e3b91f842cf4cdeaf8cb1f4c60e159a0c -Author: Patrick Schleizer -Date: Fri Jul 26 09:33:45 2024 -0400 - - consider end-of-options for `find` - -commit 794f6a25fa87a9d6d796b07ee06b690ea0badc92 -Author: Patrick Schleizer -Date: Fri Jul 26 09:08:29 2024 -0400 - - comment - -commit 7e0f1a87010674c63963b70c87e903cf27b288ef -Author: Patrick Schleizer -Date: Fri Jul 26 09:08:04 2024 -0400 - - dpkg-statoverride can actually handle '--file-name'. - -commit ee037c01a1208b9247c3ae144fa3faa68657ffdb -Author: Patrick Schleizer -Date: Fri Jul 26 08:58:44 2024 -0400 - - Skip file names starting with '--', - - because this would be interpreted by dpkg-statoverride as an option. 
- -commit 82d401a7de58b74448113bed36c8f0cc073c7f82 -Author: Patrick Schleizer -Date: Fri Jul 26 08:52:42 2024 -0400 - - sanity test - -commit 0e661bc688c7222840c9d83fb3ccab6549b3ac11 -Author: Patrick Schleizer -Date: Fri Jul 26 08:49:14 2024 -0400 - - output - -commit d144f68d1a06a1153c4178b2f6ba9643dededbb8 -Author: Patrick Schleizer -Date: Fri Jul 26 08:46:08 2024 -0400 - - output - -commit 05504b9ab251ae6e48b5d28eb5fdcd12d730ea8a -Author: Patrick Schleizer -Date: Fri Jul 26 08:40:10 2024 -0400 - - minor - -commit d96c0633d431dafd034ae8d1ae0ffbb59c49be4a -Author: Patrick Schleizer -Date: Fri Jul 26 08:39:11 2024 -0400 - - more use of end of options - -commit 8e40c10c319a76e0256c8f135182b0ca7f532f85 -Author: Patrick Schleizer -Date: Fri Jul 26 08:31:17 2024 -0400 - - comment - -commit f2c9c2f5d1b59127b22fae4dd4b8bb7a6f98a485 -Author: Patrick Schleizer -Date: Fri Jul 26 08:26:16 2024 -0400 - - output - -commit 2b40ea75e9c3f679fd09ae331a56f294c3ac7607 -Author: Patrick Schleizer -Date: Fri Jul 26 08:24:23 2024 -0400 - - cleanup - -commit 6f0551b944cbf83d82f7a1a554c4461bc971520b -Author: Patrick Schleizer -Date: Fri Jul 26 08:23:54 2024 -0400 - - refactoring - -commit aac450f80836b03478b9e2632afc5a4519f9b37a -Author: Patrick Schleizer -Date: Fri Jul 26 08:22:04 2024 -0400 - - refactoring - -commit 30f46790a4df7662926fa43d44ac34c3286dd590 -Author: Patrick Schleizer -Date: Fri Jul 26 08:21:21 2024 -0400 - - use end of options whenever possible - -commit 95722d6d7902367afb44175263a8628df9ad01b2 -Author: Patrick Schleizer -Date: Fri Jul 26 08:13:33 2024 -0400 - - use long option name - -commit 19f131c7426aaa5199504e75aba180a7771a2520 -Author: Patrick Schleizer -Date: Fri Jul 26 08:07:08 2024 -0400 - - code simplification - - https://github.com/Kicksecure/security-misc/pull/251 - -commit 9694cf0cd1a225c68d45814e0f4d6995659a0066 -Author: Patrick Schleizer -Date: Fri Jul 26 07:43:59 2024 -0400 - - output - -commit bdfe764f9d805b14dca4196e623e81ce95145d9b -Merge: 9f135231 
652a06c8 -Author: Patrick Schleizer -Date: Fri Jul 26 07:19:05 2024 -0400 - - Merge remote-tracking branch 'ben-grande/stat-dedup' - -commit 9f135231ccdc3f6eba27db2e1794eff23f03fc0f -Author: Patrick Schleizer -Date: Fri Jul 26 06:43:01 2024 -0400 - - no longer disable Intel ME related kernel modules - - because that might break firmware updates - - This reverts commit 64f8b2eb5870664fca06aa060f2f50af358ced55. - - https://github.com/Kicksecure/security-misc/issues/239 - -commit f616da7c0690fc0dffc21be59174ed8754ec55fb -Author: Patrick Schleizer -Date: Fri Jul 26 09:40:59 2024 +0000 - - bumped changelog version - -commit 4397de0138dac47aee66570fcfe4ef38c8179321 -Author: Raja Grewal -Date: Fri Jul 26 11:30:46 2024 +1000 - - Update description of `cfi=kcfi` kerenel parameter - -commit 652a06c8e9f841e043cc5b5fb030b149cb70dc85 -Author: Ben Grande -Date: Thu Jul 25 12:37:21 2024 +0200 - - Only print SUID or SGID values when set - -commit 3b8a3f9b832ee1eee959fbcce8b5eed417d4712e -Author: Ben Grande -Date: Thu Jul 25 12:20:16 2024 +0200 - - Unduplicate stat call - -commit 28b25bda3f51c7d5a6ee6d28446cb5f731f452d0 -Author: Raja Grewal -Date: Thu Jul 25 15:51:32 2024 +1000 - - Partial inclusion of GrapheneOS infrastructure blacklist - -commit ed3336694ce35614ab47db42bce29d3c69d46752 -Author: Raja Grewal -Date: Thu Jul 25 10:28:27 2024 +1000 - - Provide the option to immediately reboot on a kernel panics - -commit 3926b91dcf371377d38c747e5c7718ac2fed3c83 -Author: Raja Grewal -Date: Thu Jul 25 10:26:23 2024 +1000 - - Add documentation on `sysctl kernel.panic_on_oops=1` - -commit f699eb02a27ef54b9ced5866447b63152984af66 -Author: Raja Grewal -Date: Thu Jul 25 10:11:33 2024 +1000 - - Set `sysctl fs.binfmt_misc.status=0` - -commit 9231f058911ab9059e91c4c0c1677ef66b5bb666 -Author: Patrick Schleizer -Date: Wed Jul 24 13:31:49 2024 -0400 - - todo - -commit 4cc1289e89b341e15725d65e405e607ea4784f9f -Author: Patrick Schleizer -Date: Wed Jul 24 13:30:30 2024 -0400 - - output - -commit 
10c73b326f824f783169383888b9464965a53cbb -Author: Patrick Schleizer -Date: Wed Jul 24 12:07:26 2024 -0400 - - fix delimiter parsing - -commit a16dd8474bf72c2b8c63adc7500140e89d19fedb -Author: Patrick Schleizer -Date: Wed Jul 24 11:50:30 2024 -0400 - - sanity test - -commit cc2b335ee692cc04a2c4e298902f3503927b2c50 -Author: Patrick Schleizer -Date: Wed Jul 24 11:48:32 2024 -0400 - - cleanup - -commit 6cadc70a96cd709fb7a94abcb14e7dd97c57fdb8 -Author: Patrick Schleizer -Date: Wed Jul 24 11:47:52 2024 -0400 - - output - -commit cda0d26af7c057dab8edf4897f98c2e8f83e3d56 -Author: Patrick Schleizer -Date: Wed Jul 24 11:45:13 2024 -0400 - - cannot use NULL inside a bash variable - - use custom delimiter instead - -commit 4a5312b3a9419c8b3e07dda2b650d5fbf9a38d34 -Author: Patrick Schleizer -Date: Wed Jul 24 11:27:51 2024 -0400 - - output - -commit 3bf1f26c0bb271d63c16b314e4da040abf5b3713 -Author: Patrick Schleizer -Date: Wed Jul 24 11:20:26 2024 -0400 - - downgrade warning of non-existing folders to info - - to avoid all users by default getting a warning for expected non-existing folders - -commit 151ca659a9f5565744ff57f3b581c8c051def148 -Author: Patrick Schleizer -Date: Wed Jul 24 11:19:15 2024 -0400 - - output - -commit c9fd2ceb61ea176c731432f02a9fa40652fbddc8 -Author: Patrick Schleizer -Date: Wed Jul 24 11:13:35 2024 -0400 - - downgrade warning of non-existing files to info - - to avoid all users by default getting a warning for expected non-existing files - -commit 721392901be384014298f59deb57747b825c8b37 -Author: Patrick Schleizer -Date: Wed Jul 24 11:12:39 2024 -0400 - - remove duplicate test - -commit 9712b5b4e3cff3eac8ef03b5e562ff89d74ef4b8 -Author: Patrick Schleizer -Date: Wed Jul 24 11:12:18 2024 -0400 - - output - -commit 00911df5c1de24960ad6d21b4cd99450f2d08a88 -Author: Patrick Schleizer -Date: Wed Jul 24 11:10:56 2024 -0400 - - modify call of stat to use NUL delimiter - - for more robust string parsing - -commit d5366835112cc5fabef7ec46a9c582c08121cb14 -Author: 
Patrick Schleizer -Date: Wed Jul 24 11:03:28 2024 -0400 - - local clean_output_prefix clean_output - -commit a6e517736b83c124cf8cec52bac184612a29ad0d -Author: Patrick Schleizer -Date: Wed Jul 24 11:02:25 2024 -0400 - - local stat_output - -commit ced02fb9e03e12c7d51923511e7d6a54b09a6274 -Author: Patrick Schleizer -Date: Wed Jul 24 11:01:24 2024 -0400 - - add sanity test for file_name output from stat - -commit b9dfe70a016e46e1f275918be19890526182cfa2 -Author: Patrick Schleizer -Date: Wed Jul 24 10:58:05 2024 -0400 - - check first if file_name is empty - -commit 1cbda7998196dc04e83c48526d15f9ad5f11e6c9 -Author: Patrick Schleizer -Date: Wed Jul 24 10:57:13 2024 -0400 - - check first if array is empty before parsing further - -commit a077ae54ea050af8828813b781738cba24e27624 -Author: Patrick Schleizer -Date: Wed Jul 24 10:56:08 2024 -0400 - - modify call of stat to use NUL delimiter - - for more robust string parsing - -commit 1135d34ab334c9b39e51a147dc94df568f982512 -Author: Raja Grewal -Date: Wed Jul 24 23:33:36 2024 +1000 - - Reword description of `cfi=kcfi` kerenel parameter - -commit 7200e9bd8c793f5ea30c3448fd03fbd38c6292b5 -Author: Patrick Schleizer -Date: Wed Jul 24 09:15:02 2024 -0400 - - output - -commit 1b6161c2dcd9a0686503c84cda4c9f6a29fe4e02 -Merge: d2563ed9 8be21b6e -Author: Patrick Schleizer -Date: Wed Jul 24 09:13:48 2024 -0400 - - Merge remote-tracking branch 'ben-grande/fuzz' - -commit 88c88187f2909322211cc08598717068ea7cf1d1 -Author: Raja Grewal -Date: Wed Jul 24 17:26:50 2024 +1000 - - Re-enable (default) `secure_redirects` for ICMP redirect messages - -commit 8be21b6eff40fdd3909ef63468463fc52e8bf45f -Author: Ben Grande -Date: Tue Jul 23 19:36:12 2024 +0200 - - Handle newlines in file names - -commit aa99de68d307cd88462665424996d9b730ab5087 -Author: Ben Grande -Date: Tue Jul 23 18:46:47 2024 +0200 - - Log output with defined levels - -commit 06fbcdac1de6f1830d911f05a4f7c14fd522fad4 -Author: Ben Grande -Date: Tue Jul 23 09:55:02 2024 +0200 - - 
Prettify log messages - -commit fb494c2ba5b7fd0f864a59896710d9cddf92b458 -Author: Raja Grewal -Date: Tue Jul 23 13:12:13 2024 +1000 - - Update docs relating to the `cfi=kcfi` kernel parameter - -commit 7ee1ea2cc7dd62feee3243d64b414130e68d35e9 -Author: Ben Grande -Date: Mon Jul 22 17:06:07 2024 +0200 - - Unify functions that evaluate commands - -commit 9c3566f524f748b9f7c98a36b3f2b1064cdba3ed -Author: Ben Grande -Date: Mon Jul 22 16:01:14 2024 +0200 - - Delimit file names with null terminator - -commit d6fc71dba78a9c871015ebdde3bef61943369b47 -Author: Raja Grewal -Date: Mon Jul 22 17:26:00 2024 +1000 - - Add option to switch (back) to using kCFI in the future - -commit f582e543434ba20a2fb7f7300058f7c8a7d62878 -Merge: a189956a d2563ed9 -Author: raja-grewal -Date: Mon Jul 22 15:12:00 2024 +1000 - - Merge branch 'Kicksecure:master' into blacklist_to_disable - -commit d2563ed92317a029340dbb83f30da008b01325f2 -Author: Patrick Schleizer -Date: Sun Jul 21 10:40:14 2024 +0000 - - bumped changelog version - -commit 64f8b2eb5870664fca06aa060f2f50af358ced55 -Author: Patrick Schleizer -Date: Sun Jul 21 06:36:22 2024 -0400 - - Revert "no longer disable Intel ME related kernel modules" - - This reverts commit 6157e328f40a7f3780208489b1ffecef8e6d738a. 
- - https://www.kicksecure.com/wiki/Out-of-band_Management_Technology#Intel_ME_Kernel_Modules - - https://github.com/Kicksecure/security-misc/issues/239 - -commit 4cae74d610ad37066e8a334019cfa5c82f088a2e -Author: monsieuremre -Date: Sun Jul 21 11:19:32 2024 +0200 - - Update 30_security-misc.conf - -commit 04fb00572f2e4c9bdfaaa0f6da8007999daab641 -Author: Patrick Schleizer -Date: Sat Jul 20 17:02:05 2024 +0000 - - bumped changelog version - -commit f0a478c7c91697988926a73d3a1880dd8caaca68 -Author: Patrick Schleizer -Date: Sat Jul 20 12:57:56 2024 -0400 - - permission hardener: allow postfix - - postqueue matchwhitelist - postdrop matchwhitelist - -commit a189956adc2cf5a1c8311d0e0e9c7cfbc6e4afe3 -Author: Raja Grewal -Date: Sat Jul 20 20:11:09 2024 +1000 - - Typo - -commit 3c720a0715191c858e8d1df9795dddfea5dbdcf1 -Author: Raja Grewal -Date: Sat Jul 20 15:03:21 2024 +1000 - - Disable some legacy drivers - These were all previously blacklisted for over 2 years. - -commit c4965ed838b1df93ddb9e947fb2f0d23fa8ffc17 -Author: Raja Grewal -Date: Sat Jul 20 14:55:10 2024 +1000 - - Disable legacy framebuffer drivers - These were all previously blacklisted for over 2 years. 
- -commit 9f53a0182b5f6a7cf8228bf19b04661d39c7a2fe -Author: Patrick Schleizer -Date: Fri Jul 19 07:20:59 2024 -0400 - - undo io_uring related changes - - as these should be done in a separate pull request (if apprpriate) - - https://github.com/Kicksecure/security-misc/pull/244#issuecomment-2238889062 - -commit 8791aecb38a41aa0b0c108505726bc6a1ace903e -Merge: 2d114364 06894d1c -Author: Patrick Schleizer -Date: Fri Jul 19 07:19:09 2024 -0400 - - Merge remote-tracking branch 'raja/fixes' - -commit 06894d1c98e91f43af58cc438559ea76b6a361e3 -Author: Raja Grewal -Date: Fri Jul 19 18:30:42 2024 +1000 - - Typo - -commit 2d11436432d3b2b75f84b05550de06cd77ec6e79 -Author: Patrick Schleizer -Date: Thu Jul 18 18:05:07 2024 +0000 - - bumped changelog version - -commit cac5bbad99a9c083c5b5f85f07c7368287c64f72 -Author: Patrick Schleizer -Date: Thu Jul 18 14:04:00 2024 -0400 - - comment - -commit a5eed00eba76f83c310f62d000830f38b0e87d21 -Author: Patrick Schleizer -Date: Thu Jul 18 14:02:38 2024 -0400 - - cleanup comments - -commit 21efacf1b111d9599e72cef23b791cf4961c04c3 -Author: Patrick Schleizer -Date: Thu Jul 18 14:00:28 2024 -0400 - - cleanup duplicate comments which are already in `/etc/dkms/framework.conf` - -commit 61628c2baf58ca2859bc5fc99782985ef0822750 -Author: Patrick Schleizer -Date: Thu Jul 18 14:11:35 2024 +0000 - - bumped changelog version - -commit 05cf438199ca75f96cf8e67131f4a409b465e7e7 -Author: Patrick Schleizer -Date: Thu Jul 18 10:11:03 2024 -0400 - - no comments / copyright allowed in .displace-extension - -commit 2ccc95f6d44bacd3da97d586542695f33d5faf38 -Author: Patrick Schleizer -Date: Thu Jul 18 14:05:23 2024 +0000 - - bumped changelog version - -commit 95286df50274953326accb615487e21d409b652a -Author: Raja Grewal -Date: Thu Jul 18 15:28:31 2024 +1000 - - Update README.md regarding secure ICMP redirects - -commit 13cc1f0986033855a399b50442a86a8d8552eb96 -Author: Raja Grewal -Date: Thu Jul 18 12:25:00 2024 +1000 - - Clarify (future) disabling of `io_uring` - 
-commit 9e6facda7017498e8310a9c39403e95e81c5a903 -Author: Raja Grewal -Date: Thu Jul 18 12:21:37 2024 +1000 - - Update module disabling presentation - -commit faa9181a6c0c78b9471c9a4e6bdd3291aec704f6 -Author: Raja Grewal -Date: Thu Jul 18 12:19:27 2024 +1000 - - Typos - -commit 6d211faf591608ea6e7f484e8bc69dd567877abf -Author: Raja Grewal -Date: Thu Jul 18 11:04:54 2024 +1000 - - Restrict unprivileged user namespaces - -commit b04828f858fa6d101099773d3156841fd6d33b6f -Author: Raja Grewal -Date: Thu Jul 18 11:01:41 2024 +1000 - - Disable the usage of `ptrace()` by all processes - -commit d454f36c63bd653e47353fb1c93107b2d5584fe2 -Author: Patrick Schleizer -Date: Wed Jul 17 11:52:29 2024 -0400 - - spelling - -commit f4da582aa31b869413aef6f4e252b7985e961339 -Author: Patrick Schleizer -Date: Wed Jul 17 11:44:17 2024 -0400 - - spelling - -commit 9e976474d5d620be9e4f8d8a97f73c6cc3e64573 -Author: Patrick Schleizer -Date: Wed Jul 17 11:40:51 2024 -0400 - - spelling - -commit b569fc02a4650187e69b62b95439c05ee2611e91 -Author: Patrick Schleizer -Date: Wed Jul 17 11:38:53 2024 -0400 - - spelling - -commit a2e26f441b6f44831c7b1bf3bf9dc2cf6f06e176 -Author: Patrick Schleizer -Date: Wed Jul 17 11:04:03 2024 -0400 - - spelling - -commit c8be4ac83c2563798ee35d56200eb8d11a2c32e3 -Author: Patrick Schleizer -Date: Wed Jul 17 10:56:14 2024 -0400 - - comment - -commit 24cd70a014b221b25669755b955bc114fe083643 -Author: Patrick Schleizer -Date: Wed Jul 17 10:55:12 2024 -0400 - - spelling - -commit 5cec685cf9b0845838f17fba78ac65d6c2e63386 -Author: Patrick Schleizer -Date: Wed Jul 17 10:49:21 2024 -0400 - - spelling - -commit 821a416fe39e11ca030c63f25a5220772d80eae5 -Author: Patrick Schleizer -Date: Wed Jul 17 10:43:16 2024 -0400 - - spelling - -commit 9a387f95e9346030e2adc3252a45942949561b52 -Merge: fd41acdc 4afe257a -Author: Patrick Schleizer -Date: Wed Jul 17 10:32:26 2024 -0400 - - Merge remote-tracking branch 'raja/miscellaneous' - -commit fd41acdc721a6463813bc347cb965b6211fb9447 -Merge: 
0da22c20 1087387b -Author: Patrick Schleizer -Date: Wed Jul 17 10:27:31 2024 -0400 - - Merge remote-tracking branch 'raja/fack_off' - -commit 4afe257a42576158a54a68948440a2b4c043b67c -Author: Raja Grewal -Date: Thu Jul 18 00:14:13 2024 +1000 - - minor - -commit d0a59617f6b8a90fd5c758699e910af9d7496c98 -Author: Raja Grewal -Date: Thu Jul 18 00:13:30 2024 +1000 - - Add missing Copyright (C) statements - -commit 8f3896c3dac13b604e36d4249f976598f271a215 -Author: Raja Grewal -Date: Wed Jul 17 23:44:37 2024 +1000 - - Upgrade hyperlinks to HTTPS - -commit 1087387b362d5598e44262db07ab0fff9118b064 -Author: Raja Grewal -Date: Wed Jul 17 23:35:25 2024 +1000 - - Remove obsolete `#net.ipv4.tcp_fack=0` - -commit 0da22c20316c8f0f574e0127926506e52ccbc269 -Author: Patrick Schleizer -Date: Wed Jul 17 09:07:31 2024 -0400 - - minor - -commit c336b266f61528cce27e1cafac6377370927a787 -Merge: afe3c25a df803852 -Author: Patrick Schleizer -Date: Wed Jul 17 09:06:44 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit df80385289717fee0266436d056c9aedd0fb06af -Merge: afe3c25a 724435e5 -Author: Patrick Schleizer -Date: Wed Jul 17 09:04:18 2024 -0400 - - Merge pull request #237 from raja-grewal/intel_pmt - - Disable some Intel PMT kernel modules - -commit afe3c25a49940f7f322414c08e8dbd631e696215 -Author: Patrick Schleizer -Date: Wed Jul 17 08:58:00 2024 -0400 - - update readme - - https://github.com/Kicksecure/security-misc/issues/239 - -commit f7772fb85a1fe6d3c0749e5f34fc29111b6a8125 -Author: Patrick Schleizer -Date: Wed Jul 17 08:57:35 2024 -0400 - - minor - -commit 6157e328f40a7f3780208489b1ffecef8e6d738a -Author: Patrick Schleizer -Date: Wed Jul 17 08:52:11 2024 -0400 - - no longer disable Intel ME related kernel modules - - https://github.com/Kicksecure/security-misc/issues/239 - -commit daee8b900b3057235aedc17b1231c3c05599140c -Merge: 954ff1be a4ba6e48 -Author: Patrick Schleizer -Date: Wed Jul 17 08:47:55 2024 -0400 - - Merge remote-tracking branch 
'github-kicksecure/master' - -commit a4ba6e485d94512fdf737b9f66137c3f692c9904 -Merge: 9a751356 abafb194 -Author: Patrick Schleizer -Date: Wed Jul 17 08:46:27 2024 -0400 - - Merge pull request #236 from raja-grewal/intel_me - - Disable more Intel ME kernel modules - -commit 954ff1be41288b5fa2e50d492d92544915f93bb5 -Merge: d29a6161 9a751356 -Author: Patrick Schleizer -Date: Wed Jul 17 08:42:52 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 9a75135633ad172f7cbf318e1206865493c28bb4 -Merge: d29a6161 a3408990 -Author: Patrick Schleizer -Date: Wed Jul 17 08:41:43 2024 -0400 - - Merge pull request #238 from raja-grewal/uvcvideo_2 - - Minor additions to `30_security-misc_disable.conf` - -commit d29a616142562492db6c45c299f002100e905828 -Author: Patrick Schleizer -Date: Wed Jul 17 08:39:20 2024 -0400 - - minor - -commit a2802f352fc7021ead0d431c665cc16b2821ae0b -Merge: 0b873b76 81a3715c -Author: Patrick Schleizer -Date: Wed Jul 17 08:38:23 2024 -0400 - - Merge remote-tracking branch 'raja/kargs' - -commit 0b873b765e20b06113d808075fa95c8acbb1e0fc -Author: Patrick Schleizer -Date: Wed Jul 17 08:05:27 2024 -0400 - - minor - -commit 070bb46a08afcd84fb638472c39bd543bad4fb17 -Merge: 6d6e5473 25fd532c -Author: Patrick Schleizer -Date: Wed Jul 17 08:02:45 2024 -0400 - - Merge remote-tracking branch 'raja/sysctl' - -commit 6d6e5473f2778a2a5b1ca7826d0a3a5a63cff08a -Author: Patrick Schleizer -Date: Wed Jul 17 08:00:24 2024 -0400 - - minor - -commit cf5f0edbb85589a72ec891e9c3e090f9e81c4fda -Merge: fe5c840b 693b47e6 -Author: Patrick Schleizer -Date: Wed Jul 17 07:59:35 2024 -0400 - - Merge remote-tracking branch 'raja/sysctl' - -commit 25fd532ce62399d5bb42d844ad32b5128eaf748d -Author: Raja Grewal -Date: Wed Jul 17 21:56:40 2024 +1000 - - Update README.md relating to `sysctl`'s - -commit 39fd125eb0f0c16c8a64933bbd04709287a2686a -Author: Raja Grewal -Date: Wed Jul 17 21:44:44 2024 +1000 - - Provide explanation on the disabling of IPv6 Privacy Extensions - 
-commit a3408990ab439e6edbf8691cf7d65fb16c0d24df -Author: Raja Grewal -Date: Wed Jul 17 15:03:39 2024 +1000 - - Uncomment disabling of already disabled ATM modules - -commit 693b47e6235528ab7a9032818cce22fd63a4f5ea -Author: Raja Grewal -Date: Wed Jul 17 14:58:30 2024 +1000 - - Clarify ICMP redirect acceptance and sending - -commit 81a3715c7c0b73796a62297ebe55e861a46f7686 -Author: Raja Grewal -Date: Wed Jul 17 13:32:08 2024 +1000 - - Add info regarding the downsides of disabling SMT - -commit abafb1945cace774429fefd0c1a037fb2ec3f774 -Author: Raja Grewal -Date: Wed Jul 17 13:26:03 2024 +1000 - - Add Intel ME references - -commit f317aaebab126bafe3cfaef8159bf0820c392c87 -Author: Raja Grewal -Date: Wed Jul 17 01:09:02 2024 +1000 - - Disable two network modules - These were previously blacklisted for two years in https://github.com/Kicksecure/security-misc/commit/61ef9bd59f9ff39c140f782ff5b41d0a3c6d97bc. - -commit d69fe88091c7212a9af86306c797aed40398584b -Author: Raja Grewal -Date: Wed Jul 17 01:08:01 2024 +1000 - - Provide option to disable `uvcvideo` driver - -commit 49594ccb223c09d70f00434e5875c9dae1a2360d -Author: Raja Grewal -Date: Wed Jul 17 00:49:25 2024 +1000 - - Partially revert https://github.com/raja-grewal/security-misc/commit/f4d652fa7b5dd350b577521c6bba22c9eb3c13f1 - -commit 824d9b82e53485eed8eaf24e9815ac07ad0f2406 -Author: Raja Grewal -Date: Wed Jul 17 00:36:18 2024 +1000 - - Uncomment redundant disabling of TCP FACK` - -commit d1119c38b6ad4193919d4b800de0a3cb014f92c1 -Author: Raja Grewal -Date: Wed Jul 17 00:31:23 2024 +1000 - - Apply changes from code review - -commit fe5c840b79c4aabd5c21a286d3ce1a3ee460812c -Author: Patrick Schleizer -Date: Mon Jul 15 21:18:55 2024 +0000 - - bumped changelog version - -commit 6e63fc8985b97902dbae2553ded51950168dc222 -Merge: fe0846c8 b7796a53 -Author: Patrick Schleizer -Date: Mon Jul 15 17:14:25 2024 -0400 - - Merge remote-tracking branch 'ben-grande/fuzz' - -commit fe0846c8c2bdfc0534850b1e9bf9c4130381def9 -Author: 
Patrick Schleizer -Date: Mon Jul 15 12:30:38 2024 -0400 - - fix - - https://github.com/Kicksecure/security-misc/pull/234#discussion_r1678065395 - -commit 94df2e3d244f5e6e8e4320c1f28cc11dba00dd36 -Author: Patrick Schleizer -Date: Mon Jul 15 12:29:52 2024 -0400 - - further discussion required - - https://github.com/Kicksecure/security-misc/pull/234#issuecomment-2228909249 - -commit 41f0b53dd62d2968a6ff88a6fd907ca42f581847 -Merge: 5ba5a85a 9300c208 -Author: Patrick Schleizer -Date: Mon Jul 15 12:28:03 2024 -0400 - - Merge remote-tracking branch 'raja/kernel_modules' - -commit 73f6d4b26f51f0c920fe020677f464c536d75410 -Author: Raja Grewal -Date: Tue Jul 16 01:03:41 2024 +1000 - - Fix transcription error - -commit 724435e56ea059183241044a4fc09423187533eb -Author: Raja Grewal -Date: Mon Jul 15 22:38:43 2024 +1000 - - Disable some Intel Platform Monitoring Technology Telemetry (PMT) modules - -commit 61941da37509a4bb809212536b79f461a209f584 -Author: Raja Grewal -Date: Mon Jul 15 22:38:09 2024 +1000 - - Create `disabled-intelpmt-by-security-misc` - -commit 22ba7a7c393a8c9005dfe26aea396815a4d54803 -Author: Raja Grewal -Date: Mon Jul 15 22:21:20 2024 +1000 - - Disable more Intel Management Engine (ME) modules - -commit 9300c208e25d936f2c633a0904126566afc1c275 -Author: Raja Grewal -Date: Mon Jul 15 21:36:25 2024 +1000 - - Fix script - -commit f2db11269e89d4c945642b661aa9cbe356f89037 -Author: Raja Grewal -Date: Mon Jul 15 21:18:32 2024 +1000 - - Fix script - -commit 382f1e9ec00ab5f012f028fa324d6cf73040c37d -Author: Raja Grewal -Date: Mon Jul 15 21:13:25 2024 +1000 - - Fix error - -commit a8bc1144c32b4b4f20904af5f813da1051fe4c9c -Author: Raja Grewal -Date: Mon Jul 15 21:10:13 2024 +1000 - - Updated wording of error files for disabled modules - -commit fda3832eaf293915ab77ce73a0be2caec15e21fa -Author: Raja Grewal -Date: Mon Jul 15 21:08:45 2024 +1000 - - Replace bash file presented for disabling of miscellaneous modules - -commit 8219a1e257525d487a49e7b3a6b14c1e180a7b52 -Author: 
Raja Grewal -Date: Mon Jul 15 21:02:10 2024 +1000 - - Update README.md relating to disabled miscellaneous modules - -commit cb2fb95b81efa2ebb2bd80aeaacad9122f0f073c -Author: Raja Grewal -Date: Mon Jul 15 21:01:36 2024 +1000 - - Disable more miscellaneous drivers - -commit c52b1a3fd269ef4f98028dd5eead476abe5d138d -Author: Raja Grewal -Date: Mon Jul 15 20:58:45 2024 +1000 - - Create `disabled-miscellaneous-by-security-misc` - -commit 96aa63267a6fcee03f252f0791f37b7b6222a7c1 -Author: Raja Grewal -Date: Mon Jul 15 20:57:14 2024 +1000 - - Disable more Thunderbolt modules - -commit 51f7776bc8722752d53fc503b0c79564d8715d4c -Author: Raja Grewal -Date: Mon Jul 15 20:56:12 2024 +1000 - - Disable more network protocols/drivers - -commit 9e40ff055195b1e8637d1e957c3f8db01f99bbc1 -Author: Raja Grewal -Date: Mon Jul 15 20:54:18 2024 +1000 - - Disable more network file systems - -commit 82c5a93f7cf2846490120c5262a146a313a5ce47 -Author: Raja Grewal -Date: Mon Jul 15 20:53:07 2024 +1000 - - Disable another GPS module - -commit 99b0ce7948213e7f7adf42ddd7c7beb229374bd4 -Author: Raja Grewal -Date: Mon Jul 15 20:47:56 2024 +1000 - - Disable more file systems - -commit 4476a477a77c98cf4334fbcb866bc8f113f568ac -Author: Raja Grewal -Date: Mon Jul 15 20:47:07 2024 +1000 - - Provide option to disable more Bluetooth modules - -commit e0696d02a234e6f7ab9fb601ffe58e7d953846a2 -Author: Raja Grewal -Date: Mon Jul 15 20:46:04 2024 +1000 - - Update `security-misc.maintscript` - Due to previous splitting IN https://github.com/Kicksecure/security-misc/commit/b02230a783941da412be72fb52053db0c6b8010f. 
- -commit b2657bc61fb15bb89d62f0743a36835c1f0dda8a -Author: Raja Grewal -Date: Mon Jul 15 15:05:00 2024 +1000 - - Improve docs - -commit 1c2afc1f253e15d2605d1bef0e323e6e972a2484 -Author: Raja Grewal -Date: Mon Jul 15 15:01:48 2024 +1000 - - Update presentation of the `kernel.printk` sysctl - -commit c8385d82fbd6ba16ba1f0b4969661474966b74f1 -Author: Raja Grewal -Date: Mon Jul 15 14:57:40 2024 +1000 - - Clarify instructions for increasing log verbosity - -commit d229e8b04d914803fa66c3a695022cfb2d9b2a25 -Author: Raja Grewal -Date: Mon Jul 15 14:50:29 2024 +1000 - - Fix link - -commit fbfdb0fa99087e4160979b612db04e63a1d3e3b1 -Author: Raja Grewal -Date: Mon Jul 15 14:40:03 2024 +1000 - - Update `security-misc.maintscript` relating to grub - -commit f4d652fa7b5dd350b577521c6bba22c9eb3c13f1 -Author: Raja Grewal -Date: Mon Jul 15 14:39:12 2024 +1000 - - Update presentation of `quiet loglevel=0` - -commit 69c8e849270393537d3e024137bc20a42c848333 -Author: Raja Grewal -Date: Mon Jul 15 14:38:21 2024 +1000 - - Fix typos - -commit 48e1ac416314d2c66f3a0d5044a3c51cb6fb4093 -Author: Raja Grewal -Date: Mon Jul 15 02:04:25 2024 +1000 - - Remove the optional `slub_debug` parameter since it is no longer recommended - -commit 99038c7a0621f5c9852638c1706c5306b42e6480 -Author: Raja Grewal -Date: Mon Jul 15 02:02:01 2024 +1000 - - Add option to disable support for x86 processes and syscalls in the future - -commit f550fbe07cafb75112e98268730d1bcc511489e2 -Author: Raja Grewal -Date: Mon Jul 15 01:59:04 2024 +1000 - - Add option to disable the entire IPv6 stack functionality - -commit a33d4cd099b8cbf569ff35627eeacf3562a4371e -Author: Raja Grewal -Date: Mon Jul 15 01:56:25 2024 +1000 - - Refactor existing kernel parameters for clarity - -commit acd60e45d8cbc98ea935c9bf035f2840622ab58d -Author: Raja Grewal -Date: Sun Jul 14 20:07:31 2024 +1000 - - Add comment about enabling core dump files - -commit 5cf9afc21563712b851850e2041141807503807c -Author: Raja Grewal -Date: Sun Jul 14 17:05:49 2024 
+1000 - - Include optional `sysctl`'s in README.md - -commit 2b9e174c9db69f2c30828aae236c631d46255e07 -Author: Raja Grewal -Date: Sun Jul 14 16:22:52 2024 +1000 - - Remove empty lines - -commit dd1741c4a1cd18f34f69437c00f3a78a9ebd402a -Author: Raja Grewal -Date: Sun Jul 14 13:40:53 2024 +1000 - - Some documentation additions and fixes - -commit 565597c9a282b08697d04204f5eb9c22153e77bd -Author: Raja Grewal -Date: Sun Jul 14 01:21:24 2024 +1000 - - Minor documentation changes and fixes - -commit 5ba5a85ad09b74a29c5ed0e5c265d54d93da9d32 -Author: Patrick Schleizer -Date: Sat Jul 13 15:01:16 2024 +0000 - - bumped changelog version - -commit ad860063aba0443a8ac8b9cf191d008617d6d904 -Merge: f34b9d7c 9f582665 -Author: Patrick Schleizer -Date: Sat Jul 13 10:55:45 2024 -0400 - - Merge remote-tracking branch 'raja/modprobe' - -commit 9f582665467fd4fdf20c83841305785024bceedf -Author: Raja Grewal -Date: Sat Jul 13 23:32:01 2024 +1000 - - Move nf_conntrack_helper disabling into separate file - -commit 8f2ec75f8173b6ab970a5ef213dcf5a3f67aa84a -Author: Raja Grewal -Date: Sat Jul 13 23:30:55 2024 +1000 - - Clarify README.mmd relating to module disabling - -commit 98580bb39a495a141e7b40792fd9d232fcf29d23 -Author: Raja Grewal -Date: Sat Jul 13 23:29:52 2024 +1000 - - Update modprobe presentation - -commit 2de3a795990234134be15be90aa55f547c064d92 -Author: Raja Grewal -Date: Sat Jul 13 22:41:40 2024 +1000 - - Refactor existing sysctl for clarity - -commit f34b9d7c45cd723535eedd3df99896ee7f852388 -Merge: 05c1711b 5f10cc8b -Author: Patrick Schleizer -Date: Sat Jul 13 06:14:43 2024 -0400 - - Merge remote-tracking branch 'raja/modules' - -commit 5f10cc8bcf11654f5e0f97c07e0a7ff198013c1e -Author: Raja Grewal -Date: Fri Jul 12 16:22:10 2024 +1000 - - Update README.md relating to modprobe - -commit 41a3bf92fbdac88a1884dee735600cafa35134bf -Author: Raja Grewal -Date: Fri Jul 12 16:21:41 2024 +1000 - - Sort `30_security-misc_disable.conf` - -commit f31dc8aebc652b2037c375351fc478d9b5ba4c27 
-Author: Raja Grewal -Date: Fri Jul 12 16:21:03 2024 +1000 - - Fix error in error script - -commit b02230a783941da412be72fb52053db0c6b8010f -Author: Raja Grewal -Date: Fri Jul 12 02:42:37 2024 +1000 - - Split modprobe into blacklisted and disabled configurations - -commit fc792ff23234399ed299c3fdc086d47c87d9b4a3 -Author: Raja Grewal -Date: Fri Jul 12 02:29:36 2024 +1000 - - Alphabetically sort existing modprobe - -commit fe20f3240e2f31099bcaa9f9e2045320df810edf -Author: Raja Grewal -Date: Fri Jul 12 02:28:48 2024 +1000 - - Refactor existing modprobe for clarity - -commit 275a4ffc1114856cbd9a1cd49701dcb25d87bfb5 -Author: Raja Grewal -Date: Fri Jul 12 02:27:56 2024 +1000 - - Remove redundant disabled modules - -commit b7796a5334075d5fa538d7579003fde6287d7e6d -Author: Ben Grande -Date: Thu Jul 11 11:04:22 2024 +0200 - - Unify method to find SUID files - -commit 05c1711b16c96a221c13a011a6666fe6b385ec1e -Author: Patrick Schleizer -Date: Tue Jun 11 12:56:56 2024 +0000 - - bumped changelog version - -commit e48115588caae8e51bb980ac84b1f0f415ca0d17 -Merge: b316352e cad8d857 -Author: Patrick Schleizer -Date: Tue Jun 11 07:25:47 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit cad8d857556e29544f742fdac8fe82758a4f885c -Merge: b316352e e1984478 -Author: Patrick Schleizer -Date: Tue Jun 11 07:25:07 2024 -0400 - - Merge pull request #227 from 3uryd1ce/fix-pam.d-path - - fix(etc): delete typo in /etc/apparmor.d tunables - -commit e1984478662fc51e6eacc989bc6bba0ca1fc07cd -Author: Ashlen -Date: Sat Jun 8 22:17:05 2024 -0600 - - fix(etc): delete typo in /etc/apparmor.d tunables - - /etc/pam.d was present twice in a row ("/etc/pam.d//etc/pam.d") in this - file: /etc/apparmor.d/tunables/home.d/security-misc. 
- -commit b316352ede379d96cff4813735b93eb59506fe42 -Author: Patrick Schleizer -Date: Sat Jun 1 18:13:08 2024 +0000 - - bumped changelog version - -commit c815304026d30f7774f804498d20431ccdf8dc7f -Author: Patrick Schleizer -Date: Sat Jun 1 14:12:57 2024 -0400 - - readme - -commit 641e98e57714f7d38962bfd12d673500b8114356 -Author: Patrick Schleizer -Date: Sat Jun 1 17:35:04 2024 +0000 - - bumped changelog version - -commit e0cd9579d64e6d16667832de51f77a3091ef213e -Author: Patrick Schleizer -Date: Sat Jun 1 13:32:13 2024 -0400 - - remove duplicate `fsckobjects = true` from `/etc/gitconfig` - -commit bbe64a0b7992610dfef6002271718a2aee115cae -Author: Patrick Schleizer -Date: Tue May 28 12:04:53 2024 +0000 - - bumped changelog version - -commit ae24a97d4d0ffcfb3d1cc92edb61e7ecf4535ee7 -Merge: bfca98ea a7358578 -Author: Patrick Schleizer -Date: Tue May 28 08:02:21 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit a7358578520294b51e1001199670a0bbeeb43eb1 -Merge: bfca98ea 4efa293f -Author: Patrick Schleizer -Date: Tue May 28 07:55:31 2024 -0400 - - Merge pull request #226 from Kicksecure/gitconfig - - add `/etc/gitconfig` by default for better `git` security - -commit 4efa293f3b76814bc5399a959482d7db6e7431ec -Author: Patrick Schleizer -Date: Tue May 28 07:51:06 2024 -0400 - - add `/etc/gitconfig` by default for better `git` security - - ``` - [core] - symlinks = false - - [transfer] - fsckobjects = true - fsckobjects = true - [fetch] - fsckobjects = true - fsckobjects = true - [receive] - fsckobjects = true - fsckobjects = true - ``` - - + additional suggestions as comments - - fixes https://github.com/Kicksecure/security-misc/issues/225 - -commit bfca98ea89cea0f8604ecca0c8640860320e8e33 -Author: Patrick Schleizer -Date: Sat May 18 20:45:12 2024 +0000 - - bumped changelog version - -commit eb82884fb2e3d3bb4fa5555d8212146042ba8aa4 -Merge: 5867b1b0 12e006ef -Author: Patrick Schleizer -Date: Sat May 18 16:42:41 2024 -0400 - - Merge remote-tracking 
branch 'github-kicksecure/master' - -commit 12e006ef9cabbbcbe9cb45d9a6631e9a7a47cf3a -Merge: 5867b1b0 2f716050 -Author: Patrick Schleizer -Date: Sat May 18 16:30:07 2024 -0400 - - Merge pull request #222 from raja-grewal/text - - Update Readme and Copyright - -commit 2f716050d17016be6f550a7de8e0c1030e869e8f -Author: raja-grewal -Date: Sun May 12 01:06:34 2024 +0000 - - Update README.md - -commit 1bb843ec3863696170242c57668d0b3f44f41d7b -Author: Raja Grewal -Date: Sat May 11 13:18:36 2024 +1000 - - Update Copyright (C) to 2024 - -commit dddac1dc4015a28fc6b12244809685295272edd1 -Author: Raja Grewal -Date: Sat May 11 13:15:42 2024 +1000 - - Update README.md - -commit 5867b1b014f450acdf70c203ffe2f27831f1d9b0 -Author: Patrick Schleizer -Date: Fri May 10 11:20:36 2024 +0000 - - bumped changelog version - -commit 9b589bc3116c8f9d6d574021bcec7b5dec3888b8 -Author: Patrick Schleizer -Date: Fri May 10 06:49:34 2024 -0400 - - comment - -commit 8d01fc2d351285c9c2f810bf5cf10797c9b9eb41 -Author: Patrick Schleizer -Date: Fri May 10 06:48:26 2024 -0400 - - chmod +x - -commit 8a28c1bc38b87bf55f25764c96a0e81e22137232 -Merge: a9886a31 0f1119f3 -Author: Patrick Schleizer -Date: Fri May 10 06:48:04 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 0f1119f326cd769db8995e8eb54ff35503c70562 -Merge: 547757f4 677f75ae -Author: Patrick Schleizer -Date: Fri May 10 06:45:57 2024 -0400 - - Merge pull request #221 from raja-grewal/firewire - - Disable Firewire Module - -commit 547757f4514a54437d044656c5e2b6d413a4cc30 -Merge: 7b9fe44a 06f13bb7 -Author: Patrick Schleizer -Date: Fri May 10 06:45:34 2024 -0400 - - Merge pull request #220 from raja-grewal/block_gps - - Block Several GPS-related Modules - -commit 7b9fe44a20f3caf67f386969a5fc7c980e5f0282 -Merge: 62ea4dc1 132b41ae -Author: Patrick Schleizer -Date: Fri May 10 06:43:43 2024 -0400 - - Merge pull request #219 from raja-grewal/logging_martians - - Revert Logging of Martians - -commit 
62ea4dc1768f69bb28a69c20e55c87ae692cc0c8 -Merge: a9886a31 4694268b -Author: Patrick Schleizer -Date: Fri May 10 06:43:15 2024 -0400 - - Merge pull request #218 from raja-grewal/secure_cpu - - More CPU Mitigations and Additional References - -commit 677f75ae8ed64af599f837ced15f34990df498e5 -Author: raja-grewal -Date: Thu May 9 02:34:02 2024 +0000 - - Disable `firewire-net` module - -commit 06f13bb766bd84182331aeb1632b917de4b36020 -Author: raja-grewal -Date: Thu May 9 02:28:53 2024 +0000 - - Disable GPS modules like GNSS - -commit f3800a4e2b7bef87cc3bd8791f9e7f654f8d782a -Author: raja-grewal -Date: Thu May 9 02:25:46 2024 +0000 - - Create disabled-gps-by-security-misc - -commit 132b41ae73e9ea72bc3d8aff22ae75fc622758a3 -Author: raja-grewal -Date: Thu May 9 02:16:50 2024 +0000 - - Revert logging of martians - -commit 4694268b8f779c1a0a56546dc6d12bf9f23a7cdd -Author: raja-grewal -Date: Sun May 5 12:52:51 2024 +0000 - - Remove a word - -commit 8f7768ce96e32e3f1ec52118afffc2a44a160976 -Author: raja-grewal -Date: Sun May 5 12:50:39 2024 +0000 - - Add vendor links - -commit 0c031a29d33d13d9106746d61b87f9d98a80b5cd -Author: raja-grewal -Date: Wed May 1 13:55:09 2024 +1000 - - RFDS mitigation on Intel Atom CPUs (including E-cores) - -commit 1122b3402c0856a087415d7ba1a313048b7e3eea -Author: raja-grewal -Date: Wed May 1 13:50:42 2024 +1000 - - GDS mitigation for CPUs - -commit c002bd62e8584a19e73b3f42673a3f9bafba6a2c -Author: raja-grewal -Date: Wed May 1 13:49:34 2024 +1000 - - Clarify use of `mitigations=auto` - -commit d89d7e8ef8ee3fd45456e82e8f649f7f28c93e80 -Author: raja-grewal -Date: Wed May 1 13:49:00 2024 +1000 - - Add reference for RETBleed - -commit 015dcc4212736417a2202ea0e0a92e5c2e58d6a5 -Author: raja-grewal -Date: Wed May 1 13:48:13 2024 +1000 - - Add reference for SSB - -commit de4f4be94762c9751ea62f744d7d6ede3ef30e88 -Author: raja-grewal -Date: Wed May 1 13:47:40 2024 +1000 - - Merge spectre mitigations - -commit 965c8641fd28e0ee592b50605edb7494fe9c3a28 -Author: 
raja-grewal -Date: Wed May 1 13:47:02 2024 +1000 - - Update BHI mitigation reference - -commit a9886a3119f9b662b15fc26d28a7fedf316b72c4 -Author: Patrick Schleizer -Date: Fri Apr 12 06:56:39 2024 +0000 - - bumped changelog version - -commit 5cbdf3c1262d26ae03b28baee87b1d268329da40 -Merge: 7fba04d1 ab8b6da4 -Author: Patrick Schleizer -Date: Fri Apr 12 02:54:17 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit ab8b6da484a90e9a62f8ba515c757aa3758baf48 -Merge: 7fba04d1 49357683 -Author: Patrick Schleizer -Date: Fri Apr 12 02:53:08 2024 -0400 - - Merge pull request #216 from raja-grewal/spectre_bhi - - BHI mitigation on Intel CPUs - -commit 493576836c90653f9c3514fcd5b3bf816e56d689 -Author: raja-grewal -Date: Fri Apr 12 00:17:06 2024 +1000 - - BHI mitigation on Intel CPUs - -commit 7fba04d1485187fe648f3d3ab44cd834b0eb9791 -Author: Patrick Schleizer -Date: Mon Apr 1 06:56:45 2024 +0000 - - bumped changelog version - -commit 7dba3fb7bebd4fdc7f168df378c2d505971f2c04 -Author: Patrick Schleizer -Date: Mon Apr 1 02:55:59 2024 -0400 - - no longer disable MSR by default - - fixes https://github.com/Kicksecure/security-misc/issues/215 - -commit d9ac01ba5c26f9730feb17fe573d447e625e59f8 -Author: Patrick Schleizer -Date: Mon Mar 18 15:10:10 2024 +0000 - - bumped changelog version - -commit ecaa024f226f4f45ac9d2a4f38bcdb82a6e35a2f -Author: Patrick Schleizer -Date: Mon Mar 18 11:01:56 2024 -0400 - - lower debugging - -commit 357ea5deab85debb9dff5d9e4e80a972954249c8 -Author: Patrick Schleizer -Date: Mon Mar 11 15:07:50 2024 +0000 - - bumped changelog version - -commit 0a018bdebca167d671d8bda81a2b0d929d396945 -Merge: 57fc487e 0b813163 -Author: Patrick Schleizer -Date: Mon Mar 11 10:13:57 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 0b8131630041dbd80f1aa61dcedde446208c06f7 -Merge: 57fc487e 03ed546c -Author: Patrick Schleizer -Date: Mon Mar 11 10:12:46 2024 -0400 - - Merge pull request #211 from wryMitts/patch-1 - - Create 
proc group on install - -commit 03ed546cd8992b29855ca1c2748ed988dd3c765d -Author: wryMitts <158655396+wryMitts@users.noreply.github.com> -Date: Sun Mar 10 16:55:10 2024 -0400 - - Create proc group on install - - Fixes https://github.com/Kicksecure/security-misc/issues/210 - -commit 57fc487e5e5ffad765f1418236744319cc666871 -Author: Patrick Schleizer -Date: Sun Mar 10 13:19:26 2024 +0000 - - bumped changelog version - -commit a5206bde336c159be065345e7dd5cb86b2b6a27f -Author: Patrick Schleizer -Date: Sun Mar 10 08:44:53 2024 -0400 - - `proc-hidepid.service` add `gid=proc` - - This allows users that are a member of the `proc` group to be excluded from `hidepid` protections. - - https://github.com/Kicksecure/security-misc/issues/208 - -commit 0f0d9ca2a42cf9fc04e405ae90f3d67bc0794e12 -Author: Patrick Schleizer -Date: Mon Mar 4 11:48:30 2024 +0000 - - bumped changelog version - -commit 6b76373395622bac0e701c6d15c6656658febced -Author: Patrick Schleizer -Date: Mon Mar 4 06:44:26 2024 -0500 - - fix panic-on-oops started every 10s in Qubes-Whonix - - by changing from a /etc/profile.d etc. related mechanism to start to a systemd unit file based approach - - Thanks to @marmarek for the bug report! 
- - https://forums.whonix.org/t/panic-on-oops-started-every-10s/19450 - -commit af6c6971a741c69a584ba3f92dbfed12e40784dc -Author: Patrick Schleizer -Date: Mon Mar 4 06:33:51 2024 -0500 - - comment - -commit e013070e0bfc43d006e09ae1c5ae3533f7bebc5f -Author: Patrick Schleizer -Date: Mon Mar 4 06:33:21 2024 -0500 - - newline - -commit a5cc1774f2fbf6475e7b56601fbcd84a2a63fed0 -Author: Patrick Schleizer -Date: Mon Feb 26 13:32:44 2024 +0000 - - bumped changelog version - -commit 808e72f24bf30b3476ab6b87f96eb636632c195c -Author: Patrick Schleizer -Date: Mon Feb 26 08:11:26 2024 -0500 - - use long options - - https://github.com/Kicksecure/security-misc/issues/172 - -commit 2d1d1b246f3fe061d4f817da5cecf46010839e1d -Author: Patrick Schleizer -Date: Mon Feb 26 08:07:29 2024 -0500 - - improve output - - https://github.com/Kicksecure/security-misc/issues/172 - -commit d8f5376c4f36f5deb734e6dead42a62566d13480 -Author: Patrick Schleizer -Date: Mon Feb 26 07:58:06 2024 -0500 - - improve output - - https://github.com/Kicksecure/security-misc/issues/172 - -commit cf84762a3a84d2be3b9510dddb32bdc433170dfa -Author: Patrick Schleizer -Date: Mon Feb 26 07:52:41 2024 -0500 - - improve output - - https://github.com/Kicksecure/security-misc/issues/172 - -commit f2958bbfa5e67ee10380a25d996826233469080a -Author: Patrick Schleizer -Date: Mon Feb 26 07:49:30 2024 -0500 - - comment - -commit bc8f9edc3197e33e75ea1d691834d9abbdcdefd0 -Merge: 02d6f677 b23d1673 -Author: Patrick Schleizer -Date: Mon Feb 26 07:48:19 2024 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit b23d167342ef242a1e9d4e91b6a4b945e80c3e7e -Merge: 02d6f677 ef44ecea -Author: Patrick Schleizer -Date: Mon Feb 26 07:46:02 2024 -0500 - - Merge pull request #204 from DanWin/sysfs-mount - - Make /sys hardening optional and allow access to /sys/fs to make polkit work - -commit 02d6f67741ef93d9ab39e02ac56b27c551a19dca -Author: Patrick Schleizer -Date: Thu Feb 22 20:08:17 2024 +0000 - - bumped changelog version - 
-commit d13d1aa7ec7e9ac9f1aa87e4b36228bfd3af6eb2 -Author: Patrick Schleizer -Date: Thu Feb 22 15:07:53 2024 -0500 - - comments - -commit a1f898e3b317f49a5bb9507c8b9d3bd3c4e23abf -Author: Patrick Schleizer -Date: Thu Feb 22 19:58:01 2024 +0000 - - bumped changelog version - -commit c3dd178b19be8c078ed6a2f46a072bef3d144c06 -Author: Patrick Schleizer -Date: Thu Feb 22 14:57:50 2024 -0500 - - output - -commit ef44ecea44ee516b1ba92175eb78b2e8143c4502 -Author: Daniel Winzen -Date: Thu Feb 22 16:51:23 2024 +0100 - - Add option to disabe /sys hardening - -commit 3bc1765dbbd333a1d607ab6962281b4d0a5c4b60 -Author: Daniel Winzen -Date: Wed Feb 21 20:37:34 2024 +0100 - - Allow access to /sys/fs for polkit - -commit 6b73e6c2a9ff1efe211e41e005e4ecaa63731d82 -Author: Patrick Schleizer -Date: Thu Feb 22 16:07:16 2024 +0000 - - bumped changelog version - -commit 37a7abdf0c1e6d8179bd09d3c1bd0363e8bc0a96 -Author: Patrick Schleizer -Date: Thu Feb 22 11:07:01 2024 -0500 - - ConditionKernelCommandLine=!remountsecure=0 - -commit eb3e0b9292f71a5dba312500508f893779fb1b9c -Author: Patrick Schleizer -Date: Thu Feb 22 14:52:55 2024 +0000 - - bumped changelog version - -commit c0924321b84874ae7fc72c59fd58e4c4ae8bc6d9 -Author: Patrick Schleizer -Date: Thu Feb 22 09:52:36 2024 -0500 - - fix systemd unit ExecStart - -commit d148a769b7106831c0b27a7ad63d91ab42257678 -Author: Patrick Schleizer -Date: Thu Feb 22 14:50:05 2024 +0000 - - bumped changelog version - -commit 6d7cf3c12a8a772fee1cd893d5504767690b3b77 -Author: Patrick Schleizer -Date: Thu Feb 22 09:49:48 2024 -0500 - - output - -commit f7831db197b2fff33b66eeb44efd749e482315e0 -Author: Patrick Schleizer -Date: Thu Feb 22 09:17:41 2024 -0500 - - do not exit non-zero if folder does not exist - -commit 5bdd7b8475bdfde8dbee5318fb43d0c2a236e3b0 -Author: Patrick Schleizer -Date: Thu Feb 22 09:14:52 2024 -0500 - - output - -commit 44a15cd97da3066e39d2d7df1f456e703036a6e9 -Author: Patrick Schleizer -Date: Thu Feb 22 09:13:56 2024 -0500 - - mount 
--make-private - - https://github.com/Kicksecure/security-misc/issues/172 - -commit c0f98b05b609c7c8ac6f86e123af9e0642d82697 -Author: Patrick Schleizer -Date: Thu Feb 22 06:03:59 2024 -0500 - - comment - - https://github.com/Kicksecure/security-misc/pull/202 - -commit 1e1613aa93dca1e7fe7f24dbd32028a0cadd21fd -Author: Patrick Schleizer -Date: Thu Feb 22 06:02:28 2024 -0500 - - allow /opt exec as usually optional binaries are placed there such as firefox - - https://github.com/Kicksecure/security-misc/pull/202 - -commit 7c7b4b24b4959f3ef96ff7ef0b11fa4c0bd48c8e -Author: Patrick Schleizer -Date: Thu Feb 22 06:01:00 2024 -0500 - - fix home_noexec_maybe -> most_noexec_maybe - - https://github.com/Kicksecure/security-misc/pull/202 - -commit 38783faf60b85c4e855bf78c87e1c07765776b50 -Author: Patrick Schleizer -Date: Thu Feb 22 05:58:53 2024 -0500 - - add more bind mounts of mount options hardening - - as suggested in https://github.com/Kicksecure/security-misc/pull/202 - -commit ad9d913902d7e696f1114da74d84f9cdcb22bc25 -Author: Patrick Schleizer -Date: Sat Feb 3 18:28:27 2024 +0000 - - bumped changelog version - -commit 02090da08cfd411314ffeeb6df95f73c701f06c6 -Merge: 8037ce52 ba13657d -Author: Patrick Schleizer -Date: Sat Feb 3 12:51:07 2024 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit ba13657d894f2f30d8deb7c08b85e5fbc1dcea21 -Merge: 8037ce52 b16c99ab -Author: Patrick Schleizer -Date: Sat Feb 3 12:50:28 2024 -0500 - - Merge pull request #197 from raja-grewal/mitigations - - Additional Explicit CPU Mitigations - -commit b16c99ab62a902b1f61b9d4fe63273cd614e757c -Author: raja-grewal -Date: Mon Jan 29 13:39:40 2024 +0000 - - Remove hardcoded `spec_rstack_overflow` setting - -commit 139b10a9aad85018f87bdc4bb227e938f7955235 -Author: raja-grewal -Date: Mon Jan 29 12:59:13 2024 +0000 - - Control RAS overflow mitigation on AMD Zen CPUs - -commit 6c54e35027e86ec045102cd1d95f84aa30bc55c9 -Author: raja-grewal -Date: Mon Jan 29 12:58:51 2024 +0000 - - 
Enable mitigations for RETBleed vulnerability and disable SMT - -commit 4509a5fc95204080f2855849d22c7e05393455d9 -Author: raja-grewal -Date: Mon Jan 29 12:58:14 2024 +0000 - - Enable known mitigations for CPU vulnerabilities and disable SMT - -commit 4231155efa0970d2456b67cc89c8828b0766cf7f -Author: raja-grewal -Date: Mon Jan 29 12:57:48 2024 +0000 - - Add reference for kernel parameters - -commit 8037ce52f96dcc6f8007c1567daf38ff013352d6 -Author: Patrick Schleizer -Date: Thu Jan 25 13:59:29 2024 +0000 - - bumped changelog version - -commit 185bfe749787a8c6e93103ae8c6b0751a169e276 -Author: Patrick Schleizer -Date: Thu Jan 25 06:54:36 2024 -0500 - - use `interest-noawait` instead of `interest-await` - - fixes https://github.com/Kicksecure/security-misc/issues/196 - -commit 64e41b113cae893d1f27f441f99340389ba8b9b3 -Author: Patrick Schleizer -Date: Thu Jan 18 14:10:51 2024 +0000 - - bumped changelog version - -commit 1855fa08b1386b1ea8697767104e7ad0f1521c9c -Author: Patrick Schleizer -Date: Thu Jan 18 08:54:39 2024 -0500 - - readme - -commit f0e2a82b558f64611f037424c6f8f12de32737f6 -Author: Patrick Schleizer -Date: Wed Jan 17 19:18:25 2024 +0000 - - bumped changelog version - -commit 314e5b490c6864b745fbf5fd6d9bb2c724d478b8 -Author: Patrick Schleizer -Date: Wed Jan 17 14:03:09 2024 -0500 - - use wildcards - - instead of outdated, incomplete list - - https://github.com/Kicksecure/security-misc/issues/160 - -commit 08619d6a7307b6ab05a3ba7e71ea33b00db20b27 -Author: Patrick Schleizer -Date: Wed Jan 17 13:59:36 2024 -0500 - - minor RPM updates - - https://github.com/Kicksecure/security-misc/issues/160 - -commit 3048e0ac76e4eba1c53b43ba2424157505578cdd -Author: Patrick Schleizer -Date: Wed Jan 17 13:54:07 2024 -0500 - - usrmerge - - https://github.com/Kicksecure/security-misc/issues/190 - -commit 5a6cd4c2abd243c91575e9477a921aa290c68ba5 -Author: Patrick Schleizer -Date: Wed Jan 17 13:51:30 2024 -0500 - - remove now empty /bin from copying since it is empty after usrmerge - - 
https://github.com/Kicksecure/security-misc/issues/190 - -commit 071b984a1eaaa8a8ea6a40e4ee36eabcde2d630d -Author: Patrick Schleizer -Date: Wed Jan 17 13:49:05 2024 -0500 - - `sort -d` - - https://github.com/Kicksecure/security-misc/issues/190 - -commit 011e55e3e52485ccd728b4bb249efbc816f38806 -Author: Patrick Schleizer -Date: Wed Jan 17 13:45:17 2024 -0500 - - remove duplicates after usrmerge - - https://github.com/Kicksecure/security-misc/issues/190 - -commit 0efee2f50fd38feade7700c2f033cc3d4c200d34 -Author: Patrick Schleizer -Date: Wed Jan 17 13:39:56 2024 -0500 - - usrmerge - - fixes https://github.com/Kicksecure/security-misc/issues/190 - -commit 18a06935e0cca3dc090643aad406d861e4583085 -Author: Patrick Schleizer -Date: Wed Jan 17 13:23:20 2024 -0500 - - run permission hardener when new packages are install files to /usr or /opt - - (basically anywhere) - - fixes https://github.com/Kicksecure/security-misc/issues/189 - -commit 66e6371221c3395a0523e30e8ef1a051d3e6cdd0 -Author: Patrick Schleizer -Date: Tue Jan 16 14:26:34 2024 +0000 - - bumped changelog version - -commit 0d78ecaee37536379ad2f230f45904f57425cb19 -Author: Patrick Schleizer -Date: Tue Jan 16 09:26:21 2024 -0500 - - README - -commit 3ba8fe586e1abe133bd41076278f8663aba7e641 -Author: Patrick Schleizer -Date: Tue Jan 16 09:23:54 2024 -0500 - - update permission-hardener.service - - Which is now only an additional opt-in systemd unit, - because permission-hardener is run by default at security-misc - package installation time. 
- - https://github.com/Kicksecure/security-misc/pull/181 - -commit 186f6015da7b3314c95c2833032c6fe953a71afd -Author: Patrick Schleizer -Date: Tue Jan 16 14:14:18 2024 +0000 - - bumped changelog version - -commit 6aa55698ab2a0f3771d28293d7ad14da2763a16f -Author: Patrick Schleizer -Date: Tue Jan 16 09:10:59 2024 -0500 - - delete legacy folder /etc/permission-hardening.d if empty - - https://github.com/Kicksecure/security-misc/pull/181 - -commit 9cafd78fe21baa3c2a36853f57e0638b2facfe5c -Author: Patrick Schleizer -Date: Tue Jan 16 09:05:09 2024 -0500 - - rm_conffile /etc/permission-hardening.d - - https://github.com/Kicksecure/security-misc/pull/181 - -commit fa53848b5cda135fbb8a3855e8508692084fc7e9 -Author: Patrick Schleizer -Date: Tue Jan 16 13:58:55 2024 +0000 - - bumped changelog version - -commit 4f7973bc5628cdc24f5224bd98858249307635d3 -Author: Patrick Schleizer -Date: Tue Jan 16 08:56:26 2024 -0500 - - comment - -commit ed7c09fc46b26440439adf748f597da277a3f1e4 -Author: Patrick Schleizer -Date: Tue Jan 16 08:45:13 2024 -0500 - - permission-hardening -> permission-hardener migration - - mv --verbose /var/lib/permission-hardening /var/lib/permission-hardener - - https://github.com/Kicksecure/security-misc/pull/181 - -commit a90cd43631216f28a18a1b3f066b9f6ef3301ac4 -Author: Patrick Schleizer -Date: Tue Jan 16 08:32:52 2024 -0500 - - fix postinst for new permission-hardener - - https://github.com/Kicksecure/security-misc/pull/181 - -commit 862bf6b5ab29917138325023eb3507f5fbd5653c -Merge: dc8d9eec bc02c720 -Author: Patrick Schleizer -Date: Tue Jan 16 08:19:28 2024 -0500 - - Merge remote-tracking branch 'ben-grande/clean' - -commit dc8d9eece32dec06e63c580c886a240019b3f33e -Author: Patrick Schleizer -Date: Tue Jan 9 05:52:49 2024 +0000 - - bumped changelog version - -commit 1199871d7bbc7316a7e5822d77eee0666b55b203 -Author: Patrick Schleizer -Date: Sun Jan 7 06:37:34 2024 -0500 - - undo IPv6 privacy due to potential server issues - - 
https://github.com/Kicksecure/security-misc/issues/184 - -commit 128bb01b35d20e97351dfb53768f35482f9756a2 -Author: Patrick Schleizer -Date: Sun Jan 7 06:36:25 2024 -0500 - - undo IPv6 privacy due to potential server issues - - https://github.com/Kicksecure/security-misc/issues/184 - -commit df0f9d3267644c4aea87add2dcade86044c496f0 -Author: Patrick Schleizer -Date: Sat Jan 6 09:19:57 2024 -0500 - - README - -commit 86f91e3030ef0b08000fc28a3a172e6a47918e4e -Author: Patrick Schleizer -Date: Sat Jan 6 09:10:45 2024 -0500 - - revert umask 027 by default - - because broken because this also happens for root while it should not - - https://github.com/Kicksecure/security-misc/issues/185 - -commit 3f1304403fbf04f15dac01963c66f82cd84452d4 -Author: Patrick Schleizer -Date: Sat Jan 6 08:15:31 2024 -0500 - - disable MAC randomization in Network Manager (NM) because it breaks VirtualBox DHCP - - https://github.com/Kicksecure/security-misc/issues/184 - -commit e8f8dcd0fb1c23a62974849f55516da9dce5948e -Author: Patrick Schleizer -Date: Thu Jan 4 02:03:26 2024 +0000 - - bumped changelog version - -commit 70a86fa994c0a894643e876fc86226ad0443a741 -Merge: db0503e7 71060f1f -Author: Patrick Schleizer -Date: Wed Jan 3 05:12:48 2024 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 71060f1f53ca7a275f10c4b6ab3e6c25585d5440 -Merge: db0503e7 74afcc9c -Author: Patrick Schleizer -Date: Wed Jan 3 05:00:41 2024 -0500 - - Merge pull request #182 from raja-grewal/io_uring - - Clarify validity of disabling io_uring - -commit 74afcc9c63ad064f20778ad2870690925c3cee81 -Author: Raja Grewal -Date: Wed Jan 3 17:52:23 2024 +1100 - - Clarify validity of disabling io_uring - -commit bc02c72018d6458d4c1852dd441287b277421514 -Author: Ben Grande -Date: Tue Jan 2 17:08:45 2024 +0100 - - Fix unbound variable - - - Run messages preceded by INFO; - - Comment unknown unused variables; - - Remove unnecessary variables; and - - Deal with unbound variable due to subshell by writing to a file; 
- -commit db0503e71d5c37865cbb0a01cb8fa00af2a4e574 -Author: Patrick Schleizer -Date: Tue Jan 2 14:55:13 2024 +0000 - - bumped changelog version - -commit abf72c2ee4286ec069f75e66acf05a42f3645c89 -Author: Ben Grande -Date: Tue Jan 2 13:34:29 2024 +0100 - - Rename file permission hardening script - - Hardener as the script is the agent that is hardening the file - permissions. - -commit f138cf0f78c03e3952801d01d25d5f8065ff1457 -Author: Ben Grande -Date: Tue Jan 2 12:17:16 2024 +0100 - - Refactor permission-hardener - - - Organize comments from default configuration; - - Apply and undo changes from a single file controlled by parameters; - - Arrays should be evaluated as arrays and not normal variables; - - Quote variables; - - Brackets around variables; - - Standardize test cases to "test" command; - - Test against empty or non-empty variables with "-z" and "-n"; - - Show a usage message when necessary; - - Require root to run the script with informative message; - - Permit the user to see the help message without running as root; - - Do not create root directories without passing root check; - - Use long options for "set" command; - -commit a94f2a3f4626a9292660bc7f98a6513f34d0f5b2 -Merge: 94c0e26a 8daf97ab -Author: Patrick Schleizer -Date: Tue Jan 2 05:30:49 2024 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 8daf97ab0181a9cbb9e9dec57f1f00270dbb3a50 -Merge: 94c0e26a f055fe5d -Author: Patrick Schleizer -Date: Tue Jan 2 05:29:35 2024 -0500 - - Merge pull request #178 from raja-grewal/io_uring - - Disable asynchronous I/O - -commit 94c0e26a082f61f71e89b1fb7386a58166ffa411 -Author: Patrick Schleizer -Date: Fri Dec 29 20:15:50 2023 +0000 - - bumped changelog version - -commit 5b36599c0ce35857239c82459828db1ec4215411 -Author: Patrick Schleizer -Date: Fri Dec 29 14:57:38 2023 -0500 - - /dev/, /dev/shm, /tmp - - https://github.com/Kicksecure/security-misc/issues/157#issuecomment-1869073716 - -commit e15596e7af6fc645dd652c043397baaa91954915 
-Author: Patrick Schleizer -Date: Mon Dec 25 16:28:10 2023 +0000 - - bumped changelog version - -commit f64a869bfdd4c746afd206367885851946deb692 -Author: Patrick Schleizer -Date: Mon Dec 25 11:03:22 2023 -0500 - - readme - -commit c86c83cef760906a0d1c56ee8a8c744b2e07f212 -Author: Patrick Schleizer -Date: Mon Dec 25 10:31:58 2023 -0500 - - formatting - - https://github.com/Kicksecure/security-misc/issues/157 - -commit 971ff687b1423499c54495a03e5e6fafcbfefb2a -Author: Patrick Schleizer -Date: Mon Dec 25 10:30:35 2023 -0500 - - do not mount /dev/cdrom by default - - https://github.com/Kicksecure/security-misc/issues/157 - -commit 9fce67fcd942a7e3e0dd2e874226fcdab5e33ba3 -Author: Patrick Schleizer -Date: Mon Dec 25 10:28:47 2023 -0500 - - remove superfluous, broken `remount` mount option - - https://github.com/Kicksecure/security-misc/issues/157 - -commit 40fd8cb6081512e2bc0ef1a7a1ee17cd317024c2 -Author: Patrick Schleizer -Date: Mon Dec 25 09:51:09 2023 -0500 - - no `nofail` mount option to avoid breaking the boot of a system - - unit testing belongs elsewhere - - https://github.com/Kicksecure/security-misc/issues/157 - -commit 4aa645f29ff741b6e5cdf629deade1923fdcc234 -Author: Patrick Schleizer -Date: Mon Dec 25 09:46:33 2023 -0500 - - comment - - https://github.com/Kicksecure/security-misc/issues/157 - -commit 2b7aeedb4a543d0a43a35918999338097d13bb16 -Author: Patrick Schleizer -Date: Mon Dec 25 09:44:51 2023 -0500 - - mount /dev/cdrom to /mnt/cdrom (instead of /mnt/cdrom0) and - nodev,nosuid,noexec - - as per: - https://www.debian.org/doc/manuals/securing-debian-manual/ch04s10.en.html - - https://github.com/Kicksecure/security-misc/issues/157 - -commit 0d9e9780daca563a726470a3a5d6fa8c20487240 -Author: Patrick Schleizer -Date: Mon Dec 25 09:37:14 2023 -0500 - - formatting - - https://github.com/Kicksecure/security-misc/issues/157 - -commit 00f9ab43947795c1144d797547968c7c149d6f21 -Author: Patrick Schleizer -Date: Mon Dec 25 09:36:05 2023 -0500 - - /dev devtmpfs - - 
https://github.com/Kicksecure/security-misc/issues/157 - -commit 55709b3aa0acd6cad0c9fedb8782c49fbea79689 -Author: Patrick Schleizer -Date: Mon Dec 25 09:30:57 2023 -0500 - - /tmp tmpfs - - https://github.com/Kicksecure/security-misc/issues/157 - -commit b0dd967611c27f5b8e2472bb74a664aead7a229e -Author: Patrick Schleizer -Date: Mon Dec 25 09:27:45 2023 -0500 - - usrmerge - - https://github.com/Kicksecure/security-misc/issues/157 - -commit 269fada14a616c53d7421e88e662f6893eb1fd88 -Author: Patrick Schleizer -Date: Mon Dec 25 09:25:14 2023 -0500 - - combine bind lines - - https://github.com/Kicksecure/security-misc/issues/157 - -commit 0810c1ce3c9e19c745b8f0d2cd9410353b172779 -Author: Patrick Schleizer -Date: Mon Dec 25 09:10:31 2023 -0500 - - fix bluetooth in readme - - fixes https://github.com/Kicksecure/security-misc/issues/180 - -commit 37b4ab15a823134e616a2a0fe1dda18d5ebfa3c0 -Author: Patrick Schleizer -Date: Mon Dec 25 09:04:10 2023 -0500 - - readme - -commit 79f398d219b9c4cdf8ea0f9e3135a08fa32659a8 -Author: Patrick Schleizer -Date: Mon Dec 25 08:45:20 2023 -0500 - - formatting - -commit c90ada3c398205227d906e2b2108d36d92edcf3c -Author: Patrick Schleizer -Date: Mon Dec 25 08:37:23 2023 -0500 - - pandoc -f markdown -t markdown --wrap=auto --columns=80 README.md -o README.md - -commit 34bf297bd17af2adf59804bd133a00b7dc1942b7 -Author: Patrick Schleizer -Date: Mon Dec 25 08:32:34 2023 -0500 - - formatting - -commit d5fc9f620169b6975c8d3ef685f47e62cb6b9262 -Author: Patrick Schleizer -Date: Mon Dec 25 08:26:03 2023 -0500 - - improve bluetooth in readme - - as suggested by @monsieuremre - - https://github.com/Kicksecure/security-misc/issues/180 - -commit 7fa597deca7ff2b2932a5f5fad56be57bd78b6cf -Author: Patrick Schleizer -Date: Fri Dec 22 16:31:58 2023 +0000 - - bumped changelog version - -commit f70a034da2b4b615855504e7080baf1a7e7b461c -Author: Patrick Schleizer -Date: Fri Dec 22 08:31:58 2023 -0500 - - exclude hardened malloc from SUID disabler - - fixes 
https://github.com/Kicksecure/security-misc/issues/179 - -commit f055fe5da2219b68f46c3c577d79fcfd7e79cfc6 -Author: Raja Grewal -Date: Fri Dec 15 08:33:36 2023 +0000 - - Disable asynchronous I/O - - io_uring creation is disabled for all processes. io_uring_setup always fails with -EPERM. Existing io_uring instances can still be used. - -commit 99f2edd4f685cdc9a47b32107125408e12a294c2 -Author: Patrick Schleizer -Date: Tue Dec 12 16:51:21 2023 +0000 - - bumped changelog version - -commit 039de1dc9bd6f3cc6595d66f54d0d88d9b537b17 -Author: Patrick Schleizer -Date: Tue Dec 12 11:50:11 2023 -0500 - - add hardened fstab `/usr/share/doc/security-misc/fstab-vm` - - to the documentation folder as an example - - not directly used by security-misc - - will later be used by Kicksecure VM build process - - https://github.com/Kicksecure/security-misc/issues/157 - -commit dcaafa6c8bf380dd990942e9c10e280943b442a6 -Author: Patrick Schleizer -Date: Mon Dec 4 17:06:45 2023 +0000 - - bumped changelog version - -commit 5a73817a9575fe5bcaf3fd354e5f175db7d45ba4 -Author: Patrick Schleizer -Date: Mon Dec 4 11:38:49 2023 -0500 - - move to `/usr/lib/issue.d/20_security-misc.issue` - - https://github.com/Kicksecure/security-misc/pull/167 - -commit dfaea492c76a277b9cbe84982a135cb4f03a557c -Author: Patrick Schleizer -Date: Mon Dec 4 11:37:02 2023 -0500 - - remove `etc/issue.net.d/20_security-misc` - - since not mentioned on debian.org - -commit 69c895af09f05000ace5f273f3e5032aabf8c64e -Merge: c9ea7a4d 36850f89 -Author: Patrick Schleizer -Date: Mon Dec 4 11:27:53 2023 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 36850f89fb07678ca24eb580a18247e593eac608 -Merge: c9ea7a4d 0d7af970 -Author: Patrick Schleizer -Date: Mon Dec 4 11:27:16 2023 -0500 - - Merge pull request #167 from monsieuremre/patch-4 - - Non-Identifiable and Generic Issue Banners that include the Recommended Keywords - -commit c9ea7a4dca6e985c3a1044a3b4ddda83909fbc51 -Author: Patrick Schleizer -Date: Mon Dec 
4 11:02:55 2023 -0500 - - use `amd_iommu=force_isolation` instead of `amd_iommu=force_enable` - - because we set `iommu=force` already anyhow - - fixes https://github.com/Kicksecure/security-misc/issues/175 - -commit e83c1d7ed662bb0533c670dd5b7a6745a75e9ca4 -Merge: c4e21ca5 befd21e0 -Author: Patrick Schleizer -Date: Mon Dec 4 11:01:02 2023 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit befd21e0c0c38eaf91c7096e9f60120f533a5842 -Merge: c4e21ca5 f2ad8383 -Author: Patrick Schleizer -Date: Mon Dec 4 11:00:29 2023 -0500 - - Merge pull request #176 from monsieuremre/patch-1 - - Iommu Kernel Parameters - -commit c4e21ca5f49fbc2d67853eebca647539acbca815 -Author: Patrick Schleizer -Date: Mon Dec 4 10:58:16 2023 -0500 - - added development philosophy - - https://github.com/Kicksecure/security-misc/issues/154 - -commit feab1432f9d0966118ca233c9f88270b98c3f120 -Author: Patrick Schleizer -Date: Mon Dec 4 10:48:27 2023 -0500 - - clarify scope - - https://github.com/Kicksecure/security-misc/issues/154 - -commit dc04040cb3644c9e3be9b44a34da4a5f7b61f2cc -Author: Patrick Schleizer -Date: Mon Dec 4 10:36:48 2023 -0500 - - typo - -commit 2634dbff2bd9d7482e7b02be2b5b6fa1c58ef6c7 -Author: Patrick Schleizer -Date: Mon Dec 4 10:36:21 2023 -0500 - - shuffle - -commit f2ad8383cfea4bba42e8b246b05b85101d707641 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Sun Dec 3 19:51:38 2023 +0000 - - fix - -commit dd15823a97e953750d7a8288c7d3b8d5f554d6f9 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Sun Dec 3 19:50:07 2023 +0000 - - undo superfluousness - -commit 83e13bb62d028cfeea7a4d3f3def3bff8d2b5eaa -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Sun Dec 3 19:42:34 2023 +0000 - - Update 40_enable_iommu.cfg - -commit 0d7af9707f802fb600d9eb39bbe0b3bd4a65e3b0 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Sun Dec 3 19:31:12 2023 +0000 - - Update 
20_security-misc - -commit 04d27a10b0cd1c22cb166c9fccb93a09d5f388f0 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Sun Dec 3 19:30:55 2023 +0000 - - Update 20_security-misc - -commit 7963f811e1bb6f5e0e2ba41e96b14e4a3a70f847 -Merge: c8b9f5a9 82bd9138 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Sun Dec 3 19:30:22 2023 +0000 - - Merge branch 'Kicksecure:master' into patch-4 - -commit 82bd9138de750a3590be9c91c898cbd04c550e7e -Author: Patrick Schleizer -Date: Mon Nov 20 13:13:10 2023 +0000 - - bumped changelog version - -commit c2b3ff5243c69c4e1ba28e9966bf0ffd3ce550ce -Author: Patrick Schleizer -Date: Mon Nov 20 04:40:28 2023 -0500 - - moved libpam-tmpdir dependency to kicksecure-meta-packages - - https://github.com/Kicksecure/security-misc/pull/147 - -commit c8b9f5a917e6c415575d6763a65930f1a91a7c78 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Sat Nov 18 10:03:19 2023 +0000 - - net - -commit 3b614f3753608bd62ff6bc6e56e15f280994c646 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Sat Nov 18 10:02:16 2023 +0000 - - 20_security-misc - -commit 7c8b9b294678056d684fd3dc22f012d75da40426 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Fri Nov 17 17:14:01 2023 +0000 - - 30_security-misc.conf - -commit 7d31e17fc5a8fe3055568c1a0f541dea064f30a0 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Fri Nov 17 17:02:41 2023 +0000 - - usbguard - -commit 4e4df5dd7c6b5cf1deb179a2c3f8fe7a8844884d -Author: Patrick Schleizer -Date: Sat Nov 11 22:29:57 2023 +0000 - - bumped changelog version - -commit a51674410cb8a7ac2119ea7c85f986223ce8fc25 -Author: Patrick Schleizer -Date: Sat Nov 11 17:29:37 2023 -0500 - - fix - -commit 8d58077d68e6363313cdc62f7fac14840f5d9a8e -Author: Patrick Schleizer -Date: Sat Nov 11 20:22:34 2023 +0000 - - bumped changelog version - -commit 5b85a0b34d30d191654158506e0209b34a8f9fe8 
-Author: Patrick Schleizer -Date: Sat Nov 11 14:46:35 2023 -0500 - - license - -commit 7757080519858492a7fcbf735ec854029b29d67a -Author: Patrick Schleizer -Date: Sat Nov 11 13:41:28 2023 -0500 - - change license to AGPL-3+ - - https://forums.whonix.org/t/license-change-to-agplv3/17455 - -commit 20f804f19c046e3ef2b38c367de9d5c80cccccd9 -Author: Patrick Schleizer -Date: Mon Nov 6 17:28:21 2023 -0500 - - bumped changelog version - -commit a1e00be0e09a7271a3fae9e9abdbe9a2279b7197 -Author: Patrick Schleizer -Date: Mon Nov 6 16:58:23 2023 -0500 - - update link - -commit 5bb357cac02c7217f4e897a0625f531602ac69cf -Author: Patrick Schleizer -Date: Mon Nov 6 16:55:00 2023 -0500 - - spice-client-glib-usb-acl-helper matchwhitelist - -commit 7309445ee518c093ba3f9aec56197e391e0a194a -Author: Patrick Schleizer -Date: Mon Nov 6 16:52:27 2023 -0500 - - comment - -commit f09d97fc9efc98d8b197a497e2ce4c5965be531a -Author: Patrick Schleizer -Date: Mon Nov 6 16:50:19 2023 -0500 - - whitelist VirtualBox - -commit 64c8c7a8d5a42d2e3da9ce243bc708d1bcbe6039 -Author: Patrick Schleizer -Date: Mon Nov 6 16:47:31 2023 -0500 - - whitelist SSH - -commit 9682b51d548396717867a0c336f1fb1677ccfe2b -Author: Patrick Schleizer -Date: Mon Nov 6 16:44:36 2023 -0500 - - whitelist virtualbox - -commit a40b9bc095bb0f363911dacee050234b3a555744 -Author: Patrick Schleizer -Date: Mon Nov 6 16:40:22 2023 -0500 - - comments - -commit 2c1a3da433b8dc96039caab17e81666896ade58c -Author: Patrick Schleizer -Date: Mon Nov 6 16:38:50 2023 -0500 - - VirtualBoxVM matchwhitelist - -commit 4e96ffaabb7c2e73bf686e56bcaa220f4d2e9e93 -Author: Patrick Schleizer -Date: Mon Nov 6 16:37:19 2023 -0500 - - chrome-sandbox matchwhitelist - -commit df5f3e80566da210ee5d807cc1b5dd53678fdae0 -Author: Patrick Schleizer -Date: Mon Nov 6 16:36:22 2023 -0500 - - output - -commit 72f6e6bb9c2426535bfc48175d88707331ec5346 -Author: Patrick Schleizer -Date: Mon Nov 6 16:28:23 2023 -0500 - - output - -commit 3bc831a1f71a80a178601bdd5c7f06b22ada75ab 
-Author: Patrick Schleizer -Date: Mon Nov 6 16:27:29 2023 -0500 - - lintian - -commit fd1f38b2ebe31aec04b22d968b38305504f7f935 -Author: Patrick Schleizer -Date: Mon Nov 6 16:22:42 2023 -0500 - - remount-secure systemd unit - - https://github.com/Kicksecure/security-misc/pull/152 - -commit 79f9c1fb3adac319342a22c099401cb21af4429f -Author: Patrick Schleizer -Date: Mon Nov 6 15:48:09 2023 -0500 - - add sysinit-post.target - - https://github.com/Kicksecure/security-misc/pull/152 - -commit 2de5ab41201c561a2684f15196ce37b0f34038a9 -Author: Patrick Schleizer -Date: Mon Nov 6 13:47:30 2023 -0500 - - clarify scope of application specific hardening - - fixes https://github.com/Kicksecure/security-misc/issues/154 - -commit 5a96616b39e7188903bd0d35c9812a02fddc02f9 -Author: Patrick Schleizer -Date: Sun Nov 5 21:13:14 2023 -0500 - - bumped changelog version - -commit ad079ac5cc4d7ce2270e9abf21fa520fc9b2761f -Author: Patrick Schleizer -Date: Sun Nov 5 20:55:55 2023 -0500 - - readme - - https://github.com/Kicksecure/security-misc/pull/152 - -commit be023c77223c4ec0e26ffe2a88acd94653efee9a -Author: Patrick Schleizer -Date: Sun Nov 5 20:54:43 2023 -0500 - - readme - - https://github.com/Kicksecure/security-misc/issues/159 - -commit e1f413c1ee5107468cb2a9c4aa8bd061d0dc911b -Author: Patrick Schleizer -Date: Sun Nov 5 20:53:26 2023 -0500 - - disable harden-module-loading.service for now - - due to issues - - https://github.com/Kicksecure/security-misc/issues/159 - -commit f2ea1abc9b3efc035f4d1381bece458de9b89ff3 -Author: Patrick Schleizer -Date: Sun Nov 5 20:53:03 2023 -0500 - - comment - -commit 95d1cfb4a03afc987cf89bb0f4cd6d2f1ad431b1 -Author: Patrick Schleizer -Date: Sun Nov 5 20:49:36 2023 -0500 - - Revert "remove no longer required remount-service systemd unit" - - This reverts commit 479ab61a1d0c91d26c2cd200d97b39b2b786e073. 
- - https://github.com/Kicksecure/security-misc/pull/152 - -commit 24b4d59ce41bc95e0b0aadf401223dc40b0f9c8f -Author: Patrick Schleizer -Date: Sun Nov 5 20:14:33 2023 -0500 - - bumped changelog version - -commit 4482f1841cfc6caa063e2274db890cfa01944811 -Author: Patrick Schleizer -Date: Sun Nov 5 20:13:14 2023 -0500 - - newline - -commit c5167c8f0d398946fdfae56fa78b32fade4cb451 -Author: Patrick Schleizer -Date: Sun Nov 5 20:12:03 2023 -0500 - - fix systemd unit - - https://github.com/Kicksecure/security-misc/issues/159 - -commit 2571bbf315693f65f564ef4ad1b2ff4941f2ebc3 -Author: Patrick Schleizer -Date: Sun Nov 5 18:42:25 2023 -0500 - - duplicate - -commit aa170878838b2218da8295be8b6898bc86056cec -Author: Patrick Schleizer -Date: Sun Nov 5 18:42:08 2023 -0500 - - update path - -commit d203e539aa975b042cd6ec9608a0cc16b3314372 -Author: Patrick Schleizer -Date: Sun Nov 5 18:17:59 2023 -0500 - - bumped changelog version - -commit 4ebab940c750154a396c4ffdbde61367e12c72f8 -Author: Patrick Schleizer -Date: Sun Nov 5 17:56:35 2023 -0500 - - description too long, fixed - -commit ad010ef5b4c90e4abbd1c88724f99450740fb2eb -Author: Patrick Schleizer -Date: Sun Nov 5 17:52:44 2023 -0500 - - debugging - -commit 826e76d037f88636fdde7d4ef1eb72f29ac5f4a5 -Author: Patrick Schleizer -Date: Sun Nov 5 17:43:33 2023 -0500 - - bumped changelog version - -commit 3130a39d8c280d913fb632a40562438b82a499bb -Author: Patrick Schleizer -Date: Sun Nov 5 17:43:07 2023 -0500 - - set -e - -commit 18a2d814cc0c477599b276bb319ed8bdd34499ea -Merge: 4fda9d2e 36f3c304 -Author: Patrick Schleizer -Date: Sun Nov 5 17:42:28 2023 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 36f3c30440e73c8bf4946742095f0495994fed99 -Merge: 4fda9d2e 2e64d89b -Author: Patrick Schleizer -Date: Sun Nov 5 17:41:56 2023 -0500 - - Merge pull request #148 from monsieuremre/module-loading-hardening - - Harden the loading of new modules to the kernel after install - -commit 
4fda9d2e8459c043ec27178ceb87483229b45d5f -Author: Patrick Schleizer -Date: Sun Nov 5 16:46:18 2023 -0500 - - bumped changelog version - -commit 4219347f0a739ed1ea93a596968295ddcd3a940f -Author: Patrick Schleizer -Date: Sun Nov 5 16:43:44 2023 -0500 - - fix permission-hardener config parsing issue - -commit e72f79236b7b704c60c6920b51c86832f4fda9e3 -Author: Patrick Schleizer -Date: Sun Nov 5 16:41:41 2023 -0500 - - refactoring - -commit dea0d9a78a99c441a1738f88cef2cd3c5f433454 -Author: Patrick Schleizer -Date: Sun Nov 5 16:40:49 2023 -0500 - - fix permission-hardener config parsing issue - -commit 017ae18ad7a757a18c5a7a92677f24053280e8b5 -Author: Patrick Schleizer -Date: Sun Nov 5 16:39:10 2023 -0500 - - fix permission-hardener config parsing issue - -commit 65e3c14643ca2b5167e0f5bc30a6bbc45cb4f645 -Author: Patrick Schleizer -Date: Sun Nov 5 16:35:11 2023 -0500 - - fix permission-hardener config parsing issue - -commit 40e536a9beb48f1938e67ae2010fc34f80e3bd1f -Author: Patrick Schleizer -Date: Sun Nov 5 16:04:03 2023 -0500 - - bumped changelog version - -commit 51decff2fd48c2437b08136e97d4211e5eaccd89 -Author: Patrick Schleizer -Date: Sun Nov 5 16:03:36 2023 -0500 - - exclude qfile-unpacker from permission hardener - -commit 52b6e92e002987952c908eeb05a293dd401ee9be -Author: Patrick Schleizer -Date: Sun Nov 5 15:58:21 2023 -0500 - - bumped changelog version - -commit 1900c1ab07e4d55577815b942b34457596a1d703 -Author: Patrick Schleizer -Date: Sun Nov 5 15:57:49 2023 -0500 - - pam exclude from permission-hardener - -commit 76e3a3c5f9fa5e95b90e4ea3f3ba7019615a3d1a -Author: Patrick Schleizer -Date: Sun Nov 5 15:29:38 2023 -0500 - - bumped changelog version - -commit d4494fd3c341796081dd8c114c8cc97e627c236c -Author: Patrick Schleizer -Date: Sun Nov 5 15:27:09 2023 -0500 - - disable remount-secure dracut modules - - pending new systemd based implementation - - https://github.com/Kicksecure/security-misc/pull/152 - -commit 949c1633701ac168e908794d4dd74c5a9b09a437 -Author: 
Patrick Schleizer -Date: Sun Nov 5 15:14:43 2023 -0500 - - bumped changelog version - -commit 4a19fbae0be2ab99c1f21826eca2ec3cef605a0e -Author: Patrick Schleizer -Date: Sun Nov 5 15:13:01 2023 -0500 - - move permission-hardening to /usr/bin to make it more easily accessible - -commit c75f80b29f2fee3f2ead579390b8d3a8ff86b9d2 -Author: Patrick Schleizer -Date: Sun Nov 5 15:09:29 2023 -0500 - - lower verbosity of permission hardener - - fixes https://github.com/Kicksecure/security-misc/issues/158 - -commit 0544657123100b333211a91ef32054dc7e14c7db -Author: Patrick Schleizer -Date: Sun Nov 5 14:56:06 2023 -0500 - - bumped changelog version - -commit 42be6310237bdb663f38982b221327a337251e0a -Author: Patrick Schleizer -Date: Sun Nov 5 14:54:05 2023 -0500 - - readme - -commit 55ba5d48321ec4224bcbf03cf2bf51226cf34e50 -Author: Patrick Schleizer -Date: Sun Nov 5 14:51:31 2023 -0500 - - renamed: usr/lib/NetworkManager/conf.d/99_ipv6-privacy.conf -> usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf - renamed: usr/lib/NetworkManager/conf.d/99_randomize-mac.conf -> usr/lib/NetworkManager/conf.d/80_randomize-mac.conf - renamed: usr/lib/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf -> usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf - -commit eab5d7d4ec58baaf7eedc777e250ad9f00e4b71b -Author: Patrick Schleizer -Date: Sun Nov 5 14:50:13 2023 -0500 - - cleanup - -commit 811d1cd0dd0dcb9021d2f72638dd6c12b734964c -Merge: 93437952 5a75bcfb -Author: Patrick Schleizer -Date: Sun Nov 5 14:49:43 2023 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 5a75bcfb19ac6c555a52cb1600e4efd13a8cfc06 -Merge: 93437952 229032d6 -Author: Patrick Schleizer -Date: Sun Nov 5 14:49:00 2023 -0500 - - Merge pull request #145 from monsieuremre/wifi-and-bluetooth - - Wifi and Bluetooth Patch | Security and Privacy - -commit 93437952b4f64866dfe6067d8caf19415112418d -Author: Patrick Schleizer -Date: Sun Nov 5 14:41:01 2023 -0500 - - readme - -commit 
f32b5438872ad0b9e10cb7b0519f1f18fce1913e -Merge: 56b90eec 4946f85d -Author: Patrick Schleizer -Date: Sun Nov 5 14:38:20 2023 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 4946f85d43083c64bc3f8f02e26b08f79b622bfe -Merge: 817ca116 1abac794 -Author: Patrick Schleizer -Date: Sun Nov 5 14:37:47 2023 -0500 - - Merge pull request #146 from monsieuremre/thunderbird - - Thunderbird Hardening - -commit 56b90eecbfb21e546d52d1f41ce9361f2843cd71 -Merge: 31786775 817ca116 -Author: Patrick Schleizer -Date: Sun Nov 5 14:35:23 2023 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 817ca116f693893e6dcb69254ee91815d200b8a1 -Merge: d9b5d770 fbd9e5d0 -Author: Patrick Schleizer -Date: Sun Nov 5 14:34:13 2023 -0500 - - Merge pull request #153 from monsieuremre/readme - - Updated Readme - -commit 317867758478619fe1df4ebdb5e22240c40104c0 -Merge: dcead44c d9b5d770 -Author: Patrick Schleizer -Date: Sun Nov 5 14:32:21 2023 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit d9b5d770cfd5f7747f1d606f3136a93034928f30 -Merge: dcead44c ac224b27 -Author: Patrick Schleizer -Date: Sun Nov 5 14:31:26 2023 -0500 - - Merge pull request #150 from monsieuremre/sysreq - - Disable SysRq by default - -commit dcead44cc6d4272b0966562046f9dab1792845b6 -Author: Patrick Schleizer -Date: Sun Nov 5 11:32:46 2023 -0500 - - output - -commit f6bf69b41fa3e1168c2c49884197770e1a78b888 -Author: Patrick Schleizer -Date: Sun Nov 5 11:31:09 2023 -0500 - - update link - -commit 2e64d89b042227fe5f38bb6d6a859deb4c5183b7 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Sat Nov 4 21:18:45 2023 +0000 - - undo unnecessary manual activation - -commit 19eceaa8108879ee5477b157fb2175993c487959 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Sat Nov 4 20:56:46 2023 +0000 - - more fix - -commit a187d23c4187fd08611e5cba85d09666dfd9f735 -Author: monsieuremre 
<130907164+monsieuremre@users.noreply.github.com> -Date: Sat Nov 4 20:56:08 2023 +0000 - - big fix - -commit fbd9e5d017c4b00d838e9f225c7748c4b362f023 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Sat Nov 4 14:33:35 2023 +0000 - - README.md - -commit 97054b2b1076d6d428996967304b29620923eff4 -Author: Patrick Schleizer -Date: Fri Nov 3 15:55:17 2023 -0400 - - revert enabling kernel module signature enforcement - - due to issues - - https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/63 - - https://github.com/dell/dkms/issues/359 - -commit 978e3e4abd8f55a877dfe0d6e39b45ee9f58ba6d -Author: Patrick Schleizer -Date: Fri Nov 3 14:53:40 2023 -0400 - - readme - -commit 0242c04dc26638dc1250e3f681b46d15459cf8aa -Author: Patrick Schleizer -Date: Fri Nov 3 14:51:14 2023 -0400 - - port to DKMS drop-in folder - - undisplace /etc/dkms/framework.conf.security-misc - moved to /etc/dkms/framework.conf.d/30_security-misc.conf - -commit d1b5a3ffd525ec92554ffc9c666f8007c8522aac -Author: Patrick Schleizer -Date: Fri Nov 3 12:55:34 2023 -0400 - - /usr/sbin/pam-tmpdir-helper exactwhitelist - - https://github.com/Kicksecure/security-misc/pull/147 - -commit 48adb44c6fd157673cdf7fab3b86ecf7c6b31966 -Author: Patrick Schleizer -Date: Fri Nov 3 12:17:24 2023 -0400 - - bumped changelog version - -commit b6d53f698d0ad21a31da6bf74a44577a0c8869fc -Author: Patrick Schleizer -Date: Fri Nov 3 12:17:00 2023 -0400 - - Revert "allow loading unsigned modules due to issues" - - This reverts commit 661bcd8603425934188cf139f33e20675ff4b765. 
- -commit 04b210ee88589ef9e6e214d3a5a614780244abc9 -Author: Patrick Schleizer -Date: Fri Nov 3 12:10:48 2023 -0400 - - bumped changelog version - -commit 5e73f78ed9282bf0895b01d44d9c261ea0050cce -Merge: ceffd2b3 8e66a417 -Author: Patrick Schleizer -Date: Fri Nov 3 12:10:33 2023 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 8e66a4177868ee7b51dafdb06062b0cb7cbc7415 -Merge: ceffd2b3 7dc99d54 -Author: Patrick Schleizer -Date: Fri Nov 3 12:10:00 2023 -0400 - - Merge pull request #147 from monsieuremre/PAM-tmp-files-hardening - - Depend on libpam-tmpdir for very solid extra security - -commit 7dc99d54c0358842745ee48c7cc24f589fd63d14 -Author: Patrick Schleizer -Date: Fri Nov 3 12:09:39 2023 -0400 - - fix - -commit 2a602e78d6ca0f87f11de9a30ae2114468243075 -Merge: 3ee4be65 ceffd2b3 -Author: Patrick Schleizer -Date: Fri Nov 3 12:08:50 2023 -0400 - - Merge branch 'master' into PAM-tmp-files-hardening - -commit ceffd2b3ee453122e66f594ec31dde6ec3bb7187 -Author: Patrick Schleizer -Date: Fri Nov 3 12:06:43 2023 -0400 - - bumped changelog version - -commit cdd66ee3762c441843d421a9e6b11a20580ed7ac -Author: Patrick Schleizer -Date: Fri Nov 3 10:48:46 2023 -0400 - - wrap-and-sort - -commit c33a3d9aadcc4c0ff90f330239eff4b7c905a022 -Author: Patrick Schleizer -Date: Fri Nov 3 10:44:48 2023 -0400 - - readme - -commit d71ac03d96c9861513ff56c68aec9090ef5c50bb -Author: Patrick Schleizer -Date: Fri Nov 3 10:36:15 2023 -0400 - - comment - -commit 8326aecdb460fffa450bbf3ec0b051010f87ee2a -Author: Patrick Schleizer -Date: Fri Nov 3 10:33:02 2023 -0400 - - bumped changelog version - -commit b85d48eb83005da8fd9edc658c71493f407e3670 -Author: Patrick Schleizer -Date: Fri Nov 3 10:31:59 2023 -0400 - - do not change default umask for root - - since this causes permission issues in `/etc/` - - https://github.com/Kicksecure/security-misc/pull/151 - -commit 07540db90d60b10cbd10881b0024d8e8871330de -Author: Patrick Schleizer -Date: Fri Nov 3 09:45:12 2023 -0400 - - Revert 
"Revert "set default umask to 027"" - - This reverts commit f8913ceb2e2fdd274011377c41b5d08e7459e4af. - -commit f8913ceb2e2fdd274011377c41b5d08e7459e4af -Author: Patrick Schleizer -Date: Fri Nov 3 09:43:44 2023 -0400 - - Revert "set default umask to 027" - - This reverts commit cd216095eb8d9387437e653d7764ec765ce42a10. - -commit 43bd789c30a562aa60349d019107277a428aece8 -Author: Patrick Schleizer -Date: Fri Nov 3 09:28:08 2023 -0400 - - bumped changelog version - -commit cd216095eb8d9387437e653d7764ec765ce42a10 -Author: Patrick Schleizer -Date: Fri Nov 3 09:12:24 2023 -0400 - - set default umask to 027 - - using package libpam-umask - - https://www.debian.org/doc/manuals/securing-debian-manual/ch04s11.en.html#id-1.5.14.19 - - https://github.com/Kicksecure/security-misc/pull/151 - -commit ac224b270a3a0945d187202f8cca89af0e71a166 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Thu Nov 2 13:01:55 2023 +0000 - - disable sysrq - -commit 07882f61a8003026a9e4c135a6e18a8fd204060f -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Thu Nov 2 10:44:19 2023 +0000 - - enable service on install - - not sure if this would be the right way to do it - -commit 9f063584c1f96267b04f8f7fe0eee773f9345370 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Thu Nov 2 10:28:41 2023 +0000 - - disable-kernel-module-loading - -commit 3e604618a8ba2531553af4f9af00470bd9629615 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Thu Nov 2 10:24:35 2023 +0000 - - harden-module-loading.service - -commit 3ee4be652b28201ba208757ce5144e51c453ad70 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Thu Nov 2 09:36:58 2023 +0000 - - depend on libpam-tmpdir - -commit 1abac794b564d178df37a385cf0d25bac5842c3c -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Thu Nov 2 09:15:20 2023 +0000 - - very secure and private defaults - -commit 
5a583ca48ce608fee4fe55c1d6948505e83a98d8 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Thu Nov 2 08:30:26 2023 +0000 - - typo in file name - -commit 229032d691c614a926cf3cf96b44752364e4e087 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Wed Nov 1 17:54:05 2023 +0000 - - Rename etc/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf to usr/lib/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf - -commit 1049298e7bfa4ca0e8f02b4086f8aa086d51c725 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Wed Nov 1 17:52:40 2023 +0000 - - Update and rename etc/NetworkManager/conf.d/99_randomize-mac.conf to usr/lib/NetworkManager/conf.d/99_randomize-mac.conf - -commit 76e684cc0ac0544219d200eeefae1356864fe702 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Wed Nov 1 17:51:27 2023 +0000 - - Update and rename etc/NetworkManager/conf.d/99_ipv6-privacy.conf to usr/lib/NetworkManager/conf.d/99_ipv6-privacy.conf - -commit a768f1f1ebfc29b0c0105f2965a4290f8dfd8e63 -Author: Patrick Schleizer -Date: Wed Nov 1 12:26:21 2023 -0400 - - bumped changelog version - -commit bb14a058520b13e242fea9f3022c439c4677bd1d -Merge: 5ed2a5ce 44906e8f -Author: Patrick Schleizer -Date: Wed Nov 1 11:11:54 2023 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 44906e8f398aae6e9565b131b82124e738e2d0d1 -Merge: 5ed2a5ce f2c23a28 -Author: Patrick Schleizer -Date: Wed Nov 1 11:11:27 2023 -0400 - - Merge pull request #142 from monsieuremre/patch-5 - - ssh config - -commit 5ed2a5ce4a24a1a9c3e722a30aa9c6af1dc5d78a -Author: Patrick Schleizer -Date: Wed Nov 1 11:10:36 2023 -0400 - - bumped changelog version - -commit bb1161986b6d108c4fc5a16a48cdac55f98ab35d -Merge: 7d576842 b7cddd6e -Author: Patrick Schleizer -Date: Wed Nov 1 10:31:04 2023 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit b7cddd6e552cb5f5139de91ef2aeae6fde691136 -Merge: 
7d576842 c975c3c0 -Author: Patrick Schleizer -Date: Wed Nov 1 10:30:26 2023 -0400 - - Merge pull request #143 from monsieuremre/patch-6 - - new lines 990-security-misc.conf - -commit fc8e201e84e4c777c087fd113c539ca368fd3a31 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Fri Oct 27 14:49:24 2023 +0000 - - rename - -commit 90a88225a4fde2f09cc14b24f8467bb1ded90c9d -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Fri Oct 27 14:38:31 2023 +0000 - - security-misc.maintscript - -commit 13b4ddbb627d2279b41d1dcbe5c8ce1ac384b088 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Fri Oct 27 14:34:21 2023 +0000 - - 30_security-misc.conf - -commit b298d152fc10c66892698d9dcae769a44a32037b -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Fri Oct 27 14:32:08 2023 +0000 - - 30_security-misc.conf - -commit 3d4b04fddc16067ed345074683281e74f41eeadf -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Fri Oct 27 12:35:39 2023 +0000 - - 99_ipv6-privacy.conf - -commit e90f62eaabfeee7483af573ef8e9d015ba1977dc -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Fri Oct 27 12:34:15 2023 +0000 - - 99_randomize_mac.conf - -commit 604d839537c409604ed2c4c88992ea1a31368f6f -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Fri Oct 27 12:30:26 2023 +0000 - - 99_ipv6-privacy-extensions.conf - -commit c975c3c0ff7cc5a1e29b651c2db6c27e3f952870 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Fri Oct 27 11:07:53 2023 +0000 - - new lines 990-security-misc.conf - - added new recommended hardening settings with comments - -commit f2c23a28319e359c642da2dde424456a1064763f -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Fri Oct 27 10:53:45 2023 +0000 - - ssh config - -commit 7d576842fb6f3c124db2b6deb5abfc095974a67f -Author: Patrick Schleizer -Date: 
Thu Oct 26 20:08:41 2023 -0400 - - bumped changelog version - -commit 7cff267002485fd0abca98d12b0024e061f4ba51 -Author: Patrick Schleizer -Date: Thu Oct 26 19:31:14 2023 -0400 - - remove duplicates - -commit 928cdb81d43dfd337c82917182d2914d9c9d0915 -Merge: a330a9fd 39fed058 -Author: Patrick Schleizer -Date: Thu Oct 26 19:29:55 2023 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 39fed058f4734029b303fac4ea9a1b11f652fab4 -Merge: 92a6ecc4 99355c61 -Author: Patrick Schleizer -Date: Thu Oct 26 19:27:41 2023 -0400 - - Merge pull request #140 from monsieuremre/patch-3 - - New lines in default permission config - -commit a330a9fd75314931639e7e873adc31c5cc65d555 -Author: Patrick Schleizer -Date: Thu Oct 26 19:20:21 2023 -0400 - - refactor permission-lockdown - -commit 8bf5ff82be706599f33228ecd6df42be0dc29f39 -Merge: 1123d231 92a6ecc4 -Author: Patrick Schleizer -Date: Thu Oct 26 19:15:04 2023 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 92a6ecc40a4d3bd4d8f3cec7dd9b1334c72399dc -Merge: ca9603af 91c44524 -Author: Patrick Schleizer -Date: Thu Oct 26 19:13:34 2023 -0400 - - Merge pull request #141 from monsieuremre/patch-4 - - New permission-lockdown - -commit 1123d23114201988ac3f5f50ab6e74a5307d3d52 -Author: Patrick Schleizer -Date: Thu Oct 26 18:45:07 2023 -0400 - - remount-secure: disable debugging to save space in initrd - -commit 91c445244c47c163e2466f8c4dff710eda20c337 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Thu Oct 26 19:41:07 2023 +0000 - - actually we do it once indeed - -commit 88f396264ca9d072e4e5de4e1acaee54f3b39749 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Thu Oct 26 19:35:59 2023 +0000 - - avoiding /etc/passwd - -commit b5ba03247a5b5bb1f4e010130e4a575ad1397117 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Thu Oct 26 19:31:25 2023 +0000 - - readability - -commit 
f487752ba1b469eb0b2f85657e2ee0860f58496b -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Thu Oct 26 19:30:58 2023 +0000 - - not limiting ourselves. we do not do this not just once. - -commit 88cd5a905d8aa0f6033ac4ba72903fbad4a90b4b -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Thu Oct 26 19:25:24 2023 +0000 - - strip unnecessary - -commit d9f10c221a2b6794f0a3c5bcd1c15e2a4f352751 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Thu Oct 26 18:17:50 2023 +0000 - - new permission-lockdown - -commit 99355c616974d167e3a5424d63cd56b1f64f0eaf -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Thu Oct 26 17:45:28 2023 +0000 - - new lines 30_default.conf - -commit ca9603af1713ff37392662c9d1b4251052e7b983 -Author: Patrick Schleizer -Date: Thu Oct 26 12:23:48 2023 -0400 - - bumped changelog version - -commit 5f4222c1c3d7fa057b31bba7b0b5c2e83c92a7be -Author: Patrick Schleizer -Date: Thu Oct 26 12:20:48 2023 -0400 - - enable SUID Disabler and Permission Hardener by default - - https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener - - https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706 - -commit e5d989af5ac2899985c48d60311856fb86e0ddeb -Author: Patrick Schleizer -Date: Thu Oct 26 12:04:13 2023 -0400 - - comment - -commit 8557e0963ed6159f7f6c816ad4e009cc7323a760 -Author: Patrick Schleizer -Date: Wed Oct 25 17:55:37 2023 -0400 - - bumped changelog version - -commit b7e2d49f5f3f49fab2e1c0647f10bda1921e0a80 -Author: Patrick Schleizer -Date: Wed Oct 25 17:41:05 2023 -0400 - - comment - -commit 5d71217e597aa3366658524ec5395c9f76dd527b -Merge: 6a22351d a2f811af -Author: Patrick Schleizer -Date: Wed Oct 25 17:40:13 2023 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 6a22351d298e475ecae22bb99249a308b294ff9a -Author: Patrick Schleizer -Date: Wed Oct 25 17:30:07 2023 -0400 - - renamed: 
usr/lib/sysctl.d/30_security-misc.conf -> usr/lib/sysctl.d/990-security-misc.conf - -commit b7c52800f4c16b1573e372089704a68fd47c5906 -Author: Patrick Schleizer -Date: Wed Oct 25 17:28:43 2023 -0400 - - renamed: etc/sysctl.d/30_security-misc.conf -> usr/lib/sysctl.d/30_security-misc.conf - renamed: etc/sysctl.d/30_security-misc_kexec-disable.conf -> usr/lib/sysctl.d/30_security-misc_kexec-disable.conf - renamed: etc/sysctl.d/30_silent-kernel-printk.conf -> usr/lib/sysctl.d/30_silent-kernel-printk.conf - -commit a2f811aff0cb4e73c3975093012c223127495707 -Merge: 3317332c ee6716e1 -Author: Patrick Schleizer -Date: Wed Oct 25 17:26:46 2023 -0400 - - Merge pull request #135 from monsieuremre/kernel-fix - - Kernel hardening fix - -commit ee6716e178806912da08b671ae31504ed2f3ac56 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Tue Oct 24 20:43:10 2023 +0000 - - security-misc.maintscript - -commit 3317332cb431115f81d832ba974181c74427c884 -Author: Patrick Schleizer -Date: Tue Oct 24 05:51:11 2023 -0400 - - bumped changelog version - -commit 42c802cd1eca3d2586abde871e4842cdf83490c4 -Merge: f3b40f12 5320c11f -Author: Patrick Schleizer -Date: Tue Oct 24 05:30:15 2023 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 5320c11f3f92b66b7dcab7ca1f67fcba2de5deba -Merge: f3b40f12 f0857fd5 -Author: Patrick Schleizer -Date: Tue Oct 24 05:22:33 2023 -0400 - - Merge pull request #134 from monsieuremre/patch-1 - - Fix double mount issue for /var/log and /var/tmp - -commit 1f489719efb37492b9c040ba4e332e8dd70fde1f -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Mon Oct 23 16:38:58 2023 +0000 - - rename - -commit 9dda6f69a7df792966005f9c6feb057483cd9ea4 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Mon Oct 23 16:38:40 2023 +0000 - - more rename - -commit 89381fe7abcc2f4418b95c3eb290c975bf6d612c -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Mon 
Oct 23 16:38:23 2023 +0000 - - rename - -commit f0857fd5608525115bd8a96c2f75368263f6f830 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Mon Oct 23 15:33:05 2023 +0000 - - Fix double mount issue for /var/log and /var/tmp - - Mounting var with bind and mounting a subdirectory causes /var/tmp and /var/log bind mounted twice each. can be checked with lsblk. When we bind mount var only after having mounted the subdirectories, everything is mounted only one. - -commit f3b40f12cb4bad0f2f00d4ba2dec59fb315c0798 -Author: Patrick Schleizer -Date: Sun Oct 22 19:23:22 2023 -0400 - - bumped changelog version - -commit d2e8a6dad3b94d574cb9c043303160b06893ab97 -Author: Patrick Schleizer -Date: Sun Oct 22 19:21:51 2023 -0400 - - debugging - -commit e7aafd64d4418d43426b310653861f9024a54255 -Author: Patrick Schleizer -Date: Sun Oct 22 19:16:12 2023 -0400 - - refactoring - -commit ee15f749bb4e68350498e52e8505bed43c98cbaf -Author: Patrick Schleizer -Date: Sun Oct 22 16:54:58 2023 -0400 - - bumped changelog version - -commit d521662d04892fb6d5477fa4450fb5488892a87a -Author: Patrick Schleizer -Date: Sun Oct 22 16:49:36 2023 -0400 - - comment - -commit 0e80acf38d430784fbb779f4f10c81bfe8a3813f -Author: Patrick Schleizer -Date: Sun Oct 22 16:45:10 2023 -0400 - - fix - -commit a1c3b87fcee07496af4b42e387b46488b58b73a0 -Author: Patrick Schleizer -Date: Sun Oct 22 16:29:08 2023 -0400 - - bumped changelog version - -commit f6d1346e2bde51cd70bc60246c0bfba923c00c3d -Author: Patrick Schleizer -Date: Sun Oct 22 16:22:08 2023 -0400 - - fix - -commit 9a649ddd091b116c9091f3fa582d411b5186375a -Author: Patrick Schleizer -Date: Sun Oct 22 16:16:40 2023 -0400 - - bumped changelog version - -commit 11382881b56556741fad5f0291ccb57a24e9c617 -Author: Patrick Schleizer -Date: Sun Oct 22 16:12:26 2023 -0400 - - comments - -commit 5182d7502b34a95fd751c69c4bc3f01d5f5e02b9 -Author: Patrick Schleizer -Date: Sun Oct 22 16:08:21 2023 -0400 - - improve remount-secure - -commit 
555d83792df9aa599ae9e0e7c41af49b0601c1c1 -Author: Patrick Schleizer -Date: Sun Oct 22 15:44:47 2023 -0400 - - bumped changelog version - -commit a88c0a3ad2d83fe72612faf97866e255c5527384 -Author: Patrick Schleizer -Date: Sun Oct 22 15:44:30 2023 -0400 - - fix - -commit 316282952f7d2470c89f268beea01b8bac9bb4bb -Author: Patrick Schleizer -Date: Sun Oct 22 15:40:59 2023 -0400 - - bumped changelog version - -commit a7629b98cf4e7f86bab07c2b75fa712adcd63ee5 -Author: Patrick Schleizer -Date: Sun Oct 22 15:40:49 2023 -0400 - - fix - -commit 7112eac3be014938f757e0c0def74bb04dc72d2f -Author: Patrick Schleizer -Date: Sun Oct 22 15:37:21 2023 -0400 - - output - -commit f80b5fe3767502f6890bdfb7bc32a602c94828d6 -Author: Patrick Schleizer -Date: Sun Oct 22 15:36:16 2023 -0400 - - fix - -commit ce0babce215dc4ec08101cff5e0d25ad6ec87e70 -Author: Patrick Schleizer -Date: Sun Oct 22 15:35:03 2023 -0400 - - comment - -commit fa0804b7ae46ecfc1e9e82ca83342c9d456aa9c3 -Author: Patrick Schleizer -Date: Sun Oct 22 15:33:21 2023 -0400 - - bumped changelog version - -commit 70cbe4daaa5cd857c49f2f9b9241f24e2867ab5a -Author: Patrick Schleizer -Date: Sun Oct 22 15:33:11 2023 -0400 - - fix - -commit 36f2acb93f65958b27bae030f1d2bd66a278e073 -Author: Patrick Schleizer -Date: Sun Oct 22 15:28:04 2023 -0400 - - bumped changelog version - -commit 9b9e9ce1c0feb4ca854189754c47ca826eef1c32 -Author: Patrick Schleizer -Date: Sun Oct 22 15:27:01 2023 -0400 - - fix - -commit 3731716a497c233127bff3febbe22d5cf088aad8 -Author: Patrick Schleizer -Date: Sun Oct 22 15:14:22 2023 -0400 - - fix - -commit eec87a0508a6242430a1f0b8ad341f4c3ea43059 -Author: Patrick Schleizer -Date: Sun Oct 22 15:11:26 2023 -0400 - - fix - -commit f3286cf440992661ba85b5c7e41b92ffaca62cf3 -Author: Patrick Schleizer -Date: Sun Oct 22 15:10:21 2023 -0400 - - fix - -commit eb90d38d8ca6d6292dbb8013bb9bca8ec26f4792 -Author: Patrick Schleizer -Date: Sun Oct 22 15:05:33 2023 -0400 - - fix - -commit f44020973897d98fdc21ced748ad64106979829e 
-Author: Patrick Schleizer -Date: Sun Oct 22 14:46:42 2023 -0400 - - bumped changelog version - -commit 7f03c2b13742e583e426c91ff4e111b6c0e7da43 -Author: Patrick Schleizer -Date: Sun Oct 22 14:45:45 2023 -0400 - - fix - -commit c85db586cadbe781704e62405a76e43650046d2c -Author: Patrick Schleizer -Date: Sun Oct 22 14:44:58 2023 -0400 - - improve - -commit 7c0ea4324aa1713f365f7352a3e4db1b703d9750 -Author: Patrick Schleizer -Date: Sun Oct 22 14:39:52 2023 -0400 - - fix - -commit b29b626b41545fd49b67631820ae40d0fe000f22 -Author: Patrick Schleizer -Date: Sun Oct 22 14:30:28 2023 -0400 - - bumped changelog version - -commit 6198ae317c4d8cbd06d95d5e2a585892f455cab6 -Author: Patrick Schleizer -Date: Sun Oct 22 14:29:02 2023 -0400 - - fix - -commit 245fad09868c2d84bee66d65ecca32704786919b -Author: Patrick Schleizer -Date: Sun Oct 22 14:00:06 2023 -0400 - - fix - -commit 619f1705e13232680f38bc630f19f2ace32f48ad -Author: Patrick Schleizer -Date: Sun Oct 22 13:58:55 2023 -0400 - - output - -commit 52fa7db0874be85a3db296499ab76f84a5f518db -Author: Patrick Schleizer -Date: Sun Oct 22 13:57:38 2023 -0400 - - output - -commit 8a592c2e371de1136d566e707ba56ce89309230a -Author: Patrick Schleizer -Date: Sun Oct 22 13:56:17 2023 -0400 - - fix remountsecure kernel parameter logic - -commit 3c183294cd8a402418eafc1e657c6524be49c487 -Author: Patrick Schleizer -Date: Sun Oct 22 13:31:55 2023 -0400 - - bumped changelog version - -commit e689f38ad0ba9727d482dbab25ea5d88e67a8edf -Author: Patrick Schleizer -Date: Sun Oct 22 13:31:44 2023 -0400 - - todo - -commit 6675a2e93194ea15daeb22bee707cf49563f69fe -Author: Patrick Schleizer -Date: Sun Oct 22 13:30:50 2023 -0400 - - fix - -commit 4288e10554f854d6dd9be092ddbf6a62686b1549 -Author: Patrick Schleizer -Date: Sun Oct 22 13:25:31 2023 -0400 - - fix, rework remount-secure kernel parameters parsing - -commit b0181af099a2bc20a6d8cc20e6e27371ecc50bf1 -Author: Patrick Schleizer -Date: Sun Oct 22 13:12:25 2023 -0400 - - fix - -commit 
28cb53341d48ece9e042caea03e7159b0f93c2ee -Author: Patrick Schleizer -Date: Sun Oct 22 13:11:44 2023 -0400 - - remount-secure dracut module: improve output - -commit f70f36e6cfead0038075d715e430e15aedae459f -Author: Patrick Schleizer -Date: Sun Oct 22 12:55:41 2023 -0400 - - bumped changelog version - -commit 479ab61a1d0c91d26c2cd200d97b39b2b786e073 -Author: Patrick Schleizer -Date: Sun Oct 22 12:55:20 2023 -0400 - - remove no longer required remount-service systemd unit - -commit 84ca0ac8a0b6a72a28e030081299b402749b9348 -Author: Patrick Schleizer -Date: Sun Oct 22 12:54:25 2023 -0400 - - improve remount-secure - -commit 1696c37251fe6158118ac3a694c2e11439de5c46 -Author: Patrick Schleizer -Date: Sun Oct 22 11:28:18 2023 -0400 - - bumped changelog version - -commit e7d30955e88b0a052e9159c11f4c1e1a47dadb49 -Author: Patrick Schleizer -Date: Sun Oct 22 11:28:08 2023 -0400 - - debugging - -commit 975a017dec26f671b7869ba4ad94b3a4d2faf999 -Author: Patrick Schleizer -Date: Sun Oct 22 11:13:05 2023 -0400 - - bumped changelog version - -commit 8eb4607a0e8c3db10f64e4ed5a02e87fd3ee8903 -Author: Patrick Schleizer -Date: Sun Oct 22 11:12:54 2023 -0400 - - improve - -commit f1da0ce7461fab2eeb421daa886ddd9856c9fd52 -Author: Patrick Schleizer -Date: Sun Oct 22 11:11:10 2023 -0400 - - fix - -commit 26826e8398c4d3feed07e8e3e095a87bbde9907a -Author: Patrick Schleizer -Date: Sun Oct 22 11:06:34 2023 -0400 - - fix - -commit a423b85f81e0c066271ad7db78902ccddbeabb5a -Author: Patrick Schleizer -Date: Sun Oct 22 10:50:30 2023 -0400 - - bumped changelog version - -commit 233fa4625bb60ef65c707d28e7c8a51ef5a1d66e -Author: Patrick Schleizer -Date: Sun Oct 22 10:49:53 2023 -0400 - - output - -commit 3ebe8cf4de5c77f26f93ac40bdc596c0c38451f5 -Author: Patrick Schleizer -Date: Sun Oct 22 10:41:42 2023 -0400 - - refactoring - -commit 24d2e26397e8f1e8e350fb60206ab1c5b597cbe6 -Author: Patrick Schleizer -Date: Sun Oct 22 10:40:19 2023 -0400 - - no longer reproducible - -commit 
fcba70df2e4e6c71fd29852d6f0b20f80e2e2d5e -Author: Patrick Schleizer -Date: Sun Oct 22 10:38:48 2023 -0400 - - refactoring - -commit a05bd3dd0e7319807fa7ea523407ec82ce8aa39c -Author: Patrick Schleizer -Date: Sun Oct 22 10:37:02 2023 -0400 - - /home last because most likely to fail - -commit 41077c94fbc1a0c90ee870292fe82e16a70b52f1 -Author: Patrick Schleizer -Date: Sun Oct 22 10:32:24 2023 -0400 - - improve remount-secure - -commit ef69e512bd2e2eba0e292470bfef6336216e2605 -Author: Patrick Schleizer -Date: Sun Oct 22 10:25:57 2023 -0400 - - refactoring - -commit d5cb7ecec9d10069e2e37a2f88680dff6d3f6eb6 -Author: Patrick Schleizer -Date: Sun Oct 22 10:22:21 2023 -0400 - - use findmnt - -commit 1120d0652ddead556801958973d61502b75f9fc7 -Author: Patrick Schleizer -Date: Sun Oct 22 10:16:53 2023 -0400 - - bumped changelog version - -commit 45ce0ff74d8f42d6a424e0742989008403891f8a -Author: Patrick Schleizer -Date: Sun Oct 22 10:16:43 2023 -0400 - - debugging - -commit b81a991731e912fa0f7d4ca59b0531bafb02a25a -Author: Patrick Schleizer -Date: Sun Oct 22 10:15:11 2023 -0400 - - fix - -commit 292a5c3a8a37bc9dd807913bd76826e57e978b67 -Author: Patrick Schleizer -Date: Sun Oct 22 10:11:31 2023 -0400 - - fix - -commit bb57b1a289cc64cc5b2ab5518c151df5355a9f29 -Author: Patrick Schleizer -Date: Sun Oct 22 10:10:51 2023 -0400 - - fix - -commit 4f6f45fb3902f6c49d01b5ccb33a4e24804cd02a -Author: Patrick Schleizer -Date: Sun Oct 22 10:01:54 2023 -0400 - - bumped changelog version - -commit 181a6424796b1cafc87a8d74aad197135381a389 -Author: Patrick Schleizer -Date: Sun Oct 22 10:01:38 2023 -0400 - - root check - -commit 84fd41931ce3ba4d6e3785dc8052ee14ce62b80e -Author: Patrick Schleizer -Date: Sun Oct 22 09:44:17 2023 -0400 - - /var/run -> /run - -commit 33d97a2560fe4aaab24f90057e825802541a408b -Author: Patrick Schleizer -Date: Sun Oct 22 09:39:54 2023 -0400 - - improve output of remount-secure dracut module - -commit c409e3221e179437ed0b162dde1e72cd116ba795 -Author: Patrick Schleizer -Date: 
Sun Oct 22 09:36:03 2023 -0400 - - implement remount-secure - -commit f472ce690ae350085d40cfd5ec46084dc559a51d -Author: Patrick Schleizer -Date: Sun Oct 22 08:57:35 2023 -0400 - - comments - -commit 90f2b5e11c341c38bb0b11db603ceeba28e14b1c -Author: Patrick Schleizer -Date: Sun Oct 22 08:51:37 2023 -0400 - - code simplification - -commit 167683ce763e97838e62950f00313b63d7c968b0 -Author: Patrick Schleizer -Date: Sun Oct 22 08:50:57 2023 -0400 - - code simplification - -commit 05e9accf64a3a6bfa24aac7aaa62620f814b05d1 -Author: Patrick Schleizer -Date: Sun Oct 22 08:12:30 2023 -0400 - - bumped changelog version - -commit e065f85c8809d04a9a4c041dd8b9b81bacd04e24 -Author: Patrick Schleizer -Date: Sun Oct 22 08:10:48 2023 -0400 - - add remount-secure dracut module - -commit f0ee470ecd0fc37125165dd6a5cefb47339b14b4 -Author: Patrick Schleizer -Date: Sun Oct 22 07:51:05 2023 -0400 - - comment - -commit e257f2a3806ba7013e8e47005fde1385044bc8d9 -Author: Patrick Schleizer -Date: Sun Oct 22 07:50:14 2023 -0400 - - remount-secure: - no longer use /usr/libexec/helper-scripts/pre.bsh as not simple with dracut - -commit 27b3ba8bdf2556066a4be02cd1be9a4451a591b2 -Author: Patrick Schleizer -Date: Sun Oct 22 07:06:00 2023 -0400 - - bumped changelog version - -commit ed11c68ac64c1ec4eaa590dbb56734d450c89b04 -Author: Patrick Schleizer -Date: Sun Oct 22 06:51:52 2023 -0400 - - move remount-secure to /usr/bin/remount-secure to make it easier to manually run - -commit 6f4bf57ff2bc878f03a50d91a5db0afaf897d70e -Author: Patrick Schleizer -Date: Sun Oct 22 06:48:56 2023 -0400 - - `remount-secure`: add support for `--force`; output - -commit 6dec5cb1d6b841bc6ea92986d6567902109f5ed0 -Author: Patrick Schleizer -Date: Sun Oct 22 06:32:19 2023 -0400 - - debugging - -commit bc768aa196a08218aac0b6ef1c4ca013f2034122 -Author: Patrick Schleizer -Date: Sun Oct 22 06:31:57 2023 -0400 - - output - -commit c069c73109b45fbb8fa230ad4f90f4252db730f2 -Author: Patrick Schleizer -Date: Sun Oct 22 06:29:38 2023 -0400 
- - refactoring - -commit abc35927345e14bbe4b9f13d205a648ce7a8bd8d -Author: Patrick Schleizer -Date: Sun Oct 22 06:23:48 2023 -0400 - - remount-secure: stricter error handling - -commit 59a5fea25d0b0c39a6e7b3b11f9242ebe5eaa462 -Author: Patrick Schleizer -Date: Sun Oct 22 05:41:56 2023 -0400 - - documentation - -commit ac63b0eb3db3d168908459fecd6b3275cce015bc -Author: Patrick Schleizer -Date: Sun Oct 22 05:41:11 2023 -0400 - - remove duplicate - -commit ef3f1575733c668f652326cdb4f4fba8c71bf0ed -Author: Patrick Schleizer -Date: Sat Oct 21 14:19:24 2023 -0400 - - bumped changelog version - -commit ae2c1c5a7a02a5f3f6a8bcd4a90fdc9e3b512e62 -Author: Patrick Schleizer -Date: Sat Oct 21 14:18:50 2023 -0400 - - fix xession environment variable - -commit 43375fa1f4d32f04907edf1297fef737342b49ea -Author: Patrick Schleizer -Date: Sat Oct 21 12:34:59 2023 -0400 - - bumped changelog version - -commit d543825d85a5d84274c21cd85db6df777948606e -Author: Patrick Schleizer -Date: Sat Oct 21 12:24:59 2023 -0400 - - comments - -commit dd43ab634d9ab0a59234798e1b14ba99099c65c9 -Author: Patrick Schleizer -Date: Fri Oct 13 15:22:58 2023 -0400 - - bumped changelog version - -commit 645ee814e4f3dc330dd6fb24ec4fac0e278c4f42 -Author: Patrick Schleizer -Date: Fri Oct 13 15:22:48 2023 -0400 - - fix - -commit 13a4f37e50805a0e51b8f63808e166318e39a074 -Author: Patrick Schleizer -Date: Thu Oct 12 12:51:37 2023 -0400 - - bumped changelog version - -commit 2d4524108445829d7ac80e828e9a1442cf038a6b -Author: Patrick Schleizer -Date: Thu Oct 12 11:37:01 2023 -0400 - - avoid duplicate environment variables - -commit e96e6aa38e29888a64fa35f85becc1596118a812 -Author: Patrick Schleizer -Date: Thu Oct 12 10:43:40 2023 -0400 - - bumped changelog version - -commit fa820e897895eda93011a0f2bbd915ffffcb1459 -Author: Patrick Schleizer -Date: Thu Oct 12 10:40:27 2023 -0400 - - refactoring environment variables loading mechanism - -commit 358e4226f1b3db32e560e4bbe1c663828eac7059 -Author: Patrick Schleizer -Date: Mon 
Jul 17 11:48:35 2023 -0400 - - bumped changelog version - -commit 81ad786dfcdd416056c6ae8a9d02231bda6fcbde -Author: Patrick Schleizer -Date: Mon Jul 17 11:19:07 2023 -0400 - - Kicksecure - -commit ab56b7ca0cf1a2cb6bc19514750ca618f4ebb7fe -Author: Patrick Schleizer -Date: Mon Jul 17 11:10:05 2023 -0400 - - Kicksecure - -commit 29aaf13c13ec1023d33e84442db0f5afeaa4436d -Author: Patrick Schleizer -Date: Fri Jun 23 08:18:12 2023 +0000 - - bumped changelog version - -commit 8a6baea99017fd971ae4a5e89599b87bc945b276 -Author: Patrick Schleizer -Date: Thu Jun 22 16:16:15 2023 +0000 - - comment - -commit 609c8c0697ecf3414e38de9d32dc367a25172802 -Author: Patrick Schleizer -Date: Wed Jun 21 09:36:44 2023 +0000 - - bumped changelog version - -commit 94a326ec7ff8704be224e76b2f3f9c2a12cbd4a7 -Author: Patrick Schleizer -Date: Wed Jun 21 09:11:31 2023 +0000 - - bookworm - -commit b610cdcbcd85ee4c433a3df0662e225b52b592cd -Author: Patrick Schleizer -Date: Fri Jun 16 11:09:02 2023 +0000 - - bumped changelog version - -commit 0c56d3d9d2dd1b40b07226b70d3d1b9343757d1a -Author: Patrick Schleizer -Date: Fri Jun 16 10:49:05 2023 +0000 - - readme - -commit 63599a09d795d82b0f069f88d73fd607129af0ef -Author: Patrick Schleizer -Date: Wed Jun 14 09:59:20 2023 +0000 - - bumped changelog version - -commit 25760f70246dd07376465d9a4222098fd24b8516 -Author: Patrick Schleizer -Date: Tue Jun 13 08:34:41 2023 +0000 - - bookworm - -commit be990188f56f059585cf70589de03afb992b9ea2 -Author: Patrick Schleizer -Date: Mon Jun 12 18:01:55 2023 +0000 - - bumped changelog version - -commit 07b3ce0bcdb6ddb72c7064f527ff4d6250b54ad2 -Author: Patrick Schleizer -Date: Mon Jun 12 16:22:32 2023 +0000 - - Standards-Version: 4.6.1.0 - -commit 4e28ace103e11373d1b5cf5de8be6b1f94c567ce -Author: Patrick Schleizer -Date: Mon May 15 17:31:59 2023 +0000 - - bumped changelog version - -commit b11a336b4ff6c748d20aade6e98b25c251bd8c8e -Merge: c921d4e9 b0b73db3 -Author: Patrick Schleizer -Date: Mon May 15 16:58:11 2023 +0000 - - Merge 
remote-tracking branch 'github-kicksecure/master' - -commit b0b73db3c84f8cc7594b6b181e0e495cd7e92571 -Merge: c921d4e9 cf003dfa -Author: Patrick Schleizer -Date: Mon May 15 12:57:46 2023 -0400 - - Merge pull request #126 from raja-grewal/Comment - - Update comments - -commit cf003dfad85434f5a52524fdd97a7f619ba82429 -Author: Raja Grewal -Date: Tue May 16 02:11:44 2023 +1000 - - Update comments - -commit c921d4e915af50dd1773016b0015be584e1e3f5f -Author: Patrick Schleizer -Date: Mon May 15 11:56:30 2023 +0000 - - bumped changelog version - -commit 39676395f814007f74ce1edb0aee0ada4d4fa478 -Merge: 6511dac1 1f38fcfe -Author: Patrick Schleizer -Date: Mon May 15 11:34:57 2023 +0000 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 1f38fcfefa1ccd732e4500522cc0978bda69ab0b -Merge: d66a9bac 6ab400c9 -Author: Patrick Schleizer -Date: Mon May 15 07:34:16 2023 -0400 - - Merge pull request #125 from JeremyRand/typo - - mmap-rnd-bits: Fix typo in error message - -commit d66a9bac551e7544eed592a69f576d27880e2bf3 -Merge: 6511dac1 9d23717b -Author: Patrick Schleizer -Date: Mon May 15 07:34:00 2023 -0400 - - Merge pull request #124 from JeremyRand/doc-aslr - - README: Document mmap-rnd-bits - -commit 6ab400c9d982bde16271052f181c87255046037e -Author: Jeremy Rand -Date: Tue May 9 10:55:31 2023 +0000 - - mmap-rnd-bits: Fix typo in error message - -commit 9d23717b6d3f94d8fad5ab00628dcbf41fa2cab5 -Author: Jeremy Rand -Date: Mon May 8 13:45:18 2023 +0000 - - README: Document mmap-rnd-bits - -commit 6511dac1d4aea1800ce8e51d1f6cdbae4d31e10c -Author: Patrick Schleizer -Date: Sat May 6 12:00:12 2023 +0000 - - bumped changelog version - -commit 0c10b3f0383d69c2d504b3e346da68b056d1dca8 -Author: Patrick Schleizer -Date: Sat May 6 11:59:59 2023 +0000 - - output - -commit a815c9b9867b0ec56737e60eb1dfeec6a57af6f1 -Author: Patrick Schleizer -Date: Sat May 6 11:54:31 2023 +0000 - - bumped changelog version - -commit 5d4d04a2ebeeea7e096c1680779f2897a03838c6 -Author: Patrick Schleizer 
-Date: Sat May 6 11:54:00 2023 +0000 - - output - -commit 2d465c624975cc2ca308878e0ef1508316d3316e -Author: Patrick Schleizer -Date: Sat May 6 11:51:25 2023 +0000 - - refactoring - -commit b756314eb894dde4d017e0aec5876b56f0178de4 -Author: Patrick Schleizer -Date: Fri May 5 15:09:32 2023 +0000 - - bumped changelog version - -commit 014a28ba07406e5d69f86e90ddb8a27b3778c3a8 -Author: Patrick Schleizer -Date: Fri May 5 15:04:21 2023 +0000 - - comment - -commit ec01c1a99630f44a73763b019a1bad6dc52bbf4e -Author: Patrick Schleizer -Date: Fri May 5 15:02:31 2023 +0000 - - minor mmap-rnd-bits improvements - -commit 3dc406f138ee3dc81b54db2c8c4b795fc6b7c9d5 -Author: Patrick Schleizer -Date: Fri May 5 15:01:22 2023 +0000 - - minor - -commit 40e940ec58928049bb38b85d15beaead80740192 -Author: Patrick Schleizer -Date: Fri May 5 14:54:24 2023 +0000 - - minor mmap-rnd-bits improvements - -commit f4fd0f90120e8983b37bc5822cf98a215d25990e -Author: Patrick Schleizer -Date: Fri May 5 14:53:07 2023 +0000 - - minor mmap-rnd-bits improvements - -commit a8e4121befe19bb7d2f74582655a14bded23a37d -Author: Patrick Schleizer -Date: Fri May 5 14:52:07 2023 +0000 - - minor mmap-rnd-bits improvements - -commit 9184e6bb921a9c7356e8d2c7216a1da91f963304 -Author: Patrick Schleizer -Date: Fri May 5 14:51:19 2023 +0000 - - fix - -commit 89168ef40ce713b27974e4e38f6e3e63646d78bc -Author: Patrick Schleizer -Date: Fri May 5 14:49:56 2023 +0000 - - minor mmap-rnd-bits improvements - -commit d6d79e96c9a3f25b75d92a46dc97d6191d6ac691 -Author: Patrick Schleizer -Date: Fri May 5 14:44:29 2023 +0000 - - minor mmap-rnd-bits improvements - -commit 15d0ee100834e01e3f17ee179c3120f37eb3cae5 -Merge: 1137e6c9 2d40bbc8 -Author: Patrick Schleizer -Date: Fri May 5 14:37:34 2023 +0000 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 2d40bbc8fec7ceea47b64fdebc9e751b26e0cf27 -Merge: 5c6db288 48a68ba2 -Author: Patrick Schleizer -Date: Fri May 5 10:14:43 2023 -0400 - - Merge pull request #120 from 
JeremyRand/aslr-ppc64le - - vm.mmap_rnd_bits: Fix ppc64le - -commit 48a68ba237895c0c6c24ebd256ae6a9adec2628f -Author: Jeremy Rand -Date: Sat Apr 22 04:43:41 2023 +0000 - - mmap-rnd-bits: Handle unwritable /etc/sysctl.d/ - -commit 434cfb427f739258bd3280ce148cdbe85c800f8a -Author: Jeremy Rand -Date: Sat Apr 22 04:36:05 2023 +0000 - - mmap-rnd-bits: Check that configs are valid integers - -commit 76ca8a27f94d89ed783b900257934c0749e631ce -Author: Jeremy Rand -Date: Sat Apr 22 04:29:14 2023 +0000 - - mmap-rnd-bits: Handle missing kernel config file - -commit 2cf105700a98297f65026e43b435fe017a04ba07 -Author: Jeremy Rand -Date: Sat Apr 22 04:08:20 2023 +0000 - - postinst: Don't fail if mmap-rnd-bits fails - -commit 61f63255acdf942e52af35d7f6d1c271a671e6f7 -Author: Jeremy Rand -Date: Fri Mar 24 12:32:58 2023 +0000 - - vm.mmap_rnd_bits: Fix ppc64le - - Probably fixes a bunch of other non-x86_64 arches too. - -commit 5c6db28881463e8c764872a8cd268c23ac64b8f1 -Merge: 8a34d6c0 ed5f8be9 -Author: Patrick Schleizer -Date: Fri Mar 31 04:52:55 2023 -0400 - - Merge pull request #122 from raja-grewal/tcp - - Remove outdated comment about SACK, DSACK, and FACK - -commit 8a34d6c067bdebc513f34cd3c434b0675f118e10 -Merge: 1137e6c9 7a4212dd -Author: Patrick Schleizer -Date: Fri Mar 31 04:52:18 2023 -0400 - - Merge pull request #121 from raja-grewal/copyright - - Update Copyright - -commit ed5f8be9ebd4f34c8b8de78abe0a8df0775b80aa -Author: Raja Grewal -Date: Thu Mar 30 19:17:43 2023 +1100 - - Remove outdated comment about SACK, DSACK, and FACK - -commit 7a4212dd76c866e1db4dd4875e51c0d49bb3574d -Author: Raja Grewal -Date: Thu Mar 30 17:08:47 2023 +1100 - - Update copyright - -commit 1137e6c9104565b8f7546a9a5450ec2c2330efb7 -Author: Patrick Schleizer -Date: Mon Jan 30 05:58:47 2023 -0500 - - bumped changelog version - -commit 8c3204a5e42b0c4dc6ff9c66568ac78abc4dbd47 -Author: Patrick Schleizer -Date: Wed Jan 25 15:20:30 2023 -0500 - - comment - -commit 65c29f493b56798bc67de7ea451f8f65d99d3093 
-Author: Patrick Schleizer -Date: Wed Jan 25 15:13:19 2023 -0500 - - move kexec disabling to dedicated file `/etc/sysctl.d/30_security-misc_kexec-disable.conf` - - so ram-wipe can `config-package-dev` `hide` this config file - -commit 56c7c57b3a3929f57c9173f9156b2b9f7f7f854e -Author: Patrick Schleizer -Date: Tue Jan 24 07:09:40 2023 -0500 - - bumped changelog version - -commit b87d9eb86544a7f06772a0db803711b49ec3f554 -Author: Patrick Schleizer -Date: Tue Jan 24 07:08:13 2023 -0500 - - lintian - -commit a4820086508a64156aa222d61d5f0f88bf56fb3e -Author: Patrick Schleizer -Date: Tue Jan 24 07:05:53 2023 -0500 - - bumped changelog version - -commit 7bda2ad3e8f30668428e054f57613d7c2ed2a4d6 -Author: Patrick Schleizer -Date: Tue Jan 24 06:34:17 2023 -0500 - - move ram-wipe scripts to dedicated ram-wipe package - -commit 11d0bb2c006eb7add5f9b0e70a199098972af25e -Author: Patrick Schleizer -Date: Mon Jan 9 07:05:18 2023 -0500 - - bumped changelog version - -commit c50665218776733919845044b39466c57117542d -Author: Patrick Schleizer -Date: Mon Jan 9 07:05:06 2023 -0500 - - fix - -commit b3d85f115cf486f4a2805d954ba6dd741817dd71 -Author: Patrick Schleizer -Date: Mon Jan 9 07:02:01 2023 -0500 - - bumped changelog version - -commit 6faa050dd8d26bd6436688b32bbc7a6515f9cb14 -Author: Patrick Schleizer -Date: Mon Jan 9 06:54:04 2023 -0500 - - migrate ram-wipe to dedicated package - -commit ad5d0d4b12e73b74166aafb5c34252f1e1af1854 -Author: Patrick Schleizer -Date: Mon Jan 9 06:37:45 2023 -0500 - - disable kexec (revert enabling kexec) - - remove kexec-utils for ram-wipe since moved to its own package - -commit 87c4e77c017aba7d57ae1fc7cf41a1f3143f1a04 -Author: Patrick Schleizer -Date: Mon Jan 9 06:23:00 2023 -0500 - - migrate to ram-wipe package - -commit 3867acf723f26416a047260010518829adcefc03 -Author: Patrick Schleizer -Date: Mon Jan 9 05:34:48 2023 -0500 - - bumped changelog version - -commit d769099db1dbf90350838430cda2de7196076c5d -Author: Patrick Schleizer -Date: Mon Jan 9 
05:34:07 2023 -0500 - - use warn instead of info for now - - because dracut does not show info messages when kernel parameter quiet is set - -commit 7fa6946694a997e04b17ecb3a167d767543093a2 -Author: Patrick Schleizer -Date: Sun Jan 8 07:17:02 2023 -0500 - - bumped changelog version - -commit f3b84e15be40ef64969b70bc62ab4bf8d40352b6 -Author: Patrick Schleizer -Date: Sun Jan 8 07:16:18 2023 -0500 - - refactoring - -commit 96d6ca7ae01d537ab972798417b9453d57c03cd7 -Author: Patrick Schleizer -Date: Sun Jan 8 07:09:09 2023 -0500 - - improve kernel and initrd file detection - -commit 8367b27a0df2e6ea5bc2d57d1520cfdd2f4d35e2 -Author: Patrick Schleizer -Date: Sun Jan 8 07:08:18 2023 -0500 - - output - -commit da0fc9f5bd5d1551f46fb5625010b317d30274b3 -Author: Patrick Schleizer -Date: Sun Jan 8 07:07:43 2023 -0500 - - improve kernel and initrd file detection - -commit 5b11eecaecdec7487224b90708da82c10ccc4d63 -Author: Patrick Schleizer -Date: Sun Jan 8 06:45:10 2023 -0500 - - refactoring - -commit e81dd6cd25f58871c1f6b4a082f81eec34a518b5 -Author: Patrick Schleizer -Date: Sat Jan 7 18:13:57 2023 -0500 - - bumped changelog version - -commit 938b87d26c195b6804796d4fa6050a453278700c -Author: Patrick Schleizer -Date: Sat Jan 7 18:06:10 2023 -0500 - - comment - -commit 0b1310a21944939d94de18d8ac6d494446d23d0c -Author: Patrick Schleizer -Date: Sat Jan 7 18:05:47 2023 -0500 - - output - -commit 2fd302f580509842d290b2b0a27079dca445d5cd -Author: Patrick Schleizer -Date: Sat Jan 7 18:02:21 2023 -0500 - - output - -commit 921bc3e867411e5a96ca3e4641a7501038cf5139 -Author: Patrick Schleizer -Date: Sat Jan 7 17:49:24 2023 -0500 - - bumped changelog version - -commit 080abe574ba10b8365587a1c89085efe88f210ee -Author: Patrick Schleizer -Date: Sat Jan 7 17:48:21 2023 -0500 - - output - -commit 5689c07f97d2775b9445f75a10554e70875a5636 -Author: Patrick Schleizer -Date: Sat Jan 7 17:37:46 2023 -0500 - - comment - -commit 8e2db269b01e5d3c28346dd7713074a346fa3e72 -Author: Patrick Schleizer -Date: Sat 
Jan 7 17:36:51 2023 -0500 - - cleanup - -commit a07af631559e9c9312c263826969b5b028509a2e -Author: Patrick Schleizer -Date: Sat Jan 7 17:35:56 2023 -0500 - - output - -commit 1d22ebde08984968deb143dab244a2b6e30d45e9 -Author: Patrick Schleizer -Date: Sat Jan 7 17:23:35 2023 -0500 - - bumped changelog version - -commit 539156c0dad74c584adb02beacdcf7a3a9b8b982 -Author: Patrick Schleizer -Date: Sat Jan 7 17:23:25 2023 -0500 - - drop_caches - -commit 02f44459ad194444122e98a9f743c2725edb4e43 -Author: Patrick Schleizer -Date: Sat Jan 7 17:22:45 2023 -0500 - - DRACUT_QUIET=no - -commit abbaea582de898e48a852a0a153fe336341afe17 -Author: Patrick Schleizer -Date: Sat Jan 7 17:16:23 2023 -0500 - - bumped changelog version - -commit ab89d0e06e68fa47fa4058416a6c8700551f1b9a -Author: Patrick Schleizer -Date: Sat Jan 7 16:59:00 2023 -0500 - - cleanup - -commit 2e833b40a1af1f194ec392ff0c05b0060bb27fe8 -Author: Patrick Schleizer -Date: Sat Jan 7 16:43:09 2023 -0500 - - prevent "wait: pid 55 is not a child of this shell" - -commit 3777ecba8568cf5458b05b3eeedf98f0ba51cd69 -Author: Patrick Schleizer -Date: Sat Jan 7 16:34:19 2023 -0500 - - comment - -commit e0ded5e69d38a02f9896277a67c0d209e4ee4ad4 -Author: Patrick Schleizer -Date: Sat Jan 7 16:34:04 2023 -0500 - - comment - -commit 996c6af2d84cf23f323ca80c04fab26beea2aa1b -Author: Patrick Schleizer -Date: Sat Jan 7 16:31:23 2023 -0500 - - lower debugging - -commit 4fca8f4225f134316e734d5f85d12b9e39b99b0f -Author: Patrick Schleizer -Date: Sat Jan 7 16:28:11 2023 -0500 - - comment - -commit fa579cad8980c8d9231a9e2682267910544be175 -Author: Patrick Schleizer -Date: Sat Jan 7 16:20:48 2023 -0500 - - bumped changelog version - -commit c9107bb044e3038d837e371aa7467edcedbbdb16 -Author: Patrick Schleizer -Date: Sat Jan 7 16:11:48 2023 -0500 - - debugging - -commit b7bb24f984cb5669d9cc9b3522ee57a05070cef9 -Author: Patrick Schleizer -Date: Sat Jan 7 16:09:11 2023 -0500 - - description - -commit 2bd9cc5bc1ac94d039a7e515d3a839af820fb4be -Author: 
Patrick Schleizer -Date: Sat Jan 7 16:08:12 2023 -0500 - - output - -commit 2456fed3614268abfb238f3a0783719adb45b711 -Author: Patrick Schleizer -Date: Sat Jan 7 16:00:42 2023 -0500 - - output - -commit c0b5fea6806ea07b667a341b2400aacb7191b27f -Author: Patrick Schleizer -Date: Sat Jan 7 15:59:52 2023 -0500 - - protect against wipe RAM reboot loop - -commit c1b87d250c4e5decd726e7fd67b482ff1eaecbf1 -Author: Patrick Schleizer -Date: Sat Jan 7 15:37:47 2023 -0500 - - bumped changelog version - -commit 91aedb234aa7c516dca8016f6b82536cfe25f410 -Author: Patrick Schleizer -Date: Sat Jan 7 15:36:36 2023 -0500 - - output - -commit 368ad8e636ae30eb60c8f2c6ce7117970a77c021 -Author: Patrick Schleizer -Date: Sat Jan 7 15:36:05 2023 -0500 - - cleanup - -commit d8bf40f7a28f53f2f51c41b77663e5a40a5d8fb4 -Author: Patrick Schleizer -Date: Sat Jan 7 15:35:45 2023 -0500 - - refactoring - -commit 166a6863a1c249e68e3f38109b115503bc5663ec -Author: Patrick Schleizer -Date: Sat Jan 7 15:35:15 2023 -0500 - - output - -commit 20596488be39f92f069523a3d86c0e6b6ec15399 -Author: Patrick Schleizer -Date: Sat Jan 7 15:34:20 2023 -0500 - - long options - -commit 1e19c2cbad8cdf97f6bb460c90cfa330492b8019 -Author: Patrick Schleizer -Date: Sat Jan 7 15:32:25 2023 -0500 - - Depends: kexec-tools - - required for cold boot attack defense second RAM wipe after reboot - -commit b0630f58c136d6c7a964447806ec8ee603a73aa8 -Author: Patrick Schleizer -Date: Sat Jan 7 15:24:05 2023 -0500 - - debugging - -commit dde01f36634337a24d0cd37cfe5a456ff77e8b0e -Author: Patrick Schleizer -Date: Sat Jan 7 15:23:23 2023 -0500 - - long options - -commit 6e0926eece54a55502fa67c2abedf5b718e306e6 -Author: Patrick Schleizer -Date: Sat Jan 7 15:22:58 2023 -0500 - - long options - -commit 51a5f68c7654774d37986916029607da588189ab -Author: Patrick Schleizer -Date: Sat Jan 7 15:22:25 2023 -0500 - - refactoring - -commit 83800fcb4fd365aab58a5f70f78f39af7d9371dc -Author: Patrick Schleizer -Date: Sat Jan 7 15:18:58 2023 -0500 - - --no-legend 
- -commit 822cf646182f8ff649ea08da2fd4365022871a61 -Author: Patrick Schleizer -Date: Sat Jan 7 15:13:36 2023 -0500 - - output - -commit bb2f0a3c4421e3686477a6dff81bb87d5dcd836f -Author: Patrick Schleizer -Date: Sat Jan 7 15:12:15 2023 -0500 - - minor - -commit c3a822af0e9c8bb6c9b34b732ba48710e3ee1974 -Author: Patrick Schleizer -Date: Sat Jan 7 15:09:25 2023 -0500 - - test if readable - -commit 227871c12c57ecc5ff6d4075ea59a7dc9eca3dd3 -Author: Patrick Schleizer -Date: Sat Jan 7 15:07:34 2023 -0500 - - output - -commit c09f4da1922f40f666dae0570295b5ab5c02e8a9 -Author: Patrick Schleizer -Date: Sat Jan 7 15:06:56 2023 -0500 - - code simplification - -commit 01fee8a7b4a12c8c2be4173337decc37ec3e6019 -Author: Patrick Schleizer -Date: Sat Jan 7 15:06:31 2023 -0500 - - refactoring - -commit f675f8da0d33ab18efa782ee155a8632e9a3dc0f -Author: Patrick Schleizer -Date: Sat Jan 7 15:05:58 2023 -0500 - - quotes - -commit d0daf75db3529e206565604a63e11ee1268ed39b -Author: Patrick Schleizer -Date: Sat Jan 7 15:05:24 2023 -0500 - - quotes - -commit 8bcf7e3c235c1193f3a6d43a7c8b23b50e972de7 -Author: Patrick Schleizer -Date: Sat Jan 7 15:04:57 2023 -0500 - - minor - -commit 2cc3c6c59ca88cf44751bc2e9bb7055b46102284 -Author: Patrick Schleizer -Date: Sat Jan 7 15:04:42 2023 -0500 - - lower debugging - -commit 10932bb5d83c469f556b46f42ee517e882d87a4f -Author: Patrick Schleizer -Date: Sat Jan 7 15:04:23 2023 -0500 - - minor - -commit c88e95ce33f30f67726ac086c1b8d020b1024ebc -Author: Patrick Schleizer -Date: Sat Jan 7 15:04:07 2023 -0500 - - output - -commit 06034d2e4f97712fc84ad75e3fa8ba6bf4fccfee -Author: Patrick Schleizer -Date: Sat Jan 7 15:03:06 2023 -0500 - - fix - -commit 059ebb212d03f5d01d46362530702dbeaefdce5e -Author: Patrick Schleizer -Date: Sat Jan 7 14:35:30 2023 -0500 - - comment - -commit c0304ec029198665aaf63c843f5b7d5567f95208 -Author: Patrick Schleizer -Date: Sat Jan 7 14:35:09 2023 -0500 - - minor - -commit d5271d6250f0f6ea5adf7bc71fc48fddab1a9af4 -Author: Patrick Schleizer 
-Date: Sat Jan 7 14:31:40 2023 -0500 - - bumped changelog version - -commit d31c17ea047fbbd698ad9f074a00d6fba2aaf283 -Author: Patrick Schleizer -Date: Sat Jan 7 14:31:14 2023 -0500 - - fix - -commit 41d116aa2f6d5ab33a1d5889f6ae251e5b8b5538 -Author: Patrick Schleizer -Date: Sat Jan 7 14:30:12 2023 -0500 - - lintian - -commit e83ba18553832134b2f6da6ce98b0ee0c852961e -Author: Patrick Schleizer -Date: Sat Jan 7 14:29:12 2023 -0500 - - minor - -commit 53ab93d8f6553eab1682290d42faf0d466f06219 -Author: Patrick Schleizer -Date: Sat Jan 7 14:27:42 2023 -0500 - - bumped changelog version - -commit bb121e52bbab151b2104f1a333cabc3889ef47b0 -Author: Patrick Schleizer -Date: Sat Jan 7 14:27:22 2023 -0500 - - chmod +x - -commit 42ab341a58de4c54b20b8f6dc4e048ce61068cf4 -Author: Patrick Schleizer -Date: Sat Jan 7 12:57:36 2023 -0500 - - bumped changelog version - -commit d37b19fb6bb3cadbb74d011be026fd8d2653ac17 -Author: Patrick Schleizer -Date: Sat Jan 7 12:55:05 2023 -0500 - - comment - -commit 0367250dc74f9e6ec38f9da5809ff661493134a8 -Author: Patrick Schleizer -Date: Sat Jan 7 12:54:35 2023 -0500 - - comment - -commit c1df2fd601f3445a0a811a679efa7d2176026558 -Author: Patrick Schleizer -Date: Sat Jan 7 12:52:14 2023 -0500 - - comment - -commit c2b20603fdd62a3f82c842c7ebeaad0f70e005d0 -Author: Patrick Schleizer -Date: Sat Jan 7 12:49:18 2023 -0500 - - output - -commit 999a82ed946c8fd57654a0a90e2a2e53ef98a788 -Author: Patrick Schleizer -Date: Sat Jan 7 12:46:21 2023 -0500 - - output - -commit 2860560edb7951a8ac9de1c23c9655c655b40f23 -Author: Patrick Schleizer -Date: Sat Jan 7 12:43:07 2023 -0500 - - minor - -commit 450ff378b067070618e4a972f8131acac5b292e0 -Merge: 929f49f3 b8e82fff -Author: Patrick Schleizer -Date: Sat Jan 7 12:38:14 2023 -0500 - - Merge remote-tracking branch 'friedy10/master' - -commit b8e82fffca0138afaf20e1b2faf755ce1533af45 -Author: Friedrich Doku -Date: Sat Jan 7 11:31:02 2023 -0500 - - Get rid of /dev/kmsg - -commit 78a4fad6674bb11fa682b908e0d3bc63705e7d20 
-Author: Friedrich Doku -Date: Sat Jan 7 11:14:31 2023 -0500 - - Change echo to info. Included more reliable way of getting initrd and kernel. Allow user custom kexec - -commit 8da3b9c40c6ee073addcc06d5227b3043438b768 -Author: Friedrich Doku -Date: Fri Jan 6 21:40:17 2023 -0500 - - fix last line - -commit 7cf51a1b433bfb2ccf4fa14b7807184e9e3681c5 -Author: Friedrich Doku -Date: Fri Jan 6 21:32:57 2023 -0500 - - Checking job queue instead of dbus - -commit 4b7053a6353cf0e092a6ef712e955b4318671bfc -Author: Friedrich Doku -Date: Fri Jan 6 13:53:28 2023 -0500 - - Update wipe-ram.sh - -commit 779ad24b573b83c08e89569e5213e018377d1535 -Author: Friedrich Doku -Date: Fri Jan 6 13:53:18 2023 -0500 - - Update wipe-ram-needshutdown.sh - -commit d45ba826bca6f5efef846de01a34a0a8c7936442 -Author: Friedrich Doku -Date: Fri Jan 6 13:53:10 2023 -0500 - - Update module-setup.sh - -commit b3d4314a069a608380ca9dd01d76c653bdb87078 -Author: Friedrich Doku -Date: Fri Jan 6 13:52:51 2023 -0500 - - Update wipe-ram.sh - -commit 33877250172349cccb2c776c1fa7aed2e8ad716f -Author: Friedrich Doku -Date: Fri Jan 6 13:52:42 2023 -0500 - - Update wipe-ram-needshutdown.sh - -commit ec68ee6ded7294c161b3d0793bf8874b12262190 -Author: Friedrich Doku -Date: Fri Jan 6 13:52:32 2023 -0500 - - Update module-setup.sh - -commit 014d10b9778907a9282ec337023f8c2b01b0ca6b -Author: Friedrich Doku -Date: Fri Jan 6 13:52:09 2023 -0500 - - Update cold-boot-attack-defense-kexec-prepare.service - -commit 62dcdcf7649175e0587a84708e8f0aa318a45d30 -Author: Friedrich Doku -Date: Fri Jan 6 13:51:45 2023 -0500 - - Update cold-boot-attack-defense-kexec-prepare - -commit f4637509205c11eddaa13151b93c961e9d345be6 -Author: Friedrich Doku -Date: Fri Jan 6 13:48:22 2023 -0500 - - Update cold-boot-attack-defense-kexec-prepare.service - -commit 14abfbfccdd3403d90a16dd5b2a1057ccf4da3d5 -Author: Friedrich Doku -Date: Fri Jan 6 13:48:03 2023 -0500 - - Update cold-boot-attack-defense-kexec-prepare - -commit 
37a5264696797c0807570606361e04cb8dcb2395 -Author: Friedrich Doku -Date: Fri Jan 6 13:47:34 2023 -0500 - - Update wipe-ram.sh - -commit 7ac45acd0f3e3e0a68e3fc4036787e8e7d4ebe9f -Author: Friedrich Doku -Date: Fri Jan 6 13:47:23 2023 -0500 - - Update wipe-ram-needshutdown.sh - -commit 114a37fcd39ff20ddd9e8cca829763a9b96a8115 -Author: Friedrich Doku -Date: Fri Jan 6 13:47:14 2023 -0500 - - Update module-setup.sh - -commit 1eeb32b7b96ab1df63d808b6715fef7a6e1a9482 -Author: Friedrich Doku -Date: Fri Jan 6 13:47:01 2023 -0500 - - Update wipe-ram.sh - -commit c5accc5ad191fe54a96e12cd1f1286508da8243c -Author: Friedrich Doku -Date: Fri Jan 6 13:46:51 2023 -0500 - - Update wipe-ram-needshutdown.sh - -commit f9ebc3cfa86674025ccd65c22cde2427ea2f4ae3 -Author: Friedrich Doku -Date: Fri Jan 6 13:46:40 2023 -0500 - - Update module-setup.sh - -commit 28687092ef4f57afab5e8d32f68492799694a379 -Author: Friedrich Doku -Date: Fri Jan 6 12:52:36 2023 -0500 - - Update cold-boot-attack-defense-kexec-prepare - -commit d67d3c1d7d788fff589806457ff140e8f82089a0 -Author: Friedrich Doku -Date: Fri Jan 6 12:51:18 2023 -0500 - - Update wipe-ram.sh - -commit 7fa64d68423d24668e44eb0d7e19ccf4845ee711 -Author: Friedrich Doku -Date: Fri Jan 6 12:50:58 2023 -0500 - - Update wipe-ram-needshutdown.sh - -commit 14c7239681300edc4f715bc96c5235cddf677c60 -Author: Friedrich Doku -Date: Fri Jan 6 12:50:42 2023 -0500 - - Update module-setup.sh - -commit 73913ea5afef8354f433f7cf87c7cd64c16be0a0 -Author: Friedrich Doku -Date: Fri Jan 6 12:49:34 2023 -0500 - - Added checks - -commit a7015f4ddff892cab17f96713ddb0a720ebb7901 -Author: Friedrich Doku -Date: Fri Jan 6 10:50:34 2023 -0500 - - added files - -commit 929f49f333fc88d91ed4cef849921b0b4a69bfea -Author: Patrick Schleizer -Date: Sun Dec 18 14:37:51 2022 -0500 - - bumped changelog version - -commit 75beb52bd5b7cee4a48eead53dbbe7fac9f6cc9e -Merge: 98f753d8 58b622f0 -Author: Patrick Schleizer -Date: Sun Dec 18 06:24:41 2022 -0500 - - Merge remote-tracking branch 
'github-kicksecure/master' - -commit 58b622f0fe373b6e2fb30b9564b22f1064f690b0 -Merge: 98f753d8 f81714be -Author: Patrick Schleizer -Date: Sun Dec 18 06:23:26 2022 -0500 - - Merge pull request #114 from raja-grewal/framebuffer - - Add some framebuffer drivers into blacklist - -commit f81714be506d1b15c0e79cbe8378bf8a18a2256f -Merge: d67845fe 98f753d8 -Author: Raja Grewal -Date: Tue Dec 13 05:14:56 2022 +0000 - - Merge branch 'Kicksecure:master' into framebuffer - -commit d67845fea89f4a74ed4b0a6eefbf2bf228b13a1b -Author: Raja Grewal -Date: Tue Dec 13 16:11:24 2022 +1100 - - Typo - -commit 98f753d8ffcf6673a3130d45c23b84a4c35917b1 -Author: Patrick Schleizer -Date: Thu Nov 24 07:21:58 2022 -0500 - - bumped changelog version - -commit 6d7a78262464c054c46df155605a480f1b32f22c -Author: Patrick Schleizer -Date: Thu Nov 24 07:21:46 2022 -0500 - - fix - -commit 421f03ae9e648d366146415532d4dd9dda106980 -Author: Patrick Schleizer -Date: Thu Nov 24 07:20:56 2022 -0500 - - fix - -commit ad1e722879ef049ef421f0062ee383770d66bfee -Author: Patrick Schleizer -Date: Thu Nov 24 07:00:33 2022 -0500 - - bumped changelog version - -commit a806c782d78d691617dd650808a0403ce72d4a1a -Author: Patrick Schleizer -Date: Thu Nov 24 07:00:23 2022 -0500 - - fix - -commit 4601e106c4823f2cb0dc7a8ba601670395c96326 -Author: Patrick Schleizer -Date: Thu Nov 24 06:49:26 2022 -0500 - - bumped changelog version - -commit 39b35ef9ac7489685df5486334a0acf5936e9b47 -Author: Patrick Schleizer -Date: Thu Nov 24 06:49:15 2022 -0500 - - fix - -commit 73963a9e6847fd8099093da1253267d79db7d261 -Author: Patrick Schleizer -Date: Thu Nov 24 06:31:37 2022 -0500 - - bumped changelog version - -commit d05c10172178d04781976026243297fa153125a0 -Author: Patrick Schleizer -Date: Thu Nov 24 06:31:24 2022 -0500 - - debugging - -commit 36454c2dbf43de4805f2f156b05d263c37b9615a -Author: Patrick Schleizer -Date: Thu Nov 24 06:25:47 2022 -0500 - - debugging - -commit e06b173a1be8c0e3e47a9c4bab2d94fe88d422e0 -Author: Patrick Schleizer 
-Date: Thu Nov 24 06:24:14 2022 -0500 - - debugging - -commit 97722d1926bc106a0645783fcb55b7d5691c873b -Author: Patrick Schleizer -Date: Thu Nov 24 06:14:15 2022 -0500 - - bumped changelog version - -commit 497b5b45442b1293b130fef63de1b84d091d27eb -Author: Patrick Schleizer -Date: Thu Nov 24 06:14:04 2022 -0500 - - fix - -commit 6f695902fb70cbbc95b71f827216ab84edcfeb83 -Author: Raja Grewal -Date: Wed Nov 23 23:53:40 2022 +1100 - - Add comment about legacy Apple fiesystems - -commit d7222b5678aa182866c389d8a88f55b6488e74e0 -Author: Patrick Schleizer -Date: Tue Nov 22 06:03:13 2022 -0500 - - bumped changelog version - -commit e5255a630ad3c9c99b6b7ffa4c7be43a44dffba9 -Author: Patrick Schleizer -Date: Tue Nov 22 05:57:30 2022 -0500 - - pam-info: support non-root environments (such as during graphical display manager login and xscreensaver) - -commit d419898ee494fb159ed6811a719dbb4a5ffb469a -Author: Patrick Schleizer -Date: Thu Nov 17 10:15:36 2022 -0500 - - bumped changelog version - -commit 09e6af5c080f776d56d7e2390f88c4ae7e01bdb7 -Author: Patrick Schleizer -Date: Wed Nov 16 02:01:23 2022 -0500 - - pam-info refactoring - -commit caf0099064747a2048363e3600a53af51df549ad -Author: Patrick Schleizer -Date: Wed Nov 16 02:00:32 2022 -0500 - - pam-info refactoring - -commit 487f63bb01c6dfc71d0e4efef2c70dae94093dce -Author: Patrick Schleizer -Date: Wed Nov 16 01:56:01 2022 -0500 - - comment - -commit f59f959a8d43ebd80a4037e65ec26df7143bcaf5 -Author: Patrick Schleizer -Date: Wed Nov 16 01:55:14 2022 -0500 - - pam-info fix - -commit ae113442a162969561a24fcf17718ceb6a11d928 -Author: Patrick Schleizer -Date: Wed Nov 16 01:49:45 2022 -0500 - - pam-info refactoring - -commit bb6b509d06a1ae34ee407cb309c530e5dddfedfd -Author: Patrick Schleizer -Date: Wed Nov 16 01:44:21 2022 -0500 - - pam-info refactoring - -commit e5d7ab7082908e64596ccd1da835a781cae22456 -Author: Patrick Schleizer -Date: Tue Nov 15 12:44:12 2022 -0500 - - comment - -commit 23b936b573c8989222a50d1ef8c35dc95589bb0e 
-Author: Patrick Schleizer -Date: Tue Nov 15 12:31:14 2022 -0500 - - also support /usr/local/etc/pam-info-debug - -commit 95487346dbb18c4ac9133fc21b4abed12dc346b3 -Author: Patrick Schleizer -Date: Tue Nov 15 12:29:41 2022 -0500 - - pam-info: create debug log file ~/pam-info-debug.txt - - when file /etc/pam-info-debug exists - -commit 2872c2ab52ae9a1eaa25ea8b9852401e82d5616a -Author: Patrick Schleizer -Date: Tue Nov 15 12:00:59 2022 -0500 - - comments - -commit 6033de78152cb5d7a9659f58aa8035ae2a7d6532 -Author: Patrick Schleizer -Date: Tue Nov 15 11:58:50 2022 -0500 - - debugging - -commit daa30d4e7830ba38ed52f83e6ac93c3a4e03ee33 -Author: Raja Grewal -Date: Wed Nov 9 20:43:59 2022 +1100 - - Include several framebuffer drivers into blacklist - - These were previously commented out to test for compatibility issues. - -commit 2319458e9f1a0ae2b60cf5786122c19459bbaea1 -Author: Patrick Schleizer -Date: Wed Aug 24 18:28:39 2022 -0400 - - bumped changelog version - -commit cdfc175953a8ab358bb8e6db2610df11733ba258 -Merge: ff845146 ae4d4989 -Author: Patrick Schleizer -Date: Mon Aug 22 06:09:30 2022 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit ae4d4989b0e8ea79b5661f098e9814379ff9401e -Merge: ff845146 d500205f -Author: Patrick Schleizer -Date: Mon Aug 22 06:09:40 2022 -0400 - - Merge pull request #113 from raja-grewal/master - - Comment out machine check exception - -commit d500205f556ba896417eb0bae1df0144b00ef7b9 -Author: Raja Grewal -Date: Sun Aug 21 23:03:13 2022 +1000 - - Update README.md - -commit 92669dba186c6ac40ff601fd39639945cd7633c6 -Author: Raja Grewal -Date: Sun Aug 21 23:02:44 2022 +1000 - - Comment out machine check exception - -commit ff8451469ad3b9cbd101ca4b93d72a2ac6cebe37 -Author: Patrick Schleizer -Date: Sat Aug 13 11:40:04 2022 -0400 - - bumped changelog version - -commit 272a33fe2c3c7666de96f9037094db8e9ab8e09e -Author: Patrick Schleizer -Date: Sat Aug 13 11:35:25 2022 -0400 - - addgroup -> adduser fix - -commit 
7d5246693c5c07f76e3f2e29c3ed39d4910673ff -Author: Patrick Schleizer -Date: Fri Aug 12 07:52:26 2022 -0400 - - bumped changelog version - -commit 82da4ed18f5682c0cc76cd435b6de2459c7b5f83 -Author: Patrick Schleizer -Date: Thu Jul 28 09:56:24 2022 -0400 - - comments - -commit a6bee1493d4113ab63f8d0671f97989b00d23544 -Author: Patrick Schleizer -Date: Thu Jul 28 09:55:12 2022 -0400 - - cold-boot-attack-defense wait longer to make messages readable by user - -commit 109594952335f94c2a21f22d6a517ecc8b864d81 -Author: Patrick Schleizer -Date: Tue Jul 26 10:00:53 2022 -0400 - - bumped changelog version - -commit 053142cdb57f23172fd0155dde4ff4c0183c4f65 -Author: Patrick Schleizer -Date: Tue Jul 26 10:00:21 2022 -0400 - - fix - -commit 73f6523e09f12fc56da0ed3555d050686ff441f3 -Author: Patrick Schleizer -Date: Sat Jul 23 08:07:37 2022 -0400 - - bumped changelog version - -commit 0c5b1e9f577d52e2c056e786e32c14ff37db344b -Author: Patrick Schleizer -Date: Sat Jul 23 07:49:56 2022 -0400 - - undo `"force kernel to panic on "oopses"` - - because implemented differently already - - https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 - -commit c1c04b4619eea4c79a0dbb5cced3ebb77482877c -Merge: 465775c9 bfe6b888 -Author: Patrick Schleizer -Date: Sat Jul 23 07:43:19 2022 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit bfe6b888395abf554623a9e530fe7e6605047e12 -Merge: 465775c9 ca764d8d -Author: Patrick Schleizer -Date: Sat Jul 23 07:27:24 2022 -0400 - - Merge pull request #111 from raja-grewal/harden - - Increased kernel hardening at boot - -commit ca764d8de0f17bb7e6d44e3d79ea1805276fc521 -Author: Raja Grewal -Date: Wed Jul 20 04:06:35 2022 +1000 - - force kernel to panic on "oopses" - -commit 1660aaa6dd1013ede105baebbb8ff3e1afc7b268 -Author: Raja Grewal -Date: Tue Jul 19 03:38:41 2022 +1000 - - update details around disabling SMT - -commit bfd78a2c06153ebadfee39190055edf0a13958f4 -Author: Raja 
Grewal -Date: Tue Jul 19 03:16:08 2022 +1000 - - update SRBDS mitigation - -commit c3ebb9160ffbbd2972cc898e3c1c0055d89beb5c -Author: Raja Grewal -Date: Tue Jul 19 02:33:16 2022 +1000 - - CPU mitigation - MMIO Stale Data - -commit 59e90ff1226bd6330d85244cf7c73ecf7fd5fdf1 -Author: Raja Grewal -Date: Tue Jul 19 02:32:41 2022 +1000 - - CPU mitigation - L1D FLushing - -commit 8531fbf99dea1b4cd806babd6072a8a1f0506eb3 -Author: Raja Grewal -Date: Tue Jul 19 02:30:49 2022 +1000 - - CPU mitigation - SRBDS - -commit 73f1e233327cc0edec83eac322b7f03bcb7fba22 -Author: Raja Grewal -Date: Tue Jul 19 02:29:46 2022 +1000 - - shuffle and rewording - -commit 39314b291263a93fcb11756ce12bd8691a1fa0f6 -Merge: bb831d57 c4a10947 -Author: Raja Grewal -Date: Tue Jul 19 00:49:08 2022 +1000 - - Merge branch 'harden' of https://github.com/raja-grewal/security-misc into harden - -commit bb831d57bcdcc8195a4b8169a4ddc25fb0c61173 -Author: Raja Grewal -Date: Tue Jul 19 00:38:32 2022 +1000 - - delete repeated commands - -commit c77a2a78bc48df2af7653a306bd1b046a8f99a6b -Author: Raja Grewal -Date: Tue Jul 19 00:37:31 2022 +1000 - - enforce default net.ipv6.icmp_ignore_bogus_error_responses - -commit c4a10947608b0d5508ef5b18e0ab34a2ee4f35de -Merge: 2b237039 465775c9 -Author: Raja Grewal -Date: Mon Jul 18 13:36:23 2022 +0000 - - Merge branch 'Kicksecure:master' into harden - -commit 465775c9dc1b97c98a5470acaffabb103ea7239f -Author: Patrick Schleizer -Date: Sat Jul 16 08:00:16 2022 -0400 - - bumped changelog version - -commit 1fafb5f53bbec57812f535e79bfb475628cc58e3 -Merge: 24d6a93e 27aa5231 -Author: Patrick Schleizer -Date: Fri Jul 15 08:09:16 2022 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 27aa5231e2d1dafd89ba19c8d6becf461e781605 -Merge: 24d6a93e a72bbb18 -Author: Patrick Schleizer -Date: Fri Jul 15 08:06:08 2022 -0400 - - Merge pull request #112 from raja-grewal/blacklist - - Corrected kernel module disabling - -commit a72bbb1883613ee56be29949c153e0edb2d72a29 -Author: 
Raja Grewal -Date: Wed Jul 13 23:42:13 2022 +1000 - - Corrected kerenl module disabling - -commit 24d6a93eacf5b41cfb9133471049776a16a07b03 -Author: Patrick Schleizer -Date: Wed Jul 13 08:28:34 2022 -0400 - - bumped changelog version - -commit 2b237039cf1db66100f7f0bb4880981ee0489abf -Author: Raja Grewal -Date: Wed Jul 13 22:25:53 2022 +1000 - - Update README.md - -commit 8f31e5d1d172eb117bde63702f63081da182d5c5 -Merge: 6aa9a947 c410890a -Author: Patrick Schleizer -Date: Wed Jul 13 07:26:58 2022 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit c410890a8ade6d4be13dc99a7003f03ebded8153 -Merge: 6aa9a947 fe0cc108 -Author: Patrick Schleizer -Date: Wed Jul 13 07:24:12 2022 -0400 - - Merge pull request #110 from raja-grewal/master - - Incorporated Ubuntu’s kernel module blacklists and more verbose errors - -commit 4e93b4d37e4c6d23a0ac76ddb2144c6504a66ad1 -Author: Raja Grewal -Date: Wed Jul 13 21:10:39 2022 +1000 - - Revert "enforce defualt net.ipv4.ip_forward" - - This reverts commit 57b5b2145c4e6779f0b879ee4199d46938f20965. 
- -commit a47922ad28fc9ebba93615a6ffdaaeb4887cc140 -Author: Raja Grewal -Date: Wed Jul 13 04:47:07 2022 +1000 - - enforce of IOMMU TLB invalidation - -commit 33df16af805597057c7aad0d5a4fb135ed9e286b -Author: Raja Grewal -Date: Wed Jul 13 04:37:03 2022 +1000 - - disables random.trust_bootloader - -commit d0779a96fc054df925523a76510c1aae5d672f96 -Author: Raja Grewal -Date: Wed Jul 13 04:36:34 2022 +1000 - - add reference - -commit 74858d257b8de40f082ce21241e680a5eeaf4053 -Author: Raja Grewal -Date: Wed Jul 13 04:34:35 2022 +1000 - - enable randomize_kstack_offset - -commit f572332108c06eb77d24e776910463e69d49acd3 -Author: Raja Grewal -Date: Wed Jul 13 04:32:03 2022 +1000 - - disable slub_debug - -commit 57b5b2145c4e6779f0b879ee4199d46938f20965 -Author: Raja Grewal -Date: Wed Jul 13 04:30:43 2022 +1000 - - enforce defualt net.ipv4.ip_forward - -commit 79156262c9e3fe92344847b627afc64b2c7f7717 -Author: Raja Grewal -Date: Wed Jul 13 04:29:42 2022 +1000 - - enforce default net.ipv4.icmp_ignore_bogus_error_responses - -commit dabcaf22e1006cc60297c55e3e254f080562d552 -Author: Raja Grewal -Date: Wed Jul 13 04:28:03 2022 +1000 - - enforce default kernel.randomize_va_space - -commit fe0cc1089086273794bd6b54df3528ff78c10f6a -Author: Raja Grewal -Date: Tue Jul 12 17:18:47 2022 +1000 - - Updated README.md - -commit 48089e5ba43b0b72449f888b98b63119ed57e2fd -Author: Raja Grewal -Date: Tue Jul 12 17:02:12 2022 +1000 - - More verbose kernel module blocking error logs - -commit 40ec791774f2a6ae7d42ccf2bfbe4a98a9963f08 -Author: Raja Grewal -Date: Tue Jul 12 16:58:16 2022 +1000 - - Updated comments - -commit ef1ef9917d896f1cd837f399def6a75704e9bfd2 -Author: Raja Grewal -Date: Sun Jul 10 04:53:25 2022 +1000 - - Blacklist automatic loading of CD-ROM modules - -commit 61ef9bd59f9ff39c140f782ff5b41d0a3c6d97bc -Author: Raja Grewal -Date: Sun Jul 10 04:52:00 2022 +1000 - - Incorporated Ubuntu’s kernel module blacklists - -commit 6aa9a9472f10d4d6270dd59fbcd94d9001aca9e6 -Author: Patrick 
Schleizer -Date: Sat Jul 9 11:42:24 2022 -0400 - - bumped changelog version - -commit 3b844eaab25fecf90292c88291be77abf0be694c -Author: Patrick Schleizer -Date: Sat Jul 9 11:42:11 2022 -0400 - - output - -commit 73d2c9d921c5c75ef3cca5461acc350c648f26d2 -Author: Patrick Schleizer -Date: Sat Jul 9 11:40:15 2022 -0400 - - output - -commit adfdac6dea0e8f971c59557b383d116cd51619fd -Author: Patrick Schleizer -Date: Sat Jul 9 11:40:01 2022 -0400 - - output - -commit 1df2cfd1add8b2277cb37499ced4fbb713c17668 -Author: Patrick Schleizer -Date: Sat Jul 9 11:38:37 2022 -0400 - - comment - -commit fede41e6e03c33f2f6569f03593f76edb9969e6a -Author: Patrick Schleizer -Date: Sat Jul 9 11:38:04 2022 -0400 - - fix - -commit 52c46e4706d5799d452f260616a3909c9a3bc78f -Merge: 1b8500cc dc41a581 -Author: Patrick Schleizer -Date: Sat Jul 9 11:37:41 2022 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit dc41a58102a114e21209aabeef9ad6b851365898 -Merge: 1b8500cc e5f8004a -Author: Patrick Schleizer -Date: Sat Jul 9 11:37:57 2022 -0400 - - Merge pull request #108 from Krish-sysadmin/master - - Continue for loop if unable to change one directory's permission - -commit 1b8500cc22fdd6a51ec66ae1b04abccb9a529150 -Author: Patrick Schleizer -Date: Thu Jul 7 17:41:13 2022 -0400 - - bumped changelog version - -commit 277749f27b2da8d33b70fb6f88c6757fab77e636 -Author: Patrick Schleizer -Date: Thu Jul 7 15:49:08 2022 -0400 - - genmkfile debinstfile - -commit eb8535fe870e79a5c818a38c414147819d32346d -Author: Patrick Schleizer -Date: Thu Jul 7 15:48:39 2022 -0400 - - renamed: usr/bin/disabled-by-security-misc -> bin/disabled-by-security-misc - -commit 26b2c9727f5ba6f78f5cd10c28c3561a97c81be9 -Author: Patrick Schleizer -Date: Thu Jul 7 15:39:40 2022 -0400 - - not blacklist CD-ROM / DVD yet - - https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31 - -commit d5c16503411bee4199c35a51226fc59924d6e142 -Author: Patrick Schleizer -Date: Thu Jul 7 15:28:09 
2022 -0400 - - shuffle - -commit ca19d78d48ca88f5b00dcceb18ac4803c7893ca4 -Author: Patrick Schleizer -Date: Thu Jul 7 15:27:15 2022 -0400 - - shuffle - -commit d018bdaf73e109a61c0687a171af843c890729e0 -Merge: 1b287a64 780dc8ee -Author: Patrick Schleizer -Date: Thu Jul 7 15:26:08 2022 -0400 - - Merge remote-tracking branch 'raja-gerwal/master' - -commit 780dc8eec99915a7466249e219ad59c5db5f0364 -Author: Raja Grewal -Date: Fri Jul 8 04:11:25 2022 +1000 - - replace /bin/false -> /bin/disabled-by-security-misc - -commit fa2e30f5125e438250acfdc52107a936ecb7b1b4 -Author: Raja Grewal -Date: Fri Jul 8 03:04:37 2022 +1000 - - Updated descriptions of disabled modules - -commit da389d6682f6eb1d0c0172c50a4b529152384415 -Author: Raja Grewal -Date: Fri Jul 8 02:12:04 2022 +1000 - - Revert "replace /bin/false -> /bin/true" - - This reverts commit f0511635a9725f79863c41a7b8d9f8a077ba8788. - -commit 28381e81d4a57c59929a37745fa8ba5f3e0b25cb -Author: raja-grewal -Date: Thu Jul 7 09:28:30 2022 +0000 - - Update README.md - -commit f0511635a9725f79863c41a7b8d9f8a077ba8788 -Author: raja-grewal -Date: Thu Jul 7 09:27:53 2022 +0000 - - replace /bin/false -> /bin/true - -commit 18d67dbc5309a2403bece92881e671f46dc27f86 -Author: raja-grewal -Date: Thu Jul 7 09:26:55 2022 +0000 - - Blacklist more modules - -commit 1b287a6430527c762f9bf909bcda58ab52041668 -Author: Patrick Schleizer -Date: Tue Jul 5 11:16:33 2022 -0400 - - bumped changelog version - -commit 92ff868ecefed4377c5f1e99eb5e5eecbb021564 -Author: Patrick Schleizer -Date: Tue Jul 5 11:05:36 2022 -0400 - - readme - -commit b8ba6085357631fb1f346a613d7e354aaf780560 -Author: Patrick Schleizer -Date: Tue Jul 5 10:57:28 2022 -0400 - - readme - -commit 949edf3e1753fcd403015c2d0dc8f3503a7f62d2 -Author: Patrick Schleizer -Date: Tue Jul 5 10:48:58 2022 -0400 - - readme - -commit 1c0e0719483c68ce04b5c14159ad09a87c386deb -Author: Patrick Schleizer -Date: Tue Jul 5 10:45:55 2022 -0400 - - comments - -commit 5d47f5f74cc9f5e186de8db5305a44029ebbb362 
-Author: Patrick Schleizer -Date: Tue Jul 5 10:45:09 2022 -0400 - - comments - -commit 435c689cf9ee9e94dec42ab3c45bc02beb8f9c40 -Author: Patrick Schleizer -Date: Tue Jul 5 10:44:28 2022 -0400 - - comments - -commit c20d588d7871bce1b8a02d46e6f658844a014572 -Author: Patrick Schleizer -Date: Tue Jul 5 10:42:37 2022 -0400 - - comments - -commit 8f03ce049a1f48bb088cf92f4f39cceb2e3a5ae6 -Author: Patrick Schleizer -Date: Tue Jul 5 10:41:55 2022 -0400 - - readme - -commit b342ce930ea14a365ba23f37642cc9c098470362 -Author: Patrick Schleizer -Date: Tue Jul 5 10:28:22 2022 -0400 - - add `/etc/default/grub.d/40_cold_boot_attack_defense.cfg` - -commit e5f8004a9401727f1be2db492ea756bc19090866 -Author: Krish-sysadmin -Date: Tue Jul 5 03:37:40 2022 +0200 - - Update hide-hardware-info - -commit 69af8be7b80dcc30e3a5d1b0a1d1aa198528b876 -Author: Patrick Schleizer -Date: Sat Jul 2 19:10:55 2022 -0400 - - drop_caches before and after sdmem - -commit 67bdd58bf2a8090a29e35b85fb4a25d42a8f8a1a -Author: Patrick Schleizer -Date: Sat Jul 2 19:07:06 2022 -0400 - - sync - -commit 01b82bf0f0b96b3e08e272b8b2e69c1b3f0dcc16 -Author: Patrick Schleizer -Date: Sat Jul 2 18:30:06 2022 -0400 - - bumped changelog version - -commit 973f117aa6a7418ea29125753f6c6b6f7e7986a4 -Author: Patrick Schleizer -Date: Sat Jul 2 18:12:36 2022 -0400 - - wipe RAM at shutdown: Ensure any remaining disk cache is erased by Linux' memory poisoning - - by running: - `echo 3 > /proc/sys/vm/drop_caches` - - Inspired by Tails: - https://gitlab.tails.boum.org/tails/tails/-/blob/master/config/chroot_local-includes/usr/local/lib/initramfs-pre-shutdown-hook - -commit e783ddc71e5e528051e1bd0fda3f60decc0af9bf -Author: Patrick Schleizer -Date: Sat Jul 2 17:37:16 2022 -0400 - - bumped changelog version - -commit 95187bd357e6f2f855afbf546da42c6229a8394e -Author: Patrick Schleizer -Date: Sat Jul 2 17:21:33 2022 -0400 - - fix - -commit 3bd87d019fb08644578d2ee73d2ac7185687f115 -Author: Patrick Schleizer -Date: Sat Jul 2 16:03:52 2022 -0400 - 
- bumped changelog version - -commit 148a050468658c254b67de2de61cad3e147e2178 -Author: Patrick Schleizer -Date: Sat Jul 2 16:03:45 2022 -0400 - - fix - -commit 82e7863d5b1efff2c558204bfdf04812af10660b -Author: Patrick Schleizer -Date: Sat Jul 2 16:02:28 2022 -0400 - - improvement - -commit aebca1b3dce026bbccefa38381e62f30904e5a6d -Author: Patrick Schleizer -Date: Sat Jul 2 15:52:08 2022 -0400 - - bumped changelog version - -commit 1144b39e5efcb318ad92413f623b6f039fd7a5fa -Author: Patrick Schleizer -Date: Sat Jul 2 15:50:59 2022 -0400 - - debugging - -commit c29b21c08a839d8dafe2c9654a58f2b178055935 -Author: Patrick Schleizer -Date: Sat Jul 2 15:45:19 2022 -0400 - - output - -commit ed8ce9a7d0869d62eecea7ffc59c176bec061d08 -Author: Patrick Schleizer -Date: Sat Jul 2 15:32:51 2022 -0400 - - bumped changelog version - -commit d34fe21963442c6025b56209d0ba10479cde09a6 -Author: Patrick Schleizer -Date: Sat Jul 2 15:32:42 2022 -0400 - - fix - -commit 7a448e01a1f2be432c763678742301b64739b920 -Author: Patrick Schleizer -Date: Sat Jul 2 14:27:04 2022 -0400 - - bumped changelog version - -commit 32fdcf522be994e693f39c347ab1063ccd94255b -Author: Patrick Schleizer -Date: Thu Jun 30 14:47:45 2022 -0400 - - - introduce `wiperam=skip` kernel parameter to skip wipe ram - - introduce `wiperam=force` kernel parameter to force wipe ram inside VMs - -commit 036f518ddc067461979f5b61a576b7f74b7c6e65 -Author: Patrick Schleizer -Date: Thu Jun 30 13:56:29 2022 -0400 - - improvement - -commit 0e2fae2b693d6c45344cfdf592bac0adf3338d58 -Author: Patrick Schleizer -Date: Thu Jun 30 13:50:18 2022 -0400 - - skip ram wipe inside VMs - - https://forums.whonix.org/t/is-ram-wipe-possible-inside-whonix-cold-boot-attack-defense/5596/40 - -commit e06405c7be683450e6c6f737171b4f10513254e7 -Author: Patrick Schleizer -Date: Wed Jun 29 16:56:16 2022 -0400 - - undo - -commit 1b97d9cb766b00914769e5add699a8bdbcf1e7aa -Author: Patrick Schleizer -Date: Wed Jun 29 16:30:31 2022 -0400 - - fix - -commit 
26be74bfe5c51a8ae41bb736847d3e93e7ae27d7 -Author: Patrick Schleizer -Date: Wed Jun 29 16:25:07 2022 -0400 - - bumped changelog version - -commit 92c543e71ff5386f4458102e1795132399292328 -Author: Patrick Schleizer -Date: Wed Jun 29 16:24:52 2022 -0400 - - output - -commit d4161b2748665ca3b67e5ced5ae576acb93cda46 -Author: Patrick Schleizer -Date: Wed Jun 29 16:23:42 2022 -0400 - - output - -commit 1ce7b27297bce446fb5726eba1cbb0cd3746fa85 -Author: Patrick Schleizer -Date: Wed Jun 29 16:23:12 2022 -0400 - - improvement - -commit aae4fdcffd0e3ed168975bc84db149843ffdfe47 -Author: Patrick Schleizer -Date: Wed Jun 29 16:06:33 2022 -0400 - - bumped changelog version - -commit 8b584c570af5d9ada8083af9bd80f3f992e3dceb -Author: Patrick Schleizer -Date: Wed Jun 29 16:06:22 2022 -0400 - - lintian - -commit a1f752ad00563b61a62a2dd33058365f1b6027de -Author: Patrick Schleizer -Date: Wed Jun 29 16:03:58 2022 -0400 - - bumped changelog version - -commit f5e0c1742abc009b1af95f0d106a5e1cd90d1ef4 -Author: Patrick Schleizer -Date: Wed Jun 29 16:02:05 2022 -0400 - - credits - -commit 42e24f3c241471d91af6f16b74b5bf85dfad85d7 -Author: Patrick Schleizer -Date: Wed Jun 29 15:54:49 2022 -0400 - - update file names - -commit 52aaac9b6d3a9611317e919d78840554bfce9778 -Author: Patrick Schleizer -Date: Wed Jun 29 15:53:52 2022 -0400 - - rename - -commit 619bb3cf4d347c1575c58c74adbbede94d60f79b -Author: Patrick Schleizer -Date: Wed Jun 29 15:53:24 2022 -0400 - - rename - -commit 2a8504cf1bd2a4d7e373bde3f34f6f22e3d5ebc4 -Author: Patrick Schleizer -Date: Wed Jun 29 15:51:14 2022 -0400 - - move - -commit af8b211c238f6fe83db5990dc0984d1c532456ae -Author: Patrick Schleizer -Date: Wed Jun 29 15:50:20 2022 -0400 - - improvements - -commit 0b0cda8f8f2ff1da256473115df37456273cdcdd -Author: Patrick Schleizer -Date: Wed Jun 29 15:24:40 2022 -0400 - - bumped changelog version - -commit e9cd5d934b04f7d06a14616ef52a914198f03b97 -Author: Patrick Schleizer -Date: Wed Jun 29 15:24:27 2022 -0400 - - copyright - 
-commit 1c51d156494e743c7ad89f76510209a97eef5e45 -Author: Patrick Schleizer -Date: Wed Jun 29 15:23:53 2022 -0400 - - lintian - -commit 4b0cd53fee691f68dd6292869b6f6870bc0b6cbe -Author: Patrick Schleizer -Date: Wed Jun 29 15:22:41 2022 -0400 - - bumped changelog version - -commit 9ab81d45810b71374520603c32812e22685f59cb -Author: Patrick Schleizer -Date: Wed Jun 29 15:22:00 2022 -0400 - - do not power off too fast so wipe ram messages can be read - -commit 19439033de840ed39039f04db7b13f6e168a627e -Author: Patrick Schleizer -Date: Wed Jun 29 15:19:56 2022 -0400 - - copyright - -commit fc202ede16ee41aceeec356ba35ba71cc7fc821d -Author: Patrick Schleizer -Date: Wed Jun 29 15:18:28 2022 -0400 - - delete no longer required `usr/lib/dracut/modules.d/40sdmem-security-misc/README.md` - -commit 6d3a08a9365207923edd2f0b6f8aebdc635d3b33 -Author: Patrick Schleizer -Date: Wed Jun 29 15:17:40 2022 -0400 - - improvements - -commit 87e5f49f8dc72f14e96cc06b924566668991037f -Author: Patrick Schleizer -Date: Wed Jun 29 14:18:02 2022 -0400 - - bumped changelog version - -commit 6eba53767f3af2436fd00b807e71a94dff813dfc -Author: Patrick Schleizer -Date: Wed Jun 29 14:17:52 2022 -0400 - - lintian - -commit 81c15e88afd11d3359ae748d5c43e7bcc8b9a855 -Author: Patrick Schleizer -Date: Wed Jun 29 14:15:48 2022 -0400 - - bumped changelog version - -commit 8a072437cc6478757a8f21f3a6a0ea51a97b978b -Author: Patrick Schleizer -Date: Wed Jun 29 14:13:30 2022 -0400 - - ram wipe on shutdown: fix, added `need_shutdown` hook - - Otherwise dracut does not run on shutdown. - - Without `need_shutdown` file `/run/initramfs/.need_shutdown` does not get created. - And without that file `/usr/lib/dracut/dracut-initramfs-restore`, - which itself is started by `/lib/systemd/system/dracut-shutdown.service` does nothing. 
- -commit 4d937f551f6cccf40f933576a7fa210066f1fc8a -Author: Patrick Schleizer -Date: Wed Jun 29 13:03:35 2022 -0400 - - bumped changelog version - -commit 924077e04cd0d5b06a410b2a9289047286500e8a -Author: Patrick Schleizer -Date: Wed Jun 29 13:02:53 2022 -0400 - - verbose - -commit db301dfd7feb07799a00871f0e1f8fdccef0b777 -Author: Patrick Schleizer -Date: Wed Jun 29 13:02:39 2022 -0400 - - comment - -commit 73d2ada0deb98064979ea1feedb01c6312c4b4d5 -Author: Patrick Schleizer -Date: Wed Jun 29 13:02:01 2022 -0400 - - comment - -commit 67eaf8c9167da545189390b6f0f58b0b5b20976c -Author: Patrick Schleizer -Date: Wed Jun 29 11:40:38 2022 -0400 - - comments - -commit 72908d6b0dd65d6c9691977047b2bfdaa16ba147 -Author: Patrick Schleizer -Date: Wed Jun 29 11:34:55 2022 -0400 - - comments - -commit 43ea4dbb8363c511270fd704b138633da9ad088a -Author: Patrick Schleizer -Date: Wed Jun 29 11:18:59 2022 -0400 - - bumped changelog version - -commit 295811a88f9505687447ebf605fa108bc795da46 -Author: Patrick Schleizer -Date: Wed Jun 29 11:14:52 2022 -0400 - - improvements - -commit e5d85d69efefdfcee63c8c7d4ced1ed1bf1aeee7 -Author: Patrick Schleizer -Date: Wed Jun 29 10:02:18 2022 -0400 - - bumped changelog version - -commit af8ff65f8404ac1d423ad3c28342d8fe7bc3a018 -Author: Patrick Schleizer -Date: Wed Jun 29 10:01:51 2022 -0400 - - comment - -commit cfae7de6a842b77e50f9e6f5cb1eed0eac63ff2f -Author: Patrick Schleizer -Date: Wed Jun 29 09:58:37 2022 -0400 - - lintian - -commit 83519a58c7c1eccee7544fbc3ec0cf67bda976a7 -Author: Patrick Schleizer -Date: Wed Jun 29 09:54:27 2022 -0400 - - bumped changelog version - -commit 024d52a67ebb6028d5df890e469fec5dc42be00a -Author: Patrick Schleizer -Date: Wed Jun 29 09:52:53 2022 -0400 - - improve usr/lib/dracut/modules.d/40sdmem-security-misc/module-setup.sh - -commit 29253004b6be7c7d2b3fce6cceff2df3e845f15a -Author: Patrick Schleizer -Date: Wed Jun 29 09:38:18 2022 -0400 - - minor - -commit 6f19af1542d3b6d2d6af89136ce909f7f7335ff1 -Author: Patrick 
Schleizer -Date: Wed Jun 29 09:35:08 2022 -0400 - - add shebang /bin/sh - - to fix lintian warning - security-misc: executable-not-elf-or-script usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh - -commit 38cdf2722bc0aa224e1ec253e77728d4e00b9be0 -Author: Patrick Schleizer -Date: Wed Jun 29 09:32:55 2022 -0400 - - - Wipe LUKS Disk Encryption Key for Root Disk from RAM during Shutdown to defeat Cold Boot Attacks - - Confirm in console output if encrypted mounts (root disk) is unmounted. (Because that is a pre-condition for wiping the LUKS full disk encryption key from RAM.) - - Thanks to @friedy10! - - https://github.com/friedy10/dracut/tree/master/modules.d/40sdmem - - https://forums.whonix.org/t/is-ram-wipe-possible-inside-whonix-cold-boot-attack-defense/5596 - -commit adca1ebdf6c83c5c1c846cdb29f3e16ea9cdf32f -Author: Patrick Schleizer -Date: Wed Jun 8 11:05:07 2022 -0400 - - bumped changelog version - -commit d7dd188651a5227be6b1d95e7ae9a97e0cbb34f0 -Author: Patrick Schleizer -Date: Wed Jun 8 09:27:02 2022 -0400 - - remove unicode - -commit 55d16e1602c0221dbe00996a206d0691ef93ae71 -Author: Patrick Schleizer -Date: Wed Jun 8 09:04:03 2022 -0400 - - remove unicode - -commit fcaec49675ce7e240bdd049aab184fbee0945c7d -Merge: 5c43197f 995e4ba7 -Author: Patrick Schleizer -Date: Wed Jun 8 08:20:24 2022 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 995e4ba7fafc1bf4f691b83dde415c57cebed63d -Merge: 616fe857 6e8f584d -Author: Patrick Schleizer -Date: Wed Jun 8 08:19:03 2022 -0400 - - Merge pull request #104 from ntninja/patch-1 - - Fix issues found with permission-hardening on my system - -commit 5c43197f10df3a49704a66ef3e3d56f122be4775 -Author: Patrick Schleizer -Date: Wed Jun 8 08:11:28 2022 -0400 - - minor - -commit 6e8f584d88333d3a6fec1318ba92f76e328bf7ce -Author: Kuri Schlarb <246386+ntninja@users.noreply.github.com> -Date: Wed Jun 8 05:29:42 2022 +0000 - - permission-hardening: Keep `pam_unix.so` password checking helper SetGID shadow 
- -commit 2bdda9d0a0a289dafb260c926d29df274c9a67da -Author: Kuri Schlarb <246386+ntninja@users.noreply.github.com> -Date: Tue Jun 7 08:18:05 2022 +0000 - - permssion-hardening: Do not skip config file lines without trailing newline (ancient bash bug) - -commit 3910e4ee159d8b5f80c5086915583e4e20ecd6fe -Author: Kuri Schlarb <246386+ntninja@users.noreply.github.com> -Date: Tue Jun 7 08:11:51 2022 +0000 - - permission-hardening: Keep `passwd` executable but non-SetUID - -commit 9fd8e1c9b0250c9e00b555838bd381f162dfd8c4 -Author: Kuri Schlarb <246386+ntninja@users.noreply.github.com> -Date: Tue Jun 7 08:03:56 2022 +0000 - - permission-hardening: Fix issue with pipelining failures causing incorrect user/group lookup results - -commit 616fe857f7a5cde1f4ad0d31e03876dcd2ab7f0f -Author: Patrick Schleizer -Date: Wed May 25 06:07:17 2022 -0400 - - bumped changelog version - -commit 7e2efe0155b97955428e64181c9a6b32402ee9db -Author: Patrick Schleizer -Date: Fri May 20 15:27:10 2022 -0400 - - readme - -commit 2d37e3a1af3739eedd9191a0f0c78a2762c5fa38 -Author: Patrick Schleizer -Date: Fri May 20 14:46:38 2022 -0400 - - copyright - -commit 78a9956b73498bad471ee1cb0fa0993f2e5ce3c0 -Merge: 4a3ed171 76513087 -Author: Patrick Schleizer -Date: Thu May 19 19:41:33 2022 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 76513087872943442df32451de5af158c2bbe944 -Merge: 4a3ed171 93efa506 -Author: Patrick Schleizer -Date: Thu May 19 19:39:42 2022 -0400 - - Merge pull request #103 from 0xC0ncord/bugfix/selinuxfs_restrictions - - hide-hardware-info: re-enable restrictions on sysfs when using SELinux - -commit 4a3ed17160c14ba7122d770665b53bde96038307 -Author: Patrick Schleizer -Date: Thu May 19 17:25:58 2022 -0400 - - readme - -commit bb0307290b59d0273f9ad585e881c91071e3edea -Author: Patrick Schleizer -Date: Sat Apr 16 14:18:35 2022 -0400 - - update link - -commit 2677db34baeb120a402b684d4a62ccf616b5528c -Author: Patrick Schleizer -Date: Sun Apr 10 12:40:16 2022 -0400 - - 
readme - -commit 93efa506dac6135f1a5c260ec95d985e7fedc53d -Author: 0xC0ncord -Date: Thu Mar 17 11:41:57 2022 -0400 - - hide-hardware-info: disable selinux whitelist by default - -commit 0051a6935acd2f452a9189d1581ccac7377dd23d -Author: Patrick Schleizer -Date: Thu Feb 10 14:06:54 2022 -0500 - - bumped changelog version - -commit b0a0004a85387a4f7520a688f6d2a9826d8e68fb -Author: Patrick Schleizer -Date: Thu Feb 10 13:47:10 2022 -0500 - - output - -commit 4f6f588fb53d2756d867ac7e29fb42f4f8fdb335 -Author: Patrick Schleizer -Date: Thu Feb 10 13:44:55 2022 -0500 - - fix, skip deletion of system.map files on read-only filesystems - - This is required for Qubes /lib/modules read-only implementation at time of writing. - - Thanks to @marmarek for the bug report! - - https://forums.whonix.org/t/remove-system-map-cannot-work-lib-modules-is-mounted-read-only/13324 - -commit 356232677a036cd1a673d805caa4d74a327ea096 -Author: Patrick Schleizer -Date: Tue Nov 9 14:32:33 2021 -0500 - - readme - -commit 4172232eb75aaca301e51529e49df76ca86b93b3 -Author: 0xC0ncord -Date: Fri Oct 8 22:17:12 2021 -0400 - - hide-hardware-info: make indentation consistent - -commit 060d7d890a0292addaa1e85bb1b2ff7eece23378 -Author: 0xC0ncord -Date: Fri Oct 8 22:11:58 2021 -0400 - - hide-hardware-info: re-enable restrictions on sysfs when using SELinux - - When using SELinux, restrict the parts of sysfs explicitly to ensure - restrictions are working as expected. 
- -commit 96026a5e90a56cade2dff5f3dfc3687687e92c56 -Author: Patrick Schleizer -Date: Tue Sep 14 14:18:52 2021 -0400 - - bumped changelog version - -commit c72567dbd215fcd60c4719fe1ebc9a0f350a2b97 -Author: Patrick Schleizer -Date: Tue Sep 14 14:18:44 2021 -0400 - - fix - -commit 03276fbec502df9e9fc228a0c05f3c85fd1483af -Author: Patrick Schleizer -Date: Sun Sep 12 11:57:20 2021 -0400 - - bumped changelog version - -commit d62bbaab82a33a485a82d42d8db5674d200a1c3d -Author: Patrick Schleizer -Date: Sun Sep 12 11:40:58 2021 -0400 - - fix, unduplicate kernel command line - -commit fb0540650c26689165b2fd0558b87ef7c3154a6e -Author: Patrick Schleizer -Date: Sat Sep 11 16:33:14 2021 -0400 - - readme - -commit 64e9f0016aa5804740a099890a5ef648dde07883 -Author: Patrick Schleizer -Date: Thu Sep 9 12:35:37 2021 -0400 - - bumped changelog version - -commit bd31b4085c853d8b182e3a13534827a695f5493a -Author: Patrick Schleizer -Date: Thu Sep 9 12:16:18 2021 -0400 - - remove Debian buster support in /etc/default/grub.d - -commit d16d9a545502af1ec25a165a27bdbc1033b97d59 -Author: Patrick Schleizer -Date: Mon Sep 6 09:46:20 2021 -0400 - - bumped changelog version - -commit ac0c492663b9d90f99e5969193b35b53d4175d1d -Author: Patrick Schleizer -Date: Mon Sep 6 08:22:55 2021 -0400 - - do not set kernel parameter `quiet loglevel=0` for recovery boot option - - for easier debugging - -commit 49902b8c56512c3ee8b3d16b0ca513e44349c66d -Author: Patrick Schleizer -Date: Mon Sep 6 08:19:41 2021 -0400 - - move grub quiet to separate config file /etc/default/grub.d/41_quiet.cfg - -commit bb3a3178f17d1b882f38ba18db7835833f758805 -Author: Patrick Schleizer -Date: Mon Sep 6 04:55:23 2021 -0400 - - bumped changelog version - -commit f5b0e4b5b856ba6fa0dea7fa18c38221d972e8a3 -Author: Patrick Schleizer -Date: Mon Sep 6 04:55:16 2021 -0400 - - debugging - -commit a67d1754d459a221930cb92754b51bec348f8035 -Author: Patrick Schleizer -Date: Sun Sep 5 16:04:28 2021 -0400 - - bumped changelog version - commit 
6257bfa926f960b3b772dd528fe6004f81d990ea Author: Patrick Schleizer Date: Sun Sep 5 15:54:20 2021 -0400 @@ -12207,14 +275,14 @@ Date: Mon Jun 7 12:13:37 2021 -0400 bumped changelog version commit 30d1ce36af7835d47e0b53af475f3a7e99617b77 -Merge: 0305baf2 70a1eb25 +Merge: 0305baf 70a1eb2 Author: Patrick Schleizer Date: Mon Jun 7 12:11:58 2021 -0400 Merge remote-tracking branch 'github-whonix/master' commit 70a1eb25a5976e0461056ff2c56bd82ab5df6c2c -Merge: 0305baf2 97d8db3f +Merge: 0305baf 97d8db3 Author: Patrick Schleizer Date: Sat Jun 5 15:55:41 2021 -0400 @@ -12331,14 +399,14 @@ Date: Mon Mar 1 09:15:44 2021 -0500 comment commit 3382192b89de3891d45261f138652bdb48c5674b -Merge: 7f30d702 2e8e3c07 +Merge: 7f30d70 2e8e3c0 Author: Patrick Schleizer Date: Mon Mar 1 09:12:18 2021 -0500 Merge remote-tracking branch 'github/master' commit 2e8e3c07c4dda7f8500237dfa7a1d2bc7aecef5d -Merge: 7f30d702 4db7d6be +Merge: 7f30d70 4db7d6b Author: Patrick Schleizer Date: Mon Mar 1 14:11:28 2021 +0000 @@ -12464,14 +532,14 @@ Date: Tue Jan 12 03:19:31 2021 -0500 new file: README_generic.md commit 94627f0875e69c9314faab8b0dc2dbe22af5c88f -Merge: 353e74fb 79876f7b +Merge: 353e74f 79876f7 Author: Patrick Schleizer Date: Tue Jan 12 03:18:41 2021 -0500 Merge remote-tracking branch 'github/master' commit 79876f7b1261006885a713dbfda97609c8e81f3f -Merge: 353e74fb 3066b5ad +Merge: 353e74f 3066b5a Author: Patrick Schleizer Date: Tue Jan 12 08:17:04 2021 +0000 @@ -12689,14 +757,14 @@ Date: Mon Oct 5 07:03:37 2020 -0400 bumped changelog version commit 3adb2c92d9551f649b177753fede18da3cc4b0eb -Merge: feb7cea4 58560138 +Merge: feb7cea 5856013 Author: Patrick Schleizer Date: Sat Oct 3 14:10:32 2020 -0400 Merge remote-tracking branch 'github/master' commit 58560138cdc36fa5f6142f75f0fed53bcad96363 -Merge: feb7cea4 06ffd5d2 +Merge: feb7cea 06ffd5d Author: Patrick Schleizer Date: Sat Oct 3 18:09:07 2020 +0000 
@@ -12733,14 +801,14 @@ Date: Mon Sep 28 10:25:57 2020 -0400 https://github.com/Whonix/security-misc/pull/75#issuecomment-695201068 commit 77d461ec08ffdf0eb6a5d124927d9f9748c0dd3c -Merge: 5fc7b791 3684ab58 +Merge: 5fc7b79 3684ab5 Author: Patrick Schleizer Date: Mon Sep 28 10:24:59 2020 -0400 Merge remote-tracking branch 'github/master' commit 3684ab585eeab46ff17a1d410ce1bcff1a63968c -Merge: ae90107e a813e7da +Merge: ae90107 a813e7d Author: Patrick Schleizer Date: Mon Sep 28 14:24:15 2020 +0000 @@ -12749,7 +817,7 @@ Date: Mon Sep 28 14:24:15 2020 +0000 Blacklist more modules (based on OpenSCAP for RHEL 8) commit ae90107e6df4d312a6734985df38b8533d1283c8 -Merge: 5fc7b791 8f7727e8 +Merge: 5fc7b79 8f7727e Author: Patrick Schleizer Date: Mon Sep 28 14:23:42 2020 +0000 @@ -12770,14 +838,14 @@ Date: Sat Sep 19 09:28:27 2020 -0400 bumped changelog version commit bff6ce7abb920d55edc49b19340a1e9251a4cd8c -Merge: 98c0deca 9239c8b8 +Merge: 98c0dec 9239c8b Author: Patrick Schleizer Date: Sat Sep 19 06:54:50 2020 -0400 Merge remote-tracking branch 'github/master' commit 9239c8b8074018090d4fa1381aa06e66a99359cc -Merge: 98c0deca 8dfdec1d +Merge: 98c0dec 8dfdec1 Author: Patrick Schleizer Date: Sat Sep 19 10:54:21 2020 +0000 @@ -13209,14 +1277,14 @@ Date: Sat Mar 21 14:12:42 2020 -0400 remove trailing space commit 7c25fc517e6f42d4364a55407f6bf0c84d130c8e -Merge: 20f0c574 1cbc7f6b +Merge: 20f0c57 1cbc7f6 Author: Patrick Schleizer Date: Sat Mar 21 14:12:25 2020 -0400 Merge remote-tracking branch 'origin/master' commit 1cbc7f6bed8acc112b610e05f527cffc6e9e1e87 -Merge: 20f0c574 89ada11c +Merge: 20f0c57 89ada11 Author: Patrick Schleizer Date: Sat Mar 21 18:11:57 2020 +0000 
@@ -13231,14 +1299,14 @@ Date: Sat Mar 21 17:49:07 2020 +0000 Only remount if already mounted read-only commit 20f0c574d5424c78ab6b4d3829a6662615967ba5 -Merge: e4118cb2 2938182c +Merge: e4118cb 2938182 Author: Patrick Schleizer Date: Sat Mar 21 13:28:43 2020 -0400 Merge remote-tracking branch 'origin/master' commit 2938182ce6303e6e55086e2e9e82f8263a3c8e76 -Merge: e4118cb2 c8826d67 +Merge: e4118cb c8826d6 Author: Patrick Schleizer Date: Sat Mar 21 17:26:37 2020 +0000 @@ -13267,14 +1335,14 @@ Date: Thu Mar 12 04:43:08 2020 -0400 bumped changelog version commit e6e7886a6e3dca1a75943c5a04c4d29ab8682cec -Merge: 04a87f70 711e786b +Merge: 04a87f7 711e786 Author: Patrick Schleizer Date: Wed Mar 11 09:08:41 2020 -0400 Merge remote-tracking branch 'origin/master' commit 711e786be504179c832172acb39d567b323520e6 -Merge: 04a87f70 4d0de87f +Merge: 04a87f7 4d0de87 Author: Patrick Schleizer Date: Wed Mar 11 13:06:23 2020 +0000 @@ -13369,14 +1437,14 @@ Date: Tue Mar 3 09:07:42 2020 -0500 readme commit 63c6405ab74f0dd5f3ec3838135b29304a3d1fc8 -Merge: e3e39f22 453aa8a4 +Merge: e3e39f2 453aa8a Author: Patrick Schleizer Date: Sat Feb 29 07:34:46 2020 -0500 Merge remote-tracking branch 'origin/master' commit 453aa8a4eb76fe56ad67f1aea8abfeb122e68a9c -Merge: e3e39f22 60fbf8b0 +Merge: e3e39f2 60fbf8b Author: Patrick Schleizer Date: Sat Feb 29 12:28:32 2020 +0000 @@ -13385,7 +1453,7 @@ Date: Sat Feb 29 12:28:32 2020 +0000 Restrict the userfaultfd() syscall to root commit e3e39f22354595c9f21c243d7bdadc1487374db8 -Merge: 649ec5df bd7678c5 +Merge: 649ec5d bd7678c Author: Patrick Schleizer Date: Sat Feb 29 05:01:41 2020 -0500 @@ -13415,7 +1483,7 @@ Date: Sat Feb 29 04:59:02 2020 -0500 description commit bd7678c574819298b364185fe7e3362c7e8d4930 -Merge: d04d4bf0 42d3b986 +Merge: d04d4bf 42d3b98 Author: Patrick Schleizer Date: Fri Feb 28 12:04:05 2020 +0000 
@@ -13460,14 +1528,14 @@ Date: Mon Feb 24 18:23:15 2020 +0000 Restrict the userfaultfd() syscall to root commit 221000db5b184664c09dfe9cb7055de45331a7e1 -Merge: 01eaee99 c7f25379 +Merge: 01eaee9 c7f2537 Author: Patrick Schleizer Date: Mon Feb 17 03:17:11 2020 -0500 Merge remote-tracking branch 'origin/master' commit c7f2537930925e3ec250db81791a107af003079b -Merge: 01eaee99 8ea4e50c +Merge: 01eaee9 8ea4e50 Author: Patrick Schleizer Date: Mon Feb 17 08:16:34 2020 +0000 @@ -13494,7 +1562,7 @@ Date: Sat Feb 15 15:35:44 2020 -0500 bumped changelog version commit 412a83923dd09f36a25ebf9ce1991369d09c5e34 -Merge: dce54d5d 4399a512 +Merge: dce54d5 4399a51 Author: Patrick Schleizer Date: Sat Feb 15 15:30:32 2020 -0500 @@ -13513,7 +1581,7 @@ Date: Sat Feb 15 15:28:30 2020 -0500 readme commit 4399a512bef77ddec428bd4150cacebb77fc22da -Merge: 757df8fc a79ce7fa +Merge: 757df8f a79ce7f Author: Patrick Schleizer Date: Sat Feb 15 19:43:05 2020 +0000 @@ -13528,14 +1596,14 @@ Date: Sat Feb 15 17:30:21 2020 +0000 Document ldisc_autoload better commit 757df8fceb29d9b6143cf26e73cb31dde69d0a71 -Merge: 9bbae903 a9a15817 +Merge: 9bbae90 a9a1581 Author: Patrick Schleizer Date: Sat Feb 15 05:43:43 2020 -0500 Merge remote-tracking branch 'origin/master' commit a9a1581720739966e94f18be556552e9d75d63b1 -Merge: 9bbae903 1e5946c7 +Merge: 9bbae90 1e5946c Author: Patrick Schleizer Date: Sat Feb 15 10:42:20 2020 +0000 @@ -13544,7 +1612,7 @@ Date: Sat Feb 15 10:42:20 2020 +0000 Restrict the SysRq key commit 1e5946c795e3962fdc2229146b9331d36a1d6c41 -Merge: 0f497369 9bbae903 +Merge: 0f49736 9bbae90 Author: Patrick Schleizer Date: Sat Feb 15 10:41:52 2020 +0000 
@@ -13557,14 +1625,14 @@ Date: Sat Feb 15 05:29:48 2020 -0500 remove-system.map: lower verbosity output commit cce35e5109489df44916a08722d9016bb1e578ec -Merge: 14140ad4 e4035179 +Merge: 14140ad e403517 Author: Patrick Schleizer Date: Sat Feb 15 05:27:52 2020 -0500 Merge remote-tracking branch 'origin/master' commit e40351796e297673e1ec45dee7483079e96d9639 -Merge: 5124f8ce 31009f0b +Merge: 5124f8c 31009f0 Author: Patrick Schleizer Date: Sat Feb 15 10:25:15 2020 +0000 @@ -13573,7 +1641,7 @@ Date: Sat Feb 15 10:25:15 2020 +0000 Shred System.map files commit 5124f8cebcf6113547d11fc5193f83af1a2b6f84 -Merge: ac8757a0 9b767139 +Merge: ac8757a 9b76713 Author: Patrick Schleizer Date: Sat Feb 15 10:18:56 2020 +0000 @@ -13582,7 +1650,7 @@ Date: Sat Feb 15 10:18:56 2020 +0000 Avoid holes in IOMMU commit ac8757a031a02c6cbad564e6a857954c0cf01a54 -Merge: ad6b7668 ace62111 +Merge: ad6b766 ace6211 Author: Patrick Schleizer Date: Sat Feb 15 10:09:46 2020 +0000 @@ -13627,7 +1695,7 @@ Date: Fri Feb 14 17:50:19 2020 +0000 Restrict loading line disciplines to CAP_SYS_MODULE commit ad6b76688677cd4f9f0b2f2524c0f6b0a381bf29 -Merge: 14140ad4 14f84583 +Merge: 14140ad 14f8458 Author: Patrick Schleizer Date: Thu Feb 13 18:40:58 2020 +0000 @@ -13648,14 +1716,14 @@ Date: Thu Feb 13 13:38:21 2020 -0500 readme commit 76a51a3b45113b4f771397bf32daae3fb38af6a6 -Merge: 163e20b8 5ebab397 +Merge: 163e20b 5ebab39 Author: Patrick Schleizer Date: Thu Feb 13 13:37:34 2020 -0500 Merge remote-tracking branch 'origin/master' commit 5ebab397b201f431e3d0ca3bebfb71fa61a7ed2b -Merge: 163e20b8 2796c2dd +Merge: 163e20b 2796c2d Author: Patrick Schleizer Date: Thu Feb 13 18:36:41 2020 +0000 
@@ -13700,14 +1768,14 @@ Date: Wed Feb 5 06:31:48 2020 -0500 bumped changelog version commit 3024006f63be34f0c9d2968b1839a855419792dd -Merge: 8c5cd865 024576e3 +Merge: 8c5cd86 024576e Author: Patrick Schleizer Date: Tue Feb 4 00:24:50 2020 -0500 Merge remote-tracking branch 'origin/master' commit 024576e3307e45c90b97ed8658ee82ceb1ed00aa -Merge: 8c5cd865 e4c6e897 +Merge: 8c5cd86 e4c6e89 Author: Patrick Schleizer Date: Tue Feb 4 05:24:05 2020 +0000 @@ -13972,14 +2040,14 @@ Date: Wed Jan 15 15:54:06 2020 -0500 error handling commit 7211f6e0199d2ccb50437c7a5b0842050590b5dc -Merge: e110ea0b f6cc76ac +Merge: e110ea0 f6cc76a Author: Patrick Schleizer Date: Wed Jan 15 15:53:36 2020 -0500 Merge remote-tracking branch 'origin/master' commit f6cc76acd729428f83d3497a2e83bfc4b14f1ff8 -Merge: e110ea0b 1df48a22 +Merge: e110ea0 1df48a2 Author: Patrick Schleizer Date: Wed Jan 15 20:52:33 2020 +0000 @@ -14030,14 +2098,14 @@ Date: Wed Jan 15 10:08:57 2020 -0500 readme commit 8ab4623f8e81ad1b67858b458f2ae4085e7c8e65 -Merge: 80159545 087465a0 +Merge: 8015954 087465a Author: Patrick Schleizer Date: Wed Jan 15 06:06:39 2020 -0500 Merge remote-tracking branch 'origin/master' commit 087465a0cdecc4765f7b659256cdd5e8cdef73ab -Merge: 80159545 528c5fc4 +Merge: 8015954 528c5fc Author: Patrick Schleizer Date: Wed Jan 15 11:02:30 2020 +0000 @@ -14046,7 +2114,7 @@ Date: Wed Jan 15 11:02:30 2020 +0000 Set sysctl values in initramfs commit 528c5fc4c41026396a63ac91af7c156dd0d4f191 -Merge: 9dc43eae 80159545 +Merge: 9dc43ea 8015954 Author: Patrick Schleizer Date: Wed Jan 15 11:02:03 2020 +0000 
@@ -14113,14 +2181,14 @@ Date: Tue Jan 14 09:18:30 2020 -0500 readme commit c377c5ff83437a5447ecc9c873150421f4f1e691 -Merge: 8341242a 539f24b6 +Merge: 8341242 539f24b Author: Patrick Schleizer Date: Tue Jan 14 09:01:38 2020 -0500 Merge remote-tracking branch 'origin/master' commit 539f24b65ee7739487d8038fcb1fdfb1ed62ab22 -Merge: 8341242a 0953bbe1 +Merge: 8341242 0953bbe Author: Patrick Schleizer Date: Tue Jan 14 14:01:17 2020 +0000 @@ -14165,14 +2233,14 @@ Date: Sat Jan 11 15:15:12 2020 -0500 lintian commit 3fae8e771ffbdd3023921b296e46cf982034d2ac -Merge: 13a1e132 e9f4dbdd +Merge: 13a1e13 e9f4dbd Author: Patrick Schleizer Date: Sat Jan 11 15:14:43 2020 -0500 Merge remote-tracking branch 'origin/master' commit e9f4dbdda579db83f330054253100bc7c5d1e2be -Merge: 13a1e132 6088444c +Merge: 13a1e13 6088444 Author: Patrick Schleizer Date: Sat Jan 11 20:14:10 2020 +0000 @@ -14411,14 +2479,14 @@ Date: Tue Dec 24 06:00:41 2019 -0500 no longer hardcode amd64 commit d03a3d9ac03bc29ba349107855936dd194e12271 -Merge: 9d77d88a 27a42a9d +Merge: 9d77d88 27a42a9 Author: Patrick Schleizer Date: Tue Dec 24 05:57:24 2019 -0500 Merge remote-tracking branch 'origin/master' commit 27a42a9da82bc1f22135ffa509925f63177f25d9 -Merge: ac49c55d 79241c5d +Merge: ac49c55 79241c5 Author: Patrick Schleizer Date: Tue Dec 24 10:55:11 2019 +0000 @@ -14427,7 +2495,7 @@ Date: Tue Dec 24 10:55:11 2019 +0000 Make /lib/modules unreadable commit ac49c55d1fafff5f36bd7c595f50db295ff616a2 -Merge: 0c3d4ad2 98e88d14 +Merge: 0c3d4ad 98e88d1 Author: Patrick Schleizer Date: Tue Dec 24 10:55:03 2019 +0000 @@ -14436,7 +2504,7 @@ Date: Tue Dec 24 10:55:03 2019 +0000 Detect kernel upgrades commit 0c3d4ad255de75b57a2e316bf8a7fd77a2fc0d4d -Merge: 9d77d88a d1a0650f +Merge: 9d77d88 d1a0650 Author: Patrick Schleizer Date: Tue Dec 24 10:54:23 2019 +0000 
@@ -14517,7 +2585,7 @@ Date: Mon Dec 23 03:38:49 2019 -0500 description: lockdown not enabled yet commit b05669accfe6fac8070003bbd57939ca2c621445 -Merge: 11b4192f 1ff51ee0 +Merge: 11b4192 1ff51ee Author: Patrick Schleizer Date: Mon Dec 23 03:38:04 2019 -0500 @@ -14730,14 +2798,14 @@ Date: Sun Dec 22 18:56:36 2019 -0500 /lib/x86_64-linux-gnu/utempter/utempter commit 9409209b48fb8f803b88d72c0e7febaa74f5bd2c -Merge: 008ce481 bce02ffd +Merge: 008ce48 bce02ff Author: Patrick Schleizer Date: Sun Dec 22 10:29:08 2019 -0500 Merge remote-tracking branch 'origin/master' commit bce02ffdc01c22c8d5528eb5eaa7729a6b3137dd -Merge: 008ce481 8f11a520 +Merge: 008ce48 8f11a52 Author: Patrick Schleizer Date: Sun Dec 22 15:26:07 2019 +0000 @@ -14796,14 +2864,14 @@ Date: Sat Dec 21 14:06:10 2019 -0500 https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/25 commit 10c19d6a8fc6b6bc03067dc3be88f486aa78d438 -Merge: b2260f48 fffdf509 +Merge: b2260f4 fffdf50 Author: Patrick Schleizer Date: Sat Dec 21 13:00:41 2019 -0500 Merge remote-tracking branch 'origin/master' commit fffdf5090c707c698de4adacfd5837809b33aa99 -Merge: 1c99b56c f5a52aed +Merge: 1c99b56 f5a52ae Author: Patrick Schleizer Date: Sat Dec 21 17:59:56 2019 +0000 @@ -14895,14 +2963,14 @@ Date: Sat Dec 21 06:58:01 2019 -0500 https://github.com/Whonix/security-misc/pull/45 commit 2350e0f5d06d9625835ba1547aab0054b795c0c5 -Merge: 3ea58718 efd65a3f +Merge: 3ea5871 efd65a3 Author: Patrick Schleizer Date: Sat Dec 21 06:57:10 2019 -0500 Merge remote-tracking branch 'origin/master' commit efd65a3f15fc9380e2019c9d7ad0bf82adcc230d -Merge: c336bc4f c28ddf5c +Merge: c336bc4 c28ddf5 Author: Patrick Schleizer Date: Sat Dec 21 11:56:31 2019 +0000 
@@ -15885,14 +3953,14 @@ Date: Fri Dec 20 01:31:37 2019 -0500 refactoring commit c5d1e9dda7059d18fad303128f6f09c98fe955b7 -Merge: 62eb4629 a20b3001 +Merge: 62eb462 a20b300 Author: Patrick Schleizer Date: Fri Dec 20 01:30:31 2019 -0500 Merge remote-tracking branch 'origin/master' commit a20b30013f9ae229d1fe86cc5992aac474a9d8e6 -Merge: 62eb4629 9df74072 +Merge: 62eb462 9df7407 Author: Patrick Schleizer Date: Fri Dec 20 06:29:58 2019 +0000 @@ -16047,14 +4115,14 @@ Date: Mon Dec 9 02:22:16 2019 -0500 quotes commit 9bea9960173cf06dcbc0aefa2fb3b10df1f84c69 -Merge: 6f944234 af62da34 +Merge: 6f94423 af62da3 Author: Patrick Schleizer Date: Mon Dec 9 02:21:47 2019 -0500 Merge remote-tracking branch 'origin/master' commit af62da34457a56fee43a6003036a3bb387b23b32 -Merge: 6f944234 d7e2deae +Merge: 6f94423 d7e2dea Author: Patrick Schleizer Date: Sun Dec 8 20:45:16 2019 +0000 @@ -16297,14 +4365,14 @@ Date: Sun Dec 8 01:30:42 2019 -0500 description commit 491dd4d93d133ca23eaf5c501b7ab3d3bbf52a27 -Merge: 9432d163 a78a7e55 +Merge: 9432d16 a78a7e5 Author: Patrick Schleizer Date: Sun Dec 8 01:22:16 2019 -0500 Merge remote-tracking branch 'origin/master' commit a78a7e5571b178cbf4cddd065306d130431bc185 -Merge: 373e8733 6846a943 +Merge: 373e873 6846a94 Author: Patrick Schleizer Date: Sun Dec 8 06:21:44 2019 +0000 @@ -16325,14 +4393,14 @@ Date: Sat Dec 7 12:13:42 2019 -0500 /usr/bin/cat mrix, commit 373e8733d37cb795c7c48642346b0b6dc6dce30c -Merge: c1800b13 447eb144 +Merge: c1800b1 447eb14 Author: Patrick Schleizer Date: Sat Dec 7 11:34:42 2019 -0500 Merge remote-tracking branch 'origin/master' commit 447eb144325a532b0aaf7ce772d5a04005b2af1f -Merge: c1800b13 668b6420 +Merge: c1800b1 668b642 Author: Patrick Schleizer Date: Sat Dec 7 16:34:21 2019 +0000 
@@ -16562,14 +4630,14 @@ Date: Thu Dec 5 15:52:24 2019 -0500 comment commit 19add3299c9215d05208e3c2e748527bf87e66b5 -Merge: 0c25a96b 96792928 +Merge: 0c25a96 9679292 Author: Patrick Schleizer Date: Thu Dec 5 15:46:19 2019 -0500 Merge remote-tracking branch 'origin/master' commit 96792928787c1c129a964bd81e97450d2edb29a6 -Merge: 0c25a96b af9e19c5 +Merge: 0c25a96 af9e19c Author: Patrick Schleizer Date: Thu Dec 5 20:33:47 2019 +0000 @@ -16596,14 +4664,14 @@ Date: Tue Dec 3 02:18:32 2019 -0500 description / comments commit d26ba05c4776cdff0750b872f3da70fd25fca1f4 -Merge: 6ca48fff 73c6410a +Merge: 6ca48ff 73c6410 Author: Patrick Schleizer Date: Tue Dec 3 01:52:04 2019 -0500 Merge remote-tracking branch 'origin/master' commit 73c6410a0e1e6e56529ba8ea98681867bd8acb37 -Merge: 6ca48fff 8d63da3c +Merge: 6ca48ff 8d63da3 Author: Patrick Schleizer Date: Tue Dec 3 06:51:31 2019 +0000 @@ -16664,14 +4732,14 @@ Date: Wed Nov 27 10:22:31 2019 -0500 https://forums.whonix.org/t/is-security-misc-suitable-for-hardening-bridges-and-relays/8299/11 commit 62b924eea7d50f58649e089ff9cf8d73075cac63 -Merge: 9091f69e ba02dcb2 +Merge: 9091f69 ba02dcb Author: Patrick Schleizer Date: Tue Nov 26 13:00:36 2019 -0500 Merge remote-tracking branch 'origin/master' commit ba02dcb267a95d332bd01bb3fc725e051ccb3246 -Merge: 9091f69e d9d6d077 +Merge: 9091f69 d9d6d07 Author: Patrick Schleizer Date: Tue Nov 26 18:00:11 2019 +0000 @@ -16768,14 +4836,14 @@ Date: Mon Nov 18 19:16:16 2019 +0000 bumped changelog version commit 9a20b85fe16584dda909fd5f1aa6bbb62d06bcf0 -Merge: 477d476b 2b17c0f3 +Merge: 477d476 2b17c0f Author: Patrick Schleizer Date: Sun Nov 17 11:20:17 2019 -0500 Merge remote-tracking branch 'origin/master' commit 2b17c0f3e4dcd7cb9f2239da649b4a885c27e7cf -Merge: 477d476b e92022a2 +Merge: 477d476 e92022a Author: Patrick Schleizer Date: Sun Nov 17 16:19:55 2019 +0000 
@@ -16922,14 +4990,14 @@ Date: Thu Oct 31 11:19:44 2019 -0400 copyright commit f001250ae61789bef7b2b19d5c40831273b0acca -Merge: d832ab91 5a3cbe81 +Merge: d832ab9 5a3cbe8 Author: Patrick Schleizer Date: Mon Oct 28 10:31:30 2019 -0400 Merge remote-tracking branch 'origin/master' commit 5a3cbe81000c3a9bbc69ba03c944c6c5ae9115bf -Merge: d832ab91 0e49bdc4 +Merge: d832ab9 0e49bdc Author: Patrick Schleizer Date: Mon Oct 28 14:30:45 2019 +0000 @@ -17157,14 +5225,14 @@ Date: Thu Oct 17 06:05:23 2019 -0400 remove trailing spaces commit c8e0303d6d59e3303c0582ff8ab2664762199c81 -Merge: 4b1b3b7d 8a42c5b0 +Merge: 4b1b3b7 8a42c5b Author: Patrick Schleizer Date: Thu Oct 17 06:04:34 2019 -0400 Merge remote-tracking branch 'origin/master' commit 8a42c5b02387da454ff5661057be88a7c6fe9d9c -Merge: 994ca024 61f74230 +Merge: 994ca02 61f7423 Author: Patrick Schleizer Date: Thu Oct 17 09:59:12 2019 +0000 @@ -17173,7 +5241,7 @@ Date: Thu Oct 17 09:59:12 2019 +0000 Add a whitelist for /sys and /proc/cpuinfo commit 994ca024c24cf80075b2f03bc65475a5d9980d94 -Merge: 4b1b3b7d 259b1f2c +Merge: 4b1b3b7 259b1f2 Author: Patrick Schleizer Date: Thu Oct 17 06:19:46 2019 +0000 @@ -17326,14 +5394,14 @@ Date: Sat Oct 5 07:00:47 2019 -0400 https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109/5 commit c19942f72b8d74056dd8da8c3cd9ac7e0fbe8991 -Merge: 213aef6e a33851a3 +Merge: 213aef6 a33851a Author: Patrick Schleizer Date: Sat Oct 5 06:58:27 2019 -0400 Merge remote-tracking branch 'origin/master' commit a33851a3c99a5eb9021d2d28b3164ed10025fbd9 -Merge: 213aef6e d0c6bb1e +Merge: 213aef6 d0c6bb1 Author: Patrick Schleizer Date: Sat Oct 5 10:58:08 2019 +0000 
@@ -17372,14 +5440,14 @@ Date: Sat Oct 5 09:14:41 2019 +0000 chmod +x usr/lib/security-misc/hide-hardware-info commit ffe0d62c8148ec60f7528002e988b969ebb868ca -Merge: ddc778b4 7bcf73de +Merge: ddc778b 7bcf73d Author: Patrick Schleizer Date: Sat Oct 5 04:49:05 2019 -0400 Merge remote-tracking branch 'origin/master' commit 7bcf73deaa1c77f9c650d8844ad94d24e38746fd -Merge: ddc778b4 73452875 +Merge: ddc778b 7345287 Author: Patrick Schleizer Date: Sat Oct 5 08:46:21 2019 +0000 @@ -17534,14 +5602,14 @@ Date: Mon Sep 9 12:10:24 2019 +0000 bumped changelog version commit 1b4391417619a51cfe22d9eee21d9fa644d145b6 -Merge: 9d875d7c d0b3bc7d +Merge: 9d875d7 d0b3bc7 Author: Patrick Schleizer Date: Mon Sep 9 11:45:36 2019 +0000 Merge remote-tracking branch 'origin/master' commit d0b3bc7d3da6a4e3a04adb85cc5c7aa6c22bb466 -Merge: 9d875d7c 60db7e62 +Merge: 9d875d7 60db7e6 Author: Patrick Schleizer Date: Mon Sep 9 11:45:19 2019 +0000 @@ -17726,7 +5794,7 @@ Date: Fri Aug 23 16:53:55 2019 +0000 readme commit 793c9b6801ffda5d75d389b8e7a2a6d140d8d382 -Merge: a74b9832 44d62e05 +Merge: a74b983 44d62e0 Author: Patrick Schleizer Date: Mon Aug 19 12:48:23 2019 +0000 @@ -17747,7 +5815,7 @@ Date: Mon Aug 19 12:46:59 2019 +0000 https://github.com/Whonix/security-misc/pull/29 commit 44d62e05b5a60a3d45afd829fb67970afa7678b7 -Merge: 0140df86 a8b62811 +Merge: 0140df8 a8b6281 Author: Patrick Schleizer Date: Mon Aug 19 12:45:52 2019 +0000 @@ -17927,14 +5995,14 @@ Date: Fri Aug 16 10:50:56 2019 -0400 code simplification; report locked account earlier commit 5754671c460c67bd7d8e064841383ea7b7f90824 -Merge: 34672b88 97815986 +Merge: 34672b8 9781598 Author: Patrick Schleizer Date: Fri Aug 16 10:36:43 2019 -0400 Merge remote-tracking branch 'origin/master' commit 97815986321b6daf9c1f0c6f33a4b282ca05438c -Merge: 34672b88 85502ad4 +Merge: 34672b8 85502ad Author: Patrick Schleizer Date: Fri Aug 16 14:36:00 2019 +0000 
@@ -17943,7 +6011,7 @@ Date: Fri Aug 16 14:36:00 2019 +0000 Blacklist bluetooth commit 85502ad430f560070806c8b95b7fed3fe7028587 -Merge: 4a6f87f3 34672b88 +Merge: 4a6f87f 34672b8 Author: Patrick Schleizer Date: Fri Aug 16 14:35:51 2019 +0000 @@ -18166,14 +6234,14 @@ Date: Wed Aug 14 07:01:25 2019 +0000 description commit ff8c0979435b491cf462c5ef6e8e02f6d85f1d81 -Merge: 6f8acf06 a8ea3795 +Merge: 6f8acf0 a8ea379 Author: Patrick Schleizer Date: Wed Aug 14 06:59:50 2019 +0000 Merge remote-tracking branch 'origin/master' commit a8ea37952669b3f40a452cb580442126ec44233a -Merge: 6f8acf06 9a49b8ec +Merge: 6f8acf0 9a49b8e Author: Patrick Schleizer Date: Wed Aug 14 06:59:34 2019 +0000 @@ -18405,14 +6473,14 @@ Date: Mon Jul 22 01:16:18 2019 +0000 bumped changelog version commit f38f307b37d2efb036c5b4e85f48921b0acfadeb -Merge: 8c538ba3 b2582fbd +Merge: 8c538ba b2582fb Author: Patrick Schleizer Date: Sun Jul 21 09:12:33 2019 -0400 Merge remote-tracking branch 'origin/master' commit b2582fbd4c2364c7bca95b4038eec2ef2a2fae41 -Merge: 8c538ba3 077899c2 +Merge: 8c538ba 077899c Author: Patrick Schleizer Date: Sun Jul 21 12:40:37 2019 +0000 @@ -18773,14 +6841,14 @@ Date: Thu Jul 11 18:26:17 2019 +0000 fix lintian warning commit a40a04aaec0c30ceb47266a3f9b2b714e9b89888 -Merge: f5356cee 93190ebf +Merge: f5356ce 93190eb Author: Patrick Schleizer Date: Thu Jul 11 14:08:30 2019 -0400 Merge remote-tracking branch 'origin/master' commit 93190ebf1019f76b73cf0f1e4491f15fd36bcae1 -Merge: f5356cee 1aee08fa +Merge: f5356ce 1aee08f Author: Patrick Schleizer Date: Thu Jul 11 18:08:01 2019 +0000 
@@ -18825,14 +6893,14 @@ Date: Thu Jul 11 07:07:01 2019 +0000 fix lintian warning commit 2a893c0562438aaf0c34a25538a8e21bb11ba197 -Merge: 3df6a44e a54500c6 +Merge: 3df6a44 a54500c Author: Patrick Schleizer Date: Thu Jul 11 06:50:35 2019 +0000 Merge remote-tracking branch 'origin/master' commit a54500c6f18719520ae66c335870d3e8f03e9e14 -Merge: 7d3a6156 1e4d3495 +Merge: 7d3a615 1e4d349 Author: Patrick Schleizer Date: Thu Jul 11 06:41:37 2019 +0000 @@ -18841,7 +6909,7 @@ Date: Thu Jul 11 06:41:37 2019 +0000 Blacklist more uncommon network protocols commit 7d3a61564dc01b899466defe957a7bc65d38dc89 -Merge: 3df6a44e 932524cb +Merge: 3df6a44 932524c Author: Patrick Schleizer Date: Thu Jul 11 06:41:08 2019 +0000 @@ -18892,14 +6960,14 @@ Date: Tue Jul 9 06:56:23 2019 -0400 also allow members of group sudo to run /usr/lib/security-misc/panic-on-oops commit 5fb500ac32a8935ef989770b2b9d17df4fa1698c -Merge: 87937089 e4bb7703 +Merge: 8793708 e4bb770 Author: Patrick Schleizer Date: Tue Jul 9 06:55:27 2019 -0400 Merge remote-tracking branch 'origin/master' commit e4bb77037e9327eea7b8fd92961192613d6e0763 -Merge: a9441e7b 0f15303e +Merge: a9441e7 0f15303 Author: Patrick Schleizer Date: Tue Jul 9 10:54:48 2019 +0000 @@ -18908,21 +6976,21 @@ Date: Tue Jul 9 10:54:48 2019 +0000 Make the kernel panic on oopses commit 0f15303eb4dd5701cae5b3985be47918e2e4700a -Merge: 45f8102d a9441e7b +Merge: 45f8102 a9441e7 Author: Patrick Schleizer Date: Tue Jul 9 10:54:24 2019 +0000 Merge branch 'master' into patch-16 commit 8793708906d037746a2e946177d8a4d1884b391a -Merge: 50c00fcf a9441e7b +Merge: 50c00fc a9441e7 Author: Patrick Schleizer Date: Tue Jul 9 03:23:26 2019 -0400 Merge remote-tracking branch 'origin/master' commit a9441e7be4794e88f782f1ff5dd95f00e3928279 -Merge: 50c00fcf 24b326d9 +Merge: 50c00fc 24b326d Author: Patrick Schleizer Date: Tue Jul 9 07:21:47 2019 +0000 
@@ -19097,14 +7165,14 @@ Date: Sat Jul 6 13:53:10 2019 +0000 bumped changelog version commit 7b0b9da32c660e527741a56543c78ee3ac93d541 -Merge: 6df7b3c2 649878fd +Merge: 6df7b3c 649878f Author: Patrick Schleizer Date: Sat Jul 6 07:06:54 2019 -0400 Merge remote-tracking branch 'origin/master' commit 649878fdcb81ac621af9bc1481a3b6b41d3e22a0 -Merge: 6df7b3c2 8888147e +Merge: 6df7b3c 8888147 Author: Patrick Schleizer Date: Sat Jul 6 11:06:25 2019 +0000 @@ -19191,14 +7259,14 @@ Date: Mon Jul 1 13:24:29 2019 +0000 revert to Debian buster original commit 88a78b1c87e8419bbb70daa77f7ddfb2332668ae -Merge: 24cc8e38 8c60e7c6 +Merge: 24cc8e3 8c60e7c Author: Patrick Schleizer Date: Mon Jul 1 09:21:05 2019 -0400 Merge remote-tracking branch 'origin/master' commit 8c60e7c67f692aa9e70316bdde29cdc41eff2a75 -Merge: 24cc8e38 cfaafe40 +Merge: 24cc8e3 cfaafe4 Author: Patrick Schleizer Date: Mon Jul 1 13:20:21 2019 +0000 @@ -19217,7 +7285,7 @@ Date: Mon Jul 1 03:43:02 2019 -0400 https://forums.whonix.org/t/kernel-hardening/7296/104 commit 0bffc7a9303d0b32427da04694bbefcf6a3104c8 -Merge: 3c176ce1 344d0090 +Merge: 3c176ce 344d009 Author: Patrick Schleizer Date: Mon Jul 1 03:08:26 2019 -0400 @@ -19232,7 +7300,7 @@ Date: Mon Jul 1 03:07:14 2019 -0400 since required in Qubes Debian templates commit 344d00903250d699fc64d7fa9fad80475ade92e5 -Merge: f26ad14d b8f2aee9 +Merge: f26ad14 b8f2aee Author: Patrick Schleizer Date: Mon Jul 1 06:39:28 2019 +0000 @@ -19313,14 +7381,14 @@ Date: Sun Jun 30 04:11:38 2019 -0400 fix package description commit e47339706170c92b8db44f014942ea7d94d1ff9e -Merge: 24b19c59 ec78a3e4 +Merge: 24b19c5 ec78a3e Author: Patrick Schleizer Date: Sun Jun 30 04:11:12 2019 -0400 Merge remote-tracking branch 'origin/master' commit ec78a3e42e23a270a245dc254046ac1d7fc6ceec -Merge: 9525ff87 67de5247 +Merge: 9525ff8 67de524 Author: Patrick Schleizer Date: Sun Jun 30 08:10:28 2019 +0000 
@@ -19329,14 +7397,14 @@ Date: Sun Jun 30 08:10:28 2019 +0000 Disable coredumps commit 67de5247c8e7cd68c851a3d62168e9de69000afe -Merge: dbfb9e1c 9525ff87 +Merge: dbfb9e1 9525ff8 Author: Patrick Schleizer Date: Sun Jun 30 08:10:04 2019 +0000 Merge branch 'master' into patch-13 commit 9525ff87c6ae3cd6538a0a8f294e6b8610e79a32 -Merge: 24b19c59 22267c89 +Merge: 24b19c5 22267c8 Author: Patrick Schleizer Date: Sun Jun 30 08:09:23 2019 +0000 @@ -19411,14 +7479,14 @@ Date: Sat Jun 29 10:34:48 2019 +0000 fix lintian warning commit 250919b821a00c93ee4fe7d92f6f3ed812110aac -Merge: ecf5d80f 60e6dfcb +Merge: ecf5d80 60e6dfc Author: Patrick Schleizer Date: Sat Jun 29 06:06:02 2019 -0400 Merge remote-tracking branch 'origin/master' commit 60e6dfcbff08dd4526e60c3302741e40d98c8b3e -Merge: ecf5d80f 9e9c854d +Merge: ecf5d80 9e9c854 Author: Patrick Schleizer Date: Sat Jun 29 10:05:34 2019 +0000 @@ -19469,14 +7537,14 @@ Date: Fri Jun 28 03:02:49 2019 -0400 update files list commit ccb89cfd5574ed5a7b3802edc3bf188250edfddd -Merge: 0a0be1ad ab312235 +Merge: 0a0be1a ab31223 Author: Patrick Schleizer Date: Fri Jun 28 03:00:21 2019 -0400 Merge remote-tracking branch 'origin/master' commit ab312235ba89d62b7b83c26f8e9b8a8ff0ec985b -Merge: 5e02100e 3801a53a +Merge: 5e02100 3801a53 Author: Patrick Schleizer Date: Fri Jun 28 06:59:16 2019 +0000 @@ -19485,7 +7553,7 @@ Date: Fri Jun 28 06:59:16 2019 +0000 Add some hardening for other distributions commit 5e02100e34776bf410ba05d7a3f7ee7f696ca0fc -Merge: 7e12e16d b8091850 +Merge: 7e12e16 b809185 Author: Patrick Schleizer Date: Fri Jun 28 06:58:32 2019 +0000 @@ -19494,7 +7562,7 @@ Date: Fri Jun 28 06:58:32 2019 +0000 Remove System.map and restrict the SysRq key. commit 7e12e16dc0513f0a6936e576e3c8fa8ee44509d2 -Merge: 0a0be1ad 641407c8 +Merge: 0a0be1a 641407c Author: Patrick Schleizer Date: Fri Jun 28 06:57:42 2019 +0000 
@@ -19569,14 +7637,14 @@ Date: Sun Jun 23 19:47:05 2019 +0000 debian/control syntax fix commit a098b18560e30ef238f693bf8f05933489027dd4 -Merge: 2a628998 90d676ec +Merge: 2a62899 90d676e Author: Patrick Schleizer Date: Sun Jun 23 19:46:30 2019 +0000 Merge remote-tracking branch 'origin/master' commit 90d676ec1864bd915310673d134d62d10a17a42f -Merge: 2a628998 1a07d90e +Merge: 2a62899 1a07d90 Author: Patrick Schleizer Date: Sun Jun 23 19:45:31 2019 +0000 @@ -19601,14 +7669,14 @@ Date: Sun Jun 23 18:46:52 2019 +0000 https://forums.whonix.org/t/kernel-hardening/7296/70 commit f1147318c04642f355eae96786c26ec1cb53977c -Merge: cd734669 aec6da28 +Merge: cd73466 aec6da2 Author: Patrick Schleizer Date: Sun Jun 23 18:45:41 2019 +0000 Merge remote-tracking branch 'origin/master' commit aec6da28e9ac4f8289d7b7aaa77bcef2562cda74 -Merge: cd734669 2178fb37 +Merge: cd73466 2178fb3 Author: Patrick Schleizer Date: Sun Jun 23 18:45:24 2019 +0000 @@ -19653,14 +7721,14 @@ Date: Sun Jun 23 08:38:01 2019 +0000 bumped changelog version commit ae50d8134294d3746235d383c18fc187c18717d7 -Merge: 5269cfee cd7172c0 +Merge: 5269cfe cd7172c Author: Patrick Schleizer Date: Sun Jun 23 03:59:58 2019 -0400 Merge remote-tracking branch 'origin/master' commit cd7172c00cbf0cb69e159b6159ef0bfff663a507 -Merge: 5269cfee 807ac7d6 +Merge: 5269cfe 807ac7d Author: Patrick Schleizer Date: Sun Jun 23 07:59:35 2019 +0000 @@ -19681,14 +7749,14 @@ Date: Fri Jun 21 05:40:04 2019 +0000 bumped changelog version commit 0a5b15ff45dc1b30867b0093d238b95dde7c0810 -Merge: ca1aa1e5 f9dc1b63 +Merge: ca1aa1e f9dc1b6 Author: Patrick Schleizer Date: Fri Jun 21 04:05:50 2019 +0000 Merge remote-tracking branch 'origin/master' commit f9dc1b6322961ff0e6c7a5be122f9d1031ba87ea -Merge: ca1aa1e5 2e81885f +Merge: ca1aa1e 2e81885 Author: Patrick Schleizer Date: Thu Jun 20 23:54:58 2019 -0400 
@@ -19769,14 +7837,14 @@ Date: Thu May 23 22:38:13 2019 +0000 bumped changelog version commit 0a200e09ecf745d23e5e880d521f1aec2a7b25a9 -Merge: 65d7eb81 244234c8 +Merge: 65d7eb8 244234c Author: Patrick Schleizer Date: Thu May 23 18:25:47 2019 -0400 Merge remote-tracking branch 'origin/master' commit 244234c8b709a425feed4f3cfb87389f4fb2c6f5 -Merge: 65d7eb81 7177c604 +Merge: 65d7eb8 7177c60 Author: Patrick Schleizer Date: Thu May 23 22:25:13 2019 +0000 @@ -19797,14 +7865,14 @@ Date: Thu May 16 20:25:46 2019 +0000 bumped changelog version commit a2b184e5bb9942aa63a36fb918b203053a53f1e4 -Merge: 71bf6351 7d7b899d +Merge: 71bf635 7d7b899 Author: Patrick Schleizer Date: Thu May 16 19:53:27 2019 +0000 Merge remote-tracking branch 'origin/master' commit 7d7b899dd13f7123822bf269a639c68ff5cb737e -Merge: 71bf6351 b814f338 +Merge: 71bf635 b814f33 Author: Patrick Schleizer Date: Thu May 16 19:52:52 2019 +0000 @@ -19857,7 +7925,7 @@ Date: Wed May 8 21:38:25 2019 -0400 https://forums.whonix.org/t/whonix-xfce-development/6213/84?u=patrick commit 3bd4da6794067708f517b099548c0aa2a2b65146 -Merge: c80b7465 b00a264c +Merge: c80b746 b00a264 Author: Patrick Schleizer Date: Wed May 8 21:32:29 2019 -0400 @@ -19906,14 +7974,14 @@ Date: Mon May 6 05:51:14 2019 -0400 remove trailing spaces commit 83e12f8e89cf0269daeca36946cdef07e23075b3 -Merge: 74cdecfd 5177444d +Merge: 74cdecf 5177444 Author: Patrick Schleizer Date: Mon May 6 05:50:35 2019 -0400 Merge remote-tracking branch 'origin/master' commit 5177444d624a8a935c461ebe1065d451d2f8da0f -Merge: 74cdecfd 02e8888b +Merge: 74cdecf 02e8888 Author: Patrick Schleizer Date: Mon May 6 05:46:03 2019 -0400 
@@ -20058,14 +8126,14 @@ Date: Thu Nov 8 09:55:41 2018 +0000 bumped changelog version commit 0c020af885b3dfb2924102e6cf41a5af114cc140 -Merge: f9e18772 6f240c0c +Merge: f9e1877 6f240c0 Author: Patrick Schleizer Date: Thu Nov 8 09:53:47 2018 +0000 Merge remote-tracking branch 'origin/master' commit 6f240c0c4c88df2946fdd673f833ee05dd8340bb -Merge: f9e18772 f84f9881 +Merge: f9e1877 f84f988 Author: Patrick Schleizer Date: Thu Nov 8 04:53:25 2018 -0500 @@ -20182,14 +8250,14 @@ Date: Wed Jul 26 14:37:34 2017 +0000 bumped changelog version commit dc2c9a9992551f5967e09b31a90721a9aadaf962 -Merge: 61bd4d05 91ff0c25 +Merge: 61bd4d0 91ff0c2 Author: Patrick Schleizer Date: Tue Mar 14 13:43:18 2017 +0000 Merge remote-tracking branch 'origin/master' commit 91ff0c2571b41710440006e770b8295c03b3a295 -Merge: 61bd4d05 6e5e5d6e +Merge: 61bd4d0 6e5e5d6 Author: Patrick Schleizer Date: Tue Mar 14 13:42:37 2017 +0000 @@ -20472,7 +8540,7 @@ Date: Thu Mar 31 15:36:59 2016 +0000 https://phabricator.whonix.org/T486 commit 7b54755841907c2b86b12eed5035860e17445193 -Merge: 10c87b84 be086aea +Merge: 10c87b8 be086ae Author: Patrick Schleizer Date: Thu Mar 31 15:35:07 2016 +0000 @@ -20483,7 +8551,7 @@ Date: Thu Mar 31 15:35:07 2016 +0000 https://phabricator.whonix.org/T486 commit be086aea597ff5e4db29f56fa57399c67568d4b6 -Merge: 10c87b84 d0eceae0 +Merge: 10c87b8 d0eceae Author: Patrick Schleizer Date: Thu Mar 31 15:34:17 2016 +0000 diff --git a/debian/changelog b/debian/changelog index 1b6cb91..f7d2b47 100644 --- a/debian/changelog +++ b/debian/changelog 
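Review bot: Every `Merge:` line changed in these hunks differs only in abbreviation width (for example `-Merge: 3df6a44e a54500c6` becomes `+Merge: 3df6a44 a54500c`), so this commit log depends on the git configuration of whoever regenerated it and carries no content change. Suggest producing the log with a fixed width (`git log --abbrev=<n>`, or a pinned `core.abbrev`) so that regenerating it from another checkout does not rewrite every merge entry again. A fixed width of 8 or more would also keep the parent ids less likely to become ambiguous than the 7-character forms introduced here.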
@@ -1,1737 +1,3 @@ -security-misc (3:51.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 11 Jan 2026 16:40:08 +0000 - -security-misc (3:51.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 05 Jan 2026 10:28:53 +0000 - -security-misc (3:51.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 01 Jan 2026 17:28:24 +0000 - -security-misc (3:51.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 28 Dec 2025 06:36:59 +0000 - -security-misc (3:50.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 19 Dec 2025 11:38:31 +0000 - -security-misc (3:50.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 19 Dec 2025 09:56:05 +0000 - -security-misc (3:50.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 12 Dec 2025 13:17:08 +0000 - -security-misc (3:50.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 09 Dec 2025 14:06:55 +0000 - -security-misc (3:50.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 05 Dec 2025 11:39:12 +0000 - -security-misc (3:50.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 03 Dec 2025 08:31:21 +0000 - -security-misc (3:50.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 24 Nov 2025 08:44:09 +0000 - -security-misc (3:50.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 23 Nov 2025 10:26:13 +0000 - -security-misc (3:50.1-1) unstable; urgency=medium - - * New upstream version (local package). 
- - -- Patrick Schleizer Wed, 19 Nov 2025 07:02:14 +0000 - -security-misc (3:50.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 14 Nov 2025 06:21:34 +0000 - -security-misc (3:49.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 12 Nov 2025 06:13:05 +0000 - -security-misc (3:49.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 10 Nov 2025 08:00:05 +0000 - -security-misc (3:49.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 09 Nov 2025 10:47:45 +0000 - -security-misc (3:49.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 09 Nov 2025 08:12:41 +0000 - -security-misc (3:49.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 08 Nov 2025 07:44:43 +0000 - -security-misc (3:49.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 02 Nov 2025 11:41:51 +0000 - -security-misc (3:49.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 01 Nov 2025 10:13:49 +0000 - -security-misc (3:49.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 01 Nov 2025 09:41:23 +0000 - -security-misc (3:49.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 01 Nov 2025 09:18:12 +0000 - -security-misc (3:49.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 31 Oct 2025 14:38:30 +0000 - -security-misc (3:48.9-1) unstable; urgency=medium - - * New upstream version (local package). 
- - -- Patrick Schleizer Mon, 27 Oct 2025 11:48:10 +0000 - -security-misc (3:48.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 26 Oct 2025 12:30:29 +0000 - -security-misc (3:48.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 23 Oct 2025 06:03:25 +0000 - -security-misc (3:48.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 19 Oct 2025 08:43:36 +0000 - -security-misc (3:48.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 18 Oct 2025 09:19:07 +0000 - -security-misc (3:48.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 10 Oct 2025 12:08:28 +0000 - -security-misc (3:48.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 07 Oct 2025 08:40:31 +0000 - -security-misc (3:48.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 28 Sep 2025 21:09:45 +0000 - -security-misc (3:48.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 26 Sep 2025 08:40:20 +0000 - -security-misc (3:48.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 24 Sep 2025 14:32:34 +0000 - -security-misc (3:47.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 22 Sep 2025 17:25:48 +0000 - -security-misc (3:47.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 19 Sep 2025 18:43:35 +0000 - -security-misc (3:47.7-1) unstable; urgency=medium - - * New upstream version (local package). 
- - -- Patrick Schleizer Fri, 19 Sep 2025 18:10:09 +0000 - -security-misc (3:47.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 19 Sep 2025 16:18:37 +0000 - -security-misc (3:47.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 13 Sep 2025 08:33:02 +0000 - -security-misc (3:47.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 02 Sep 2025 15:25:49 +0000 - -security-misc (3:47.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 30 Aug 2025 14:19:30 +0000 - -security-misc (3:47.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 27 Aug 2025 19:31:06 +0000 - -security-misc (3:47.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 26 Aug 2025 09:16:15 +0000 - -security-misc (3:47.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 10 Aug 2025 06:34:30 +0000 - -security-misc (3:46.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 09 Aug 2025 09:45:34 +0000 - -security-misc (3:46.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 07 Aug 2025 07:08:19 +0000 - -security-misc (3:46.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 06 Aug 2025 08:27:15 +0000 - -security-misc (3:46.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 04 Aug 2025 09:27:11 +0000 - -security-misc (3:46.5-1) unstable; urgency=medium - - * New upstream version (local package). 
- - -- Patrick Schleizer Sun, 03 Aug 2025 11:33:03 +0000 - -security-misc (3:46.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 21 Jul 2025 10:00:25 +0000 - -security-misc (3:46.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 02 Jul 2025 20:52:17 +0000 - -security-misc (3:46.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 14 Jun 2025 11:51:44 +0000 - -security-misc (3:46.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 28 May 2025 13:48:11 +0000 - -security-misc (3:46.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 28 May 2025 12:12:00 +0000 - -security-misc (3:45.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 27 May 2025 19:41:25 +0000 - -security-misc (3:45.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 27 May 2025 15:51:50 +0000 - -security-misc (3:45.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 21 May 2025 22:06:01 +0000 - -security-misc (3:45.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 21 May 2025 15:52:16 +0000 - -security-misc (3:45.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 21 May 2025 13:58:18 +0000 - -security-misc (3:45.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 21 May 2025 11:23:39 +0000 - -security-misc (3:45.3-1) unstable; urgency=medium - - * New upstream version (local package). 
- - -- Patrick Schleizer Tue, 20 May 2025 11:40:27 +0000 - -security-misc (3:45.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 25 Apr 2025 09:54:23 +0000 - -security-misc (3:45.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 25 Apr 2025 08:19:34 +0000 - -security-misc (3:45.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 21 Apr 2025 10:21:54 +0000 - -security-misc (3:44.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 19 Apr 2025 17:33:56 +0000 - -security-misc (3:44.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 15 Apr 2025 20:59:37 +0000 - -security-misc (3:44.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 10 Apr 2025 11:38:17 +0000 - -security-misc (3:44.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 09 Apr 2025 15:15:59 +0000 - -security-misc (3:44.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 08 Apr 2025 14:08:24 +0000 - -security-misc (3:44.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 03 Mar 2025 11:00:37 +0000 - -security-misc (3:44.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 09 Feb 2025 23:04:36 +0000 - -security-misc (3:44.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 31 Jan 2025 19:38:41 +0000 - -security-misc (3:44.1-1) unstable; urgency=medium - - * New upstream version (local package). 
- - -- Patrick Schleizer Thu, 30 Jan 2025 12:58:48 +0000 - -security-misc (3:44.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 29 Jan 2025 14:36:41 +0000 - -security-misc (3:43.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 23 Jan 2025 16:28:58 +0000 - -security-misc (3:43.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 22 Jan 2025 14:11:21 +0000 - -security-misc (3:43.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 22 Jan 2025 13:52:29 +0000 - -security-misc (3:43.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 20 Jan 2025 11:35:08 +0000 - -security-misc (3:43.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 20 Jan 2025 10:11:42 +0000 - -security-misc (3:43.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 17 Jan 2025 13:35:27 +0000 - -security-misc (3:43.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 15 Jan 2025 15:02:43 +0000 - -security-misc (3:43.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 14 Jan 2025 14:32:12 +0000 - -security-misc (3:43.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 14 Jan 2025 14:30:58 +0000 - -security-misc (3:43.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 14 Jan 2025 14:16:45 +0000 - -security-misc (3:42.9-1) unstable; urgency=medium - - * New upstream version (local package). 
- - -- Patrick Schleizer Tue, 14 Jan 2025 14:07:50 +0000 - -security-misc (3:42.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 14 Jan 2025 14:06:50 +0000 - -security-misc (3:42.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 14 Jan 2025 13:53:49 +0000 - -security-misc (3:42.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 14 Jan 2025 09:26:05 +0000 - -security-misc (3:42.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 14 Jan 2025 08:24:05 +0000 - -security-misc (3:42.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 12 Jan 2025 11:47:17 +0000 - -security-misc (3:42.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 10 Jan 2025 15:34:20 +0000 - -security-misc (3:42.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 06 Jan 2025 10:31:40 +0000 - -security-misc (3:42.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 31 Dec 2024 18:42:01 +0000 - -security-misc (3:42.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 31 Dec 2024 14:09:34 +0000 - -security-misc (3:41.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 26 Dec 2024 04:12:02 +0000 - -security-misc (3:41.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 24 Dec 2024 05:16:21 +0000 - -security-misc (3:41.7-1) unstable; urgency=medium - - * New upstream version (local package). 
- - -- Patrick Schleizer Fri, 20 Dec 2024 06:01:27 +0000 - -security-misc (3:41.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 20 Dec 2024 05:58:24 +0000 - -security-misc (3:41.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 20 Dec 2024 05:48:48 +0000 - -security-misc (3:41.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 19 Dec 2024 10:58:50 +0000 - -security-misc (3:41.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 19 Dec 2024 09:43:26 +0000 - -security-misc (3:41.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 19 Dec 2024 06:57:42 +0000 - -security-misc (3:41.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 10 Dec 2024 19:19:10 +0000 - -security-misc (3:41.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 10 Dec 2024 19:17:10 +0000 - -security-misc (3:40.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 25 Nov 2024 21:07:41 +0000 - -security-misc (3:40.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 14 Nov 2024 22:24:50 +0000 - -security-misc (3:40.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 14 Nov 2024 20:46:26 +0000 - -security-misc (3:40.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 12 Nov 2024 09:11:57 +0000 - -security-misc (3:40.5-1) unstable; urgency=medium - - * New upstream version (local package). 
- - -- Patrick Schleizer Mon, 11 Nov 2024 11:07:57 +0000 - -security-misc (3:40.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 10 Nov 2024 11:52:42 +0000 - -security-misc (3:40.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 30 Oct 2024 09:43:05 +0000 - -security-misc (3:40.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 23 Oct 2024 09:56:05 +0000 - -security-misc (3:40.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 16 Oct 2024 10:57:20 +0000 - -security-misc (3:40.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 08 Oct 2024 11:24:55 +0000 - -security-misc (3:39.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 03 Oct 2024 07:22:23 +0000 - -security-misc (3:39.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 25 Sep 2024 01:03:42 +0000 - -security-misc (3:39.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 14 Sep 2024 02:56:08 +0000 - -security-misc (3:39.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 08 Sep 2024 17:41:30 +0000 - -security-misc (3:39.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 04 Sep 2024 14:13:15 +0000 - -security-misc (3:39.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 29 Aug 2024 09:49:51 +0000 - -security-misc (3:39.3-1) unstable; urgency=medium - - * New upstream version (local package). 
- - -- Patrick Schleizer Wed, 28 Aug 2024 11:01:36 +0000 - -security-misc (3:39.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 25 Aug 2024 15:34:54 +0000 - -security-misc (3:39.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 25 Aug 2024 14:33:39 +0000 - -security-misc (3:39.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 16 Aug 2024 08:38:11 +0000 - -security-misc (3:38.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 15 Aug 2024 17:51:18 +0000 - -security-misc (3:38.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 06 Aug 2024 14:01:38 +0000 - -security-misc (3:38.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 28 Jul 2024 20:50:21 +0000 - -security-misc (3:38.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 27 Jul 2024 16:13:34 +0000 - -security-misc (3:38.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 26 Jul 2024 15:40:23 +0000 - -security-misc (3:38.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 26 Jul 2024 09:40:58 +0000 - -security-misc (3:38.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 21 Jul 2024 10:40:13 +0000 - -security-misc (3:38.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 20 Jul 2024 17:02:04 +0000 - -security-misc (3:38.1-1) unstable; urgency=medium - - * New upstream version (local package). 
- - -- Patrick Schleizer Thu, 18 Jul 2024 18:05:06 +0000 - -security-misc (3:38.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 18 Jul 2024 14:11:35 +0000 - -security-misc (3:37.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 18 Jul 2024 14:05:22 +0000 - -security-misc (3:37.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 15 Jul 2024 21:18:54 +0000 - -security-misc (3:37.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 13 Jul 2024 15:01:15 +0000 - -security-misc (3:37.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 11 Jun 2024 12:56:56 +0000 - -security-misc (3:37.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 01 Jun 2024 18:13:08 +0000 - -security-misc (3:37.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 01 Jun 2024 17:35:04 +0000 - -security-misc (3:37.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 28 May 2024 12:04:52 +0000 - -security-misc (3:37.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 18 May 2024 20:45:11 +0000 - -security-misc (3:37.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 10 May 2024 11:20:36 +0000 - -security-misc (3:37.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 12 Apr 2024 06:56:38 +0000 - -security-misc (3:36.9-1) unstable; urgency=medium - - * New upstream version (local package). 
- - -- Patrick Schleizer Mon, 01 Apr 2024 06:56:44 +0000 - -security-misc (3:36.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 18 Mar 2024 15:10:10 +0000 - -security-misc (3:36.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 11 Mar 2024 15:07:50 +0000 - -security-misc (3:36.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 10 Mar 2024 13:19:26 +0000 - -security-misc (3:36.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 04 Mar 2024 11:48:30 +0000 - -security-misc (3:36.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 26 Feb 2024 13:32:44 +0000 - -security-misc (3:36.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 22 Feb 2024 20:08:17 +0000 - -security-misc (3:36.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 22 Feb 2024 19:58:00 +0000 - -security-misc (3:36.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 22 Feb 2024 16:07:16 +0000 - -security-misc (3:36.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 22 Feb 2024 14:52:54 +0000 - -security-misc (3:35.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 22 Feb 2024 14:50:05 +0000 - -security-misc (3:35.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 03 Feb 2024 18:28:26 +0000 - -security-misc (3:35.7-1) unstable; urgency=medium - - * New upstream version (local package). 
- - -- Patrick Schleizer Thu, 25 Jan 2024 13:59:29 +0000 - -security-misc (3:35.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 18 Jan 2024 14:10:50 +0000 - -security-misc (3:35.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 17 Jan 2024 19:18:24 +0000 - -security-misc (3:35.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 16 Jan 2024 14:26:34 +0000 - -security-misc (3:35.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 16 Jan 2024 14:14:18 +0000 - -security-misc (3:35.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 16 Jan 2024 13:58:54 +0000 - -security-misc (3:35.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 09 Jan 2024 05:52:48 +0000 - -security-misc (3:35.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 04 Jan 2024 02:03:26 +0000 - -security-misc (3:34.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 02 Jan 2024 14:55:13 +0000 - -security-misc (3:34.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 29 Dec 2023 20:15:50 +0000 - -security-misc (3:34.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 25 Dec 2023 16:28:09 +0000 - -security-misc (3:34.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 22 Dec 2023 16:31:57 +0000 - -security-misc (3:34.5-1) unstable; urgency=medium - - * New upstream version (local package). 
- - -- Patrick Schleizer Tue, 12 Dec 2023 16:51:21 +0000 - -security-misc (3:34.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 04 Dec 2023 17:06:45 +0000 - -security-misc (3:34.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 20 Nov 2023 13:13:10 +0000 - -security-misc (3:34.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 11 Nov 2023 22:29:57 +0000 - -security-misc (3:34.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 11 Nov 2023 20:22:34 +0000 - -security-misc (3:34.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 06 Nov 2023 22:28:21 +0000 - -security-misc (3:33.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 06 Nov 2023 02:13:14 +0000 - -security-misc (3:33.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 06 Nov 2023 01:14:33 +0000 - -security-misc (3:33.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 05 Nov 2023 23:17:59 +0000 - -security-misc (3:33.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 05 Nov 2023 22:43:33 +0000 - -security-misc (3:33.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 05 Nov 2023 21:46:18 +0000 - -security-misc (3:33.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 05 Nov 2023 21:04:02 +0000 - -security-misc (3:33.3-1) unstable; urgency=medium - - * New upstream version (local package). 
- - -- Patrick Schleizer Sun, 05 Nov 2023 20:58:21 +0000 - -security-misc (3:33.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 05 Nov 2023 20:29:38 +0000 - -security-misc (3:33.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 05 Nov 2023 20:14:43 +0000 - -security-misc (3:33.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 05 Nov 2023 19:56:06 +0000 - -security-misc (3:32.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 03 Nov 2023 16:17:24 +0000 - -security-misc (3:32.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 03 Nov 2023 16:10:48 +0000 - -security-misc (3:32.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 03 Nov 2023 16:06:43 +0000 - -security-misc (3:32.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 03 Nov 2023 14:33:02 +0000 - -security-misc (3:32.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 03 Nov 2023 13:28:08 +0000 - -security-misc (3:32.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 01 Nov 2023 16:26:21 +0000 - -security-misc (3:32.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 01 Nov 2023 15:10:36 +0000 - -security-misc (3:32.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 27 Oct 2023 00:08:41 +0000 - -security-misc (3:32.1-1) unstable; urgency=medium - - * New upstream version (local package). 
- - -- Patrick Schleizer Thu, 26 Oct 2023 16:23:48 +0000 - -security-misc (3:32.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 25 Oct 2023 21:55:37 +0000 - -security-misc (3:31.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 24 Oct 2023 09:51:11 +0000 - -security-misc (3:31.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 23:23:22 +0000 - -security-misc (3:31.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 20:54:58 +0000 - -security-misc (3:31.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 20:29:08 +0000 - -security-misc (3:31.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 20:16:40 +0000 - -security-misc (3:31.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 19:44:47 +0000 - -security-misc (3:31.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 19:40:59 +0000 - -security-misc (3:31.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 19:33:21 +0000 - -security-misc (3:31.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 19:28:04 +0000 - -security-misc (3:31.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 18:46:42 +0000 - -security-misc (3:30.9-1) unstable; urgency=medium - - * New upstream version (local package). 
- - -- Patrick Schleizer Sun, 22 Oct 2023 18:30:28 +0000 - -security-misc (3:30.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 17:31:55 +0000 - -security-misc (3:30.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 16:55:41 +0000 - -security-misc (3:30.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 15:28:18 +0000 - -security-misc (3:30.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 15:13:05 +0000 - -security-misc (3:30.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 14:50:30 +0000 - -security-misc (3:30.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 14:16:53 +0000 - -security-misc (3:30.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 14:01:54 +0000 - -security-misc (3:30.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 12:12:30 +0000 - -security-misc (3:30.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 11:06:00 +0000 - -security-misc (3:29.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 21 Oct 2023 18:19:24 +0000 - -security-misc (3:29.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 21 Oct 2023 16:34:59 +0000 - -security-misc (3:29.7-1) unstable; urgency=medium - - * New upstream version (local package). 
- - -- Patrick Schleizer Fri, 13 Oct 2023 19:22:58 +0000 - -security-misc (3:29.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 12 Oct 2023 16:51:37 +0000 - -security-misc (3:29.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 12 Oct 2023 14:43:40 +0000 - -security-misc (3:29.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 17 Jul 2023 15:48:35 +0000 - -security-misc (3:29.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 23 Jun 2023 08:18:12 +0000 - -security-misc (3:29.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 21 Jun 2023 09:36:44 +0000 - -security-misc (3:29.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 16 Jun 2023 11:09:01 +0000 - -security-misc (3:29.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 14 Jun 2023 09:59:20 +0000 - -security-misc (3:28.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 12 Jun 2023 18:01:55 +0000 - -security-misc (3:28.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 15 May 2023 17:31:59 +0000 - -security-misc (3:28.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 15 May 2023 11:56:30 +0000 - -security-misc (3:28.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 06 May 2023 12:00:12 +0000 - -security-misc (3:28.5-1) unstable; urgency=medium - - * New upstream version (local package). 
- - -- Patrick Schleizer Sat, 06 May 2023 11:54:31 +0000 - -security-misc (3:28.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 05 May 2023 15:09:32 +0000 - -security-misc (3:28.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 30 Jan 2023 10:58:47 +0000 - -security-misc (3:28.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 24 Jan 2023 12:09:40 +0000 - -security-misc (3:28.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 24 Jan 2023 12:05:53 +0000 - -security-misc (3:28.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 09 Jan 2023 12:05:18 +0000 - -security-misc (3:27.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 09 Jan 2023 12:02:01 +0000 - -security-misc (3:27.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 09 Jan 2023 10:34:48 +0000 - -security-misc (3:27.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 08 Jan 2023 12:17:02 +0000 - -security-misc (3:27.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 07 Jan 2023 23:13:57 +0000 - -security-misc (3:27.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 07 Jan 2023 22:49:24 +0000 - -security-misc (3:27.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 07 Jan 2023 22:23:35 +0000 - -security-misc (3:27.3-1) unstable; urgency=medium - - * New upstream version (local package). 
- - -- Patrick Schleizer Sat, 07 Jan 2023 22:16:23 +0000 - -security-misc (3:27.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 07 Jan 2023 21:20:48 +0000 - -security-misc (3:27.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 07 Jan 2023 20:37:47 +0000 - -security-misc (3:27.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 07 Jan 2023 19:31:40 +0000 - -security-misc (3:26.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 07 Jan 2023 19:27:42 +0000 - -security-misc (3:26.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 07 Jan 2023 17:57:36 +0000 - -security-misc (3:26.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 18 Dec 2022 19:37:51 +0000 - -security-misc (3:26.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 24 Nov 2022 12:21:58 +0000 - -security-misc (3:26.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 24 Nov 2022 12:00:33 +0000 - -security-misc (3:26.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 24 Nov 2022 11:49:25 +0000 - -security-misc (3:26.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 24 Nov 2022 11:31:37 +0000 - -security-misc (3:26.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 24 Nov 2022 11:14:15 +0000 - -security-misc (3:26.1-1) unstable; urgency=medium - - * New upstream version (local package). 
- - -- Patrick Schleizer Tue, 22 Nov 2022 11:03:13 +0000 - -security-misc (3:26.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 17 Nov 2022 15:15:36 +0000 - -security-misc (3:25.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 24 Aug 2022 22:28:39 +0000 - -security-misc (3:25.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 13 Aug 2022 15:40:04 +0000 - -security-misc (3:25.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 12 Aug 2022 11:52:26 +0000 - -security-misc (3:25.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 26 Jul 2022 14:00:53 +0000 - -security-misc (3:25.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 23 Jul 2022 12:07:37 +0000 - -security-misc (3:25.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 16 Jul 2022 12:00:16 +0000 - -security-misc (3:25.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 13 Jul 2022 12:28:34 +0000 - -security-misc (3:25.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 09 Jul 2022 15:42:24 +0000 - -security-misc (3:25.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 07 Jul 2022 21:41:13 +0000 - -security-misc (3:25.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 05 Jul 2022 15:16:33 +0000 - -security-misc (3:24.9-1) unstable; urgency=medium - - * New upstream version (local package). 
- - -- Patrick Schleizer Sat, 02 Jul 2022 22:30:06 +0000 - -security-misc (3:24.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 02 Jul 2022 21:37:16 +0000 - -security-misc (3:24.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 02 Jul 2022 20:03:52 +0000 - -security-misc (3:24.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 02 Jul 2022 19:52:08 +0000 - -security-misc (3:24.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 02 Jul 2022 19:32:50 +0000 - -security-misc (3:24.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 02 Jul 2022 18:27:04 +0000 - -security-misc (3:24.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 29 Jun 2022 20:25:07 +0000 - -security-misc (3:24.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 29 Jun 2022 20:06:33 +0000 - -security-misc (3:24.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 29 Jun 2022 20:03:58 +0000 - -security-misc (3:24.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 29 Jun 2022 19:24:40 +0000 - -security-misc (3:23.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 29 Jun 2022 19:22:41 +0000 - -security-misc (3:23.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 29 Jun 2022 18:18:02 +0000 - -security-misc (3:23.7-1) unstable; urgency=medium - - * New upstream version (local package). 
- - -- Patrick Schleizer Wed, 29 Jun 2022 18:15:48 +0000 - -security-misc (3:23.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 29 Jun 2022 17:03:35 +0000 - -security-misc (3:23.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 29 Jun 2022 15:18:59 +0000 - -security-misc (3:23.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 29 Jun 2022 14:02:18 +0000 - -security-misc (3:23.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 29 Jun 2022 13:54:27 +0000 - -security-misc (3:23.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 08 Jun 2022 15:05:07 +0000 - -security-misc (3:23.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 25 May 2022 10:07:17 +0000 - -security-misc (3:23.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 10 Feb 2022 19:06:54 +0000 - -security-misc (3:22.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 14 Sep 2021 18:18:52 +0000 - -security-misc (3:22.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 12 Sep 2021 15:57:20 +0000 - -security-misc (3:22.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 09 Sep 2021 16:35:37 +0000 - -security-misc (3:22.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 06 Sep 2021 13:46:20 +0000 - -security-misc (3:22.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 06 Sep 2021 08:55:23 +0000 - security-misc (3:22.4-1) unstable; urgency=medium * New upstream version (local package). 
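Review bot: The visible lines of this changelog hunk delete every entry from 3:36.8-1 down to 3:22.5-1 and leave 3:22.4-1 as the first remaining entry, with no replacement entry shown, so the package version moves backwards. dpkg and apt take the version from the top changelog entry and will treat the result as a downgrade on any system that installed one of the removed releases. If this is an intentional revert, add a new top entry with a higher version that says so instead of erasing the history, since the deleted entries are also the only record of when each release was cut.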
diff --git a/debian/control b/debian/control index d46ba12..0a1e11b 100644 --- a/debian/control +++ b/debian/control 
@@ -1,79 +1,28 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. Source: security-misc Section: misc Priority: optional -Maintainer: Patrick Schleizer -Build-Depends: debhelper (>= 13), - debhelper-compat (= 13), - dh-apparmor, - dh-exec, - config-package-dev, - po-debconf -Homepage: https://www.kicksecure.com/wiki/Security-misc -Vcs-Browser: https://github.com/Kicksecure/security-misc -Vcs-Git: https://github.com/Kicksecure/security-misc.git -Standards-Version: 4.7.2 +Maintainer: Patrick Schleizer +Build-Depends: debhelper (>= 13), debhelper-compat (= 13), config-package-dev, dh-apparmor +Homepage: https://github.com/Whonix/security-misc +Vcs-Browser: https://github.com/Whonix/security-misc +Vcs-Git: https://github.com/Whonix/security-misc.git +Standards-Version: 4.5.1 Rules-Requires-Root: no -## 'Package: security-misc-shared' Comments -## -## 'Conflicts: security-misc' is needed. -## > dpkg-divert: error: 'diversion of /etc/securetty to /etc/securetty.security-misc-orig by security-misc-shared' clashes with 'diversion of /etc/securetty to /etc/securetty.security-misc-orig by security-misc' -## -## 'Provides: security-misc' is useful. -## sudo dpkg -i /home/user/derivative-binary/genmkfile-packages-result/security-misc-shared_47.7-1_all.deb -## > dpkg: considering removing security-misc in favour of security-misc-shared ... 
-## > dpkg: no, cannot proceed with removal of security-misc (--auto-deconfigure will help): -## > systemcheck depends on security-misc -## > security-misc is to be removed -Package: security-misc-shared +Package: security-misc Architecture: all -Depends: adduser, - apparmor-profile-dist, - build-essential, - dmsetup, - helper-scripts, - libcap2-bin, - libglib2.0-bin, - libpam-modules-bin, - libpam-runtime, - libpam-umask, - memlockd, - python3, - secure-delete, - ${misc:Depends} -Replaces: anon-gpg-tweaks, - security-misc, - swappiness-lowest, - tcp-timestamps-disable -Conflicts: security-misc -Provides: security-misc +Depends: python3, libglib2.0-bin, libpam-runtime, sudo, adduser, libcap2-bin, + apparmor-profile-dist, helper-scripts, libpam-modules-bin, ${misc:Depends} +Replaces: tcp-timestamps-disable, anon-gpg-tweaks, swappiness-lowest Description: Enhances Miscellaneous Security Settings - https://github.com/Kicksecure/security-misc/blob/master/README.md + https://github.com/Whonix/security-misc/blob/master/README.md . - https://www.kicksecure.com/wiki/Security-misc - . - Package security-misc-desktop and/or security-misc-server may also be useful. + https://www.whonix.org/wiki/Security-misc . Discussion: . Happening primarily in Whonix forums. - https://forums.whonix.org/t/kernel-hardening-security-misc/7296 - -Package: security-misc-desktop -Architecture: all -Depends: security-misc-shared, ${misc:Depends} -Description: Security improvements for desktops - For desktops. - . - (Or servers running a desktop?) - -Package: security-misc-server -Architecture: all -Depends: security-misc-shared, ${misc:Depends} -Description: Security improvements for servers - For servers. - . - (Or desktops running a server?) + https://forums.whonix.org/t/kernel-hardening/7296 diff --git a/debian/copyright b/debian/copyright index 829d909..3b0825d 100644 --- a/debian/copyright +++ b/debian/copyright 
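Review bot: In the debian/control hunk above, the new `Package: security-misc` stanza drops `Conflicts:` and `Provides:` and declares no relationship to `security-misc-shared`, while the comment block that explained why they were needed is deleted with them. That comment quotes the dpkg-divert error for `/etc/securetty` when both names hold the same diversion, so a system that already has `security-misc-shared` installed is likely to hit the same clash in the other direction. Add `Conflicts: security-misc-shared` and `Replaces: security-misc-shared` (or keep a short comment explaining why they are not needed). Separately, `Depends:` loses `dmsetup`, `memlockd`, `secure-delete`, `libpam-umask` and `build-essential` and gains `sudo`; confirm that nothing the package still ships calls the removed tools, and note that `security-misc-desktop` and `security-misc-server` disappear without a transitional package.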
@@ -1,668 +1,73 @@ Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Files: * -Copyright: 2012 - 2025 ENCRYPTED SUPPORT LLC -License: AGPL-3+ - -License: AGPL-3+ - GNU AFFERO GENERAL PUBLIC LICENSE - Version 3, 19 November 2007 - . - Copyright (C) 2007 Free Software Foundation, Inc. - Everyone is permitted to copy and distribute verbatim copies - of this license document, but changing it is not allowed. - . - Preamble - . - The GNU Affero General Public License is a free, copyleft license for - software and other kinds of works, specifically designed to ensure - cooperation with the community in the case of network server software. - . - The licenses for most software and other practical works are designed - to take away your freedom to share and change the works. By contrast, - our General Public Licenses are intended to guarantee your freedom to - share and change all versions of a program--to make sure it remains free - software for all its users. - . - When we speak of free software, we are referring to freedom, not - price. Our General Public Licenses are designed to make sure that you - have the freedom to distribute copies of free software (and charge for - them if you wish), that you receive source code or can get it if you - want it, that you can change the software or use pieces of it in new - free programs, and that you know you can do these things. - . - Developers that use our General Public Licenses protect your rights - with two steps: (1) assert copyright on the software, and (2) offer - you this License which gives you legal permission to copy, distribute - and/or modify the software. - . - A secondary benefit of defending all users' freedom is that - improvements made in alternate versions of the program, if they - receive widespread use, become available for other developers to - incorporate. Many developers of free software are heartened and - encouraged by the resulting cooperation. 
However, in the case of - software used on network servers, this result may fail to come about. - The GNU General Public License permits making a modified version and - letting the public access it on a server without ever releasing its - source code to the public. - . - The GNU Affero General Public License is designed specifically to - ensure that, in such cases, the modified source code becomes available - to the community. It requires the operator of a network server to - provide the source code of the modified version running there to the - users of that server. Therefore, public use of a modified version, on - a publicly accessible server, gives the public access to the source - code of the modified version. - . - An older license, called the Affero General Public License and - published by Affero, was designed to accomplish similar goals. This is - a different license, not a version of the Affero GPL, but Affero has - released a new version of the Affero GPL which permits relicensing under - this license. - . - The precise terms and conditions for copying, distribution and - modification follow. - . - TERMS AND CONDITIONS - . - 0. Definitions. - . - "This License" refers to version 3 of the GNU Affero General Public License. - . - "Copyright" also means copyright-like laws that apply to other kinds of - works, such as semiconductor masks. - . - "The Program" refers to any copyrightable work licensed under this - License. Each licensee is addressed as "you". "Licensees" and - "recipients" may be individuals or organizations. - . - To "modify" a work means to copy from or adapt all or part of the work - in a fashion requiring copyright permission, other than the making of an - exact copy. The resulting work is called a "modified version" of the - earlier work or a work "based on" the earlier work. - . - A "covered work" means either the unmodified Program or a work based - on the Program. - . 
- To "propagate" a work means to do anything with it that, without - permission, would make you directly or secondarily liable for - infringement under applicable copyright law, except executing it on a - computer or modifying a private copy. Propagation includes copying, - distribution (with or without modification), making available to the - public, and in some countries other activities as well. - . - To "convey" a work means any kind of propagation that enables other - parties to make or receive copies. Mere interaction with a user through - a computer network, with no transfer of a copy, is not conveying. - . - An interactive user interface displays "Appropriate Legal Notices" - to the extent that it includes a convenient and prominently visible - feature that (1) displays an appropriate copyright notice, and (2) - tells the user that there is no warranty for the work (except to the - extent that warranties are provided), that licensees may convey the - work under this License, and how to view a copy of this License. If - the interface presents a list of user commands or options, such as a - menu, a prominent item in the list meets this criterion. - . - 1. Source Code. - . - The "source code" for a work means the preferred form of the work - for making modifications to it. "Object code" means any non-source - form of a work. - . - A "Standard Interface" means an interface that either is an official - standard defined by a recognized standards body, or, in the case of - interfaces specified for a particular programming language, one that - is widely used among developers working in that language. - . 
- The "System Libraries" of an executable work include anything, other - than the work as a whole, that (a) is included in the normal form of - packaging a Major Component, but which is not part of that Major - Component, and (b) serves only to enable use of the work with that - Major Component, or to implement a Standard Interface for which an - implementation is available to the public in source code form. A - "Major Component", in this context, means a major essential component - (kernel, window system, and so on) of the specific operating system - (if any) on which the executable work runs, or a compiler used to - produce the work, or an object code interpreter used to run it. - . - The "Corresponding Source" for a work in object code form means all - the source code needed to generate, install, and (for an executable - work) run the object code and to modify the work, including scripts to - control those activities. However, it does not include the work's - System Libraries, or general-purpose tools or generally available free - programs which are used unmodified in performing those activities but - which are not part of the work. For example, Corresponding Source - includes interface definition files associated with source files for - the work, and the source code for shared libraries and dynamically - linked subprograms that the work is specifically designed to require, - such as by intimate data communication or control flow between those - subprograms and other parts of the work. - . - The Corresponding Source need not include anything that users - can regenerate automatically from other parts of the Corresponding - Source. - . - The Corresponding Source for a work in source code form is that - same work. - . - 2. Basic Permissions. - . - All rights granted under this License are granted for the term of - copyright on the Program, and are irrevocable provided the stated - conditions are met. 
This License explicitly affirms your unlimited - permission to run the unmodified Program. The output from running a - covered work is covered by this License only if the output, given its - content, constitutes a covered work. This License acknowledges your - rights of fair use or other equivalent, as provided by copyright law. - . - You may make, run and propagate covered works that you do not - convey, without conditions so long as your license otherwise remains - in force. You may convey covered works to others for the sole purpose - of having them make modifications exclusively for you, or provide you - with facilities for running those works, provided that you comply with - the terms of this License in conveying all material for which you do - not control copyright. Those thus making or running the covered works - for you must do so exclusively on your behalf, under your direction - and control, on terms that prohibit them from making any copies of - your copyrighted material outside their relationship with you. - . - Conveying under any other circumstances is permitted solely under - the conditions stated below. Sublicensing is not allowed; section 10 - makes it unnecessary. - . - 3. Protecting Users' Legal Rights From Anti-Circumvention Law. - . - No covered work shall be deemed part of an effective technological - measure under any applicable law fulfilling obligations under article - 11 of the WIPO copyright treaty adopted on 20 December 1996, or - similar laws prohibiting or restricting circumvention of such - measures. - . 
- When you convey a covered work, you waive any legal power to forbid - circumvention of technological measures to the extent such circumvention - is effected by exercising rights under this License with respect to - the covered work, and you disclaim any intention to limit operation or - modification of the work as a means of enforcing, against the work's - users, your or third parties' legal rights to forbid circumvention of - technological measures. - . - 4. Conveying Verbatim Copies. - . - You may convey verbatim copies of the Program's source code as you - receive it, in any medium, provided that you conspicuously and - appropriately publish on each copy an appropriate copyright notice; - keep intact all notices stating that this License and any - non-permissive terms added in accord with section 7 apply to the code; - keep intact all notices of the absence of any warranty; and give all - recipients a copy of this License along with the Program. - . - You may charge any price or no price for each copy that you convey, - and you may offer support or warranty protection for a fee. - . - 5. Conveying Modified Source Versions. - . - You may convey a work based on the Program, or the modifications to - produce it from the Program, in the form of source code under the - terms of section 4, provided that you also meet all of these conditions: - . - a) The work must carry prominent notices stating that you modified - it, and giving a relevant date. - . - b) The work must carry prominent notices stating that it is - released under this License and any conditions added under section - 7. This requirement modifies the requirement in section 4 to - "keep intact all notices". - . - c) You must license the entire work, as a whole, under this - License to anyone who comes into possession of a copy. This - License will therefore apply, along with any applicable section 7 - additional terms, to the whole of the work, and all its parts, - regardless of how they are packaged. 
This License gives no - permission to license the work in any other way, but it does not - invalidate such permission if you have separately received it. - . - d) If the work has interactive user interfaces, each must display - Appropriate Legal Notices; however, if the Program has interactive - interfaces that do not display Appropriate Legal Notices, your - work need not make them do so. - . - A compilation of a covered work with other separate and independent - works, which are not by their nature extensions of the covered work, - and which are not combined with it such as to form a larger program, - in or on a volume of a storage or distribution medium, is called an - "aggregate" if the compilation and its resulting copyright are not - used to limit the access or legal rights of the compilation's users - beyond what the individual works permit. Inclusion of a covered work - in an aggregate does not cause this License to apply to the other - parts of the aggregate. - . - 6. Conveying Non-Source Forms. - . - You may convey a covered work in object code form under the terms - of sections 4 and 5, provided that you also convey the - machine-readable Corresponding Source under the terms of this License, - in one of these ways: - . - a) Convey the object code in, or embodied in, a physical product - (including a physical distribution medium), accompanied by the - Corresponding Source fixed on a durable physical medium - customarily used for software interchange. - . 
- b) Convey the object code in, or embodied in, a physical product - (including a physical distribution medium), accompanied by a - written offer, valid for at least three years and valid for as - long as you offer spare parts or customer support for that product - model, to give anyone who possesses the object code either (1) a - copy of the Corresponding Source for all the software in the - product that is covered by this License, on a durable physical - medium customarily used for software interchange, for a price no - more than your reasonable cost of physically performing this - conveying of source, or (2) access to copy the - Corresponding Source from a network server at no charge. - . - c) Convey individual copies of the object code with a copy of the - written offer to provide the Corresponding Source. This - alternative is allowed only occasionally and noncommercially, and - only if you received the object code with such an offer, in accord - with subsection 6b. - . - d) Convey the object code by offering access from a designated - place (gratis or for a charge), and offer equivalent access to the - Corresponding Source in the same way through the same place at no - further charge. You need not require recipients to copy the - Corresponding Source along with the object code. If the place to - copy the object code is a network server, the Corresponding Source - may be on a different server (operated by you or a third party) - that supports equivalent copying facilities, provided you maintain - clear directions next to the object code saying where to find the - Corresponding Source. Regardless of what server hosts the - Corresponding Source, you remain obligated to ensure that it is - available for as long as needed to satisfy these requirements. - . 
- e) Convey the object code using peer-to-peer transmission, provided - you inform other peers where the object code and Corresponding - Source of the work are being offered to the general public at no - charge under subsection 6d. - . - A separable portion of the object code, whose source code is excluded - from the Corresponding Source as a System Library, need not be - included in conveying the object code work. - . - A "User Product" is either (1) a "consumer product", which means any - tangible personal property which is normally used for personal, family, - or household purposes, or (2) anything designed or sold for incorporation - into a dwelling. In determining whether a product is a consumer product, - doubtful cases shall be resolved in favor of coverage. For a particular - product received by a particular user, "normally used" refers to a - typical or common use of that class of product, regardless of the status - of the particular user or of the way in which the particular user - actually uses, or expects or is expected to use, the product. A product - is a consumer product regardless of whether the product has substantial - commercial, industrial or non-consumer uses, unless such uses represent - the only significant mode of use of the product. - . - "Installation Information" for a User Product means any methods, - procedures, authorization keys, or other information required to install - and execute modified versions of a covered work in that User Product from - a modified version of its Corresponding Source. The information must - suffice to ensure that the continued functioning of the modified object - code is in no case prevented or interfered with solely because - modification has been made. - . 
- If you convey an object code work under this section in, or with, or - specifically for use in, a User Product, and the conveying occurs as - part of a transaction in which the right of possession and use of the - User Product is transferred to the recipient in perpetuity or for a - fixed term (regardless of how the transaction is characterized), the - Corresponding Source conveyed under this section must be accompanied - by the Installation Information. But this requirement does not apply - if neither you nor any third party retains the ability to install - modified object code on the User Product (for example, the work has - been installed in ROM). - . - The requirement to provide Installation Information does not include a - requirement to continue to provide support service, warranty, or updates - for a work that has been modified or installed by the recipient, or for - the User Product in which it has been modified or installed. Access to a - network may be denied when the modification itself materially and - adversely affects the operation of the network or violates the rules and - protocols for communication across the network. - . - Corresponding Source conveyed, and Installation Information provided, - in accord with this section must be in a format that is publicly - documented (and with an implementation available to the public in - source code form), and must require no special password or key for - unpacking, reading or copying. - . - 7. Additional Terms. - . - "Additional permissions" are terms that supplement the terms of this - License by making exceptions from one or more of its conditions. - Additional permissions that are applicable to the entire Program shall - be treated as though they were included in this License, to the extent - that they are valid under applicable law. 
If additional permissions - apply only to part of the Program, that part may be used separately - under those permissions, but the entire Program remains governed by - this License without regard to the additional permissions. - . - When you convey a copy of a covered work, you may at your option - remove any additional permissions from that copy, or from any part of - it. (Additional permissions may be written to require their own - removal in certain cases when you modify the work.) You may place - additional permissions on material, added by you to a covered work, - for which you have or can give appropriate copyright permission. - . - Notwithstanding any other provision of this License, for material you - add to a covered work, you may (if authorized by the copyright holders of - that material) supplement the terms of this License with terms: - . - a) Disclaiming warranty or limiting liability differently from the - terms of sections 15 and 16 of this License; or - . - b) Requiring preservation of specified reasonable legal notices or - author attributions in that material or in the Appropriate Legal - Notices displayed by works containing it; or - . - c) Prohibiting misrepresentation of the origin of that material, or - requiring that modified versions of such material be marked in - reasonable ways as different from the original version; or - . - d) Limiting the use for publicity purposes of names of licensors or - authors of the material; or - . - e) Declining to grant rights under trademark law for use of some - trade names, trademarks, or service marks; or - . - f) Requiring indemnification of licensors and authors of that - material by anyone who conveys the material (or modified versions of - it) with contractual assumptions of liability to the recipient, for - any liability that these contractual assumptions directly impose on - those licensors and authors. - . 
- All other non-permissive additional terms are considered "further - restrictions" within the meaning of section 10. If the Program as you - received it, or any part of it, contains a notice stating that it is - governed by this License along with a term that is a further - restriction, you may remove that term. If a license document contains - a further restriction but permits relicensing or conveying under this - License, you may add to a covered work material governed by the terms - of that license document, provided that the further restriction does - not survive such relicensing or conveying. - . - If you add terms to a covered work in accord with this section, you - must place, in the relevant source files, a statement of the - additional terms that apply to those files, or a notice indicating - where to find the applicable terms. - . - Additional terms, permissive or non-permissive, may be stated in the - form of a separately written license, or stated as exceptions; - the above requirements apply either way. - . - 8. Termination. - . - You may not propagate or modify a covered work except as expressly - provided under this License. Any attempt otherwise to propagate or - modify it is void, and will automatically terminate your rights under - this License (including any patent licenses granted under the third - paragraph of section 11). - . - However, if you cease all violation of this License, then your - license from a particular copyright holder is reinstated (a) - provisionally, unless and until the copyright holder explicitly and - finally terminates your license, and (b) permanently, if the copyright - holder fails to notify you of the violation by some reasonable means - prior to 60 days after the cessation. - . 
- Moreover, your license from a particular copyright holder is - reinstated permanently if the copyright holder notifies you of the - violation by some reasonable means, this is the first time you have - received notice of violation of this License (for any work) from that - copyright holder, and you cure the violation prior to 30 days after - your receipt of the notice. - . - Termination of your rights under this section does not terminate the - licenses of parties who have received copies or rights from you under - this License. If your rights have been terminated and not permanently - reinstated, you do not qualify to receive new licenses for the same - material under section 10. - . - 9. Acceptance Not Required for Having Copies. - . - You are not required to accept this License in order to receive or - run a copy of the Program. Ancillary propagation of a covered work - occurring solely as a consequence of using peer-to-peer transmission - to receive a copy likewise does not require acceptance. However, - nothing other than this License grants you permission to propagate or - modify any covered work. These actions infringe copyright if you do - not accept this License. Therefore, by modifying or propagating a - covered work, you indicate your acceptance of this License to do so. - . - 10. Automatic Licensing of Downstream Recipients. - . - Each time you convey a covered work, the recipient automatically - receives a license from the original licensors, to run, modify and - propagate that work, subject to this License. You are not responsible - for enforcing compliance by third parties with this License. - . - An "entity transaction" is a transaction transferring control of an - organization, or substantially all assets of one, or subdividing an - organization, or merging organizations. 
If propagation of a covered - work results from an entity transaction, each party to that - transaction who receives a copy of the work also receives whatever - licenses to the work the party's predecessor in interest had or could - give under the previous paragraph, plus a right to possession of the - Corresponding Source of the work from the predecessor in interest, if - the predecessor has it or can get it with reasonable efforts. - . - You may not impose any further restrictions on the exercise of the - rights granted or affirmed under this License. For example, you may - not impose a license fee, royalty, or other charge for exercise of - rights granted under this License, and you may not initiate litigation - (including a cross-claim or counterclaim in a lawsuit) alleging that - any patent claim is infringed by making, using, selling, offering for - sale, or importing the Program or any portion of it. - . - 11. Patents. - . - A "contributor" is a copyright holder who authorizes use under this - License of the Program or a work on which the Program is based. The - work thus licensed is called the contributor's "contributor version". - . - A contributor's "essential patent claims" are all patent claims - owned or controlled by the contributor, whether already acquired or - hereafter acquired, that would be infringed by some manner, permitted - by this License, of making, using, or selling its contributor version, - but do not include claims that would be infringed only as a - consequence of further modification of the contributor version. For - purposes of this definition, "control" includes the right to grant - patent sublicenses in a manner consistent with the requirements of - this License. - . - Each contributor grants you a non-exclusive, worldwide, royalty-free - patent license under the contributor's essential patent claims, to - make, use, sell, offer for sale, import and otherwise run, modify and - propagate the contents of its contributor version. - . 
- In the following three paragraphs, a "patent license" is any express - agreement or commitment, however denominated, not to enforce a patent - (such as an express permission to practice a patent or covenant not to - sue for patent infringement). To "grant" such a patent license to a - party means to make such an agreement or commitment not to enforce a - patent against the party. - . - If you convey a covered work, knowingly relying on a patent license, - and the Corresponding Source of the work is not available for anyone - to copy, free of charge and under the terms of this License, through a - publicly available network server or other readily accessible means, - then you must either (1) cause the Corresponding Source to be so - available, or (2) arrange to deprive yourself of the benefit of the - patent license for this particular work, or (3) arrange, in a manner - consistent with the requirements of this License, to extend the patent - license to downstream recipients. "Knowingly relying" means you have - actual knowledge that, but for the patent license, your conveying the - covered work in a country, or your recipient's use of the covered work - in a country, would infringe one or more identifiable patents in that - country that you have reason to believe are valid. - . - If, pursuant to or in connection with a single transaction or - arrangement, you convey, or propagate by procuring conveyance of, a - covered work, and grant a patent license to some of the parties - receiving the covered work authorizing them to use, propagate, modify - or convey a specific copy of the covered work, then the patent license - you grant is automatically extended to all recipients of the covered - work and works based on it. - . - A patent license is "discriminatory" if it does not include within - the scope of its coverage, prohibits the exercise of, or is - conditioned on the non-exercise of one or more of the rights that are - specifically granted under this License. 
You may not convey a covered - work if you are a party to an arrangement with a third party that is - in the business of distributing software, under which you make payment - to the third party based on the extent of your activity of conveying - the work, and under which the third party grants, to any of the - parties who would receive the covered work from you, a discriminatory - patent license (a) in connection with copies of the covered work - conveyed by you (or copies made from those copies), or (b) primarily - for and in connection with specific products or compilations that - contain the covered work, unless you entered into that arrangement, - or that patent license was granted, prior to 28 March 2007. - . - Nothing in this License shall be construed as excluding or limiting - any implied license or other defenses to infringement that may - otherwise be available to you under applicable patent law. - . - 12. No Surrender of Others' Freedom. - . - If conditions are imposed on you (whether by court order, agreement or - otherwise) that contradict the conditions of this License, they do not - excuse you from the conditions of this License. If you cannot convey a - covered work so as to satisfy simultaneously your obligations under this - License and any other pertinent obligations, then as a consequence you may - not convey it at all. For example, if you agree to terms that obligate you - to collect a royalty for further conveying from those to whom you convey - the Program, the only way you could satisfy both those terms and this - License would be to refrain entirely from conveying the Program. - . - 13. Remote Network Interaction; Use with the GNU General Public License. - . 
- Notwithstanding any other provision of this License, if you modify the - Program, your modified version must prominently offer all users - interacting with it remotely through a computer network (if your version - supports such interaction) an opportunity to receive the Corresponding - Source of your version by providing access to the Corresponding Source - from a network server at no charge, through some standard or customary - means of facilitating copying of software. This Corresponding Source - shall include the Corresponding Source for any work covered by version 3 - of the GNU General Public License that is incorporated pursuant to the - following paragraph. - . - Notwithstanding any other provision of this License, you have - permission to link or combine any covered work with a work licensed - under version 3 of the GNU General Public License into a single - combined work, and to convey the resulting work. The terms of this - License will continue to apply to the part which is the covered work, - but the work with which it is combined will remain governed by version - 3 of the GNU General Public License. - . - 14. Revised Versions of this License. - . - The Free Software Foundation may publish revised and/or new versions of - the GNU Affero General Public License from time to time. Such new versions - will be similar in spirit to the present version, but may differ in detail to - address new problems or concerns. - . - Each version is given a distinguishing version number. If the - Program specifies that a certain numbered version of the GNU Affero General - Public License "or any later version" applies to it, you have the - option of following the terms and conditions either of that numbered - version or of any later version published by the Free Software - Foundation. If the Program does not specify a version number of the - GNU Affero General Public License, you may choose any version ever published - by the Free Software Foundation. - . 
- If the Program specifies that a proxy can decide which future - versions of the GNU Affero General Public License can be used, that proxy's - public statement of acceptance of a version permanently authorizes you - to choose that version for the Program. - . - Later license versions may give you additional or different - permissions. However, no additional obligations are imposed on any - author or copyright holder as a result of your choosing to follow a - later version. - . - 15. Disclaimer of Warranty. - . - THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY - APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT - HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY - OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, - THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM - IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +Copyright: 2012 - 2021 ENCRYPTED SUPPORT LP +License: GPL-3+-with-additional-terms-1 + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + . + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + . + You should have received a copy of the GNU General Public License + along with this program. If not, see . + . + On Debian systems, the full text of the GNU General Public + License version 3 can be found in the file + `/usr/share/common-licenses/GPL-3'. + . + ADDITIONAL TERMS APPLICABLE per GNU GPL version 3 section 7 + . + 1. Replacement of Section 15. 
Section 15 of the GPL shall be deleted in its + entirety and replaced with the following: + . + 15. Disclaimer of Warranty. + . + THE PROGRAM IS PROVIDED WITHOUT ANY WARRANTIES, WHETHER EXPRESSED OR IMPLIED, + INCLUDING, WITHOUT LIMITATION, IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR + PURPOSE, NON-INFRINGEMENT, TITLE AND MERCHANTABILITY. THE PROGRAM IS BEING + DELIVERED OR MADE AVAILABLE 'AS IS', 'WITH ALL FAULTS' AND WITHOUT WARRANTY OR + REPRESENTATION. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE + PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. . - 16. Limitation of Liability. + 2. Replacement of Section 16. Section 16 of the GPL shall be deleted in its + entirety and replaced with the following: . - IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING - WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS - THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY - GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE - USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF - DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD - PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), - EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF - SUCH DAMAGES. + 16. LIMITATION OF LIABILITY. . - 17. Interpretation of Sections 15 and 16. 
+ UNDER NO CIRCUMSTANCES SHALL ANY COPYRIGHT HOLDER OR ITS AFFILIATES, OR ANY + OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE + LIABLE TO YOU, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, FOR ANY + DAMAGES OR OTHER LIABILITY, INCLUDING ANY GENERAL, DIRECT, INDIRECT, SPECIAL, + INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES ARISING FROM, OUT OF OR IN + CONNECTION WITH THE USE OR INABILITY TO USE THE PROGRAM OR OTHER DEALINGS WITH + THE PROGRAM(INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED + INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE + PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), WHETHER OR NOT ANY COPYRIGHT HOLDER + OR SUCH OTHER PARTY RECEIVES NOTICE OF ANY SUCH DAMAGES AND WHETHER OR NOT SUCH + DAMAGES COULD HAVE BEEN FORESEEN. . - If the disclaimer of warranty and limitation of liability provided - above cannot be given local legal effect according to their terms, - reviewing courts shall apply local law that most closely approximates - an absolute waiver of all civil liability in connection with the - Program, unless a warranty or assumption of liability accompanies a - copy of the Program in return for a fee. + 3. LEGAL NOTICES; NO TRADEMARK LICENSE; ORIGIN. You must reproduce faithfully + all trademark, copyright and other proprietary and legal notices on any copies + of the Program or any other required author attributions. This license does not + grant you rights to use any copyright holder or any other party's name, logo, or + trademarks. Neither the name of the copyright holder or its affiliates, or any + other party who modifies and/or conveys the Program may be used to endorse or + promote products derived from this software without specific prior written + permission. The origin of the Program must not be misrepresented; you must not + claim that you wrote the original Program. 
Altered source versions must be + plainly marked as such, and must not be misrepresented as being the original + Program. . - END OF TERMS AND CONDITIONS - . - How to Apply These Terms to Your New Programs - . - If you develop a new program, and you want it to be of the greatest - possible use to the public, the best way to achieve this is to make it - free software which everyone can redistribute and change under these terms. - . - To do so, attach the following notices to the program. It is safest - to attach them to the start of each source file to most effectively - state the exclusion of warranty; and each file should have at least - the "copyright" line and a pointer to where the full notice is found. - . - - Copyright (C) - . - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU Affero General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - . - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU Affero General Public License for more details. - . - You should have received a copy of the GNU Affero General Public License - along with this program. If not, see . - . - Also add information on how to contact you by electronic and paper mail. - . - If your software can interact with users remotely through a computer - network, you should also make sure that it provides a way for users to - get its source. For example, if your program is a web application, its - interface could display a "Source" link that leads users to an archive - of the code. There are many ways you could offer source, and different - solutions will be better for different programs; see section 13 for the - specific requirements. - . 
- You should also get your employer (if you work as a programmer) or school, - if any, to sign a "copyright disclaimer" for the program, if necessary. - For more information on this, and how to apply and follow the GNU AGPL, see - . + 4. INDEMNIFICATION. IF YOU CONVEY A COVERED WORK AND AGREE WITH ANY RECIPIENT + OF THAT COVERED WORK THAT YOU WILL ASSUME ANY LIABILITY FOR THAT COVERED WORK, + YOU HEREBY AGREE TO INDEMNIFY, DEFEND AND HOLD HARMLESS THE OTHER LICENSORS AND + AUTHORS OF THAT COVERED WORK FOR ANY DAMAGES, DEMANDS, CLAIMS, LOSSES, CAUSES OF + ACTION, LAWSUITS, JUDGMENTS EXPENSES (INCLUDING WITHOUT LIMITATION REASONABLE + ATTORNEYS' FEES AND EXPENSES) OR ANY OTHER LIABILITY ARISING FROM, RELATED TO OR + IN CONNECTION WITH YOUR ASSUMPTIONS OF LIABILITY. diff --git a/debian/make-helper-overrides.bsh b/debian/make-helper-overrides.bsh index 4804b3e..58b7bb3 100755 --- a/debian/make-helper-overrides.bsh +++ b/debian/make-helper-overrides.bsh @@ -1,7 +1,7 @@ #!/bin/bash -## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2021 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/24 -genmkfile_lintian_post_opts+=" --suppress-tags obsolete-command-in-modprobe.d-file --suppress-tags no-complete-debconf-translation" +genmkfile_lintian_post_opts+=" --suppress-tags obsolete-command-in-modprobe.d-file" diff --git a/debian/po/POTFILES.in b/debian/po/POTFILES.in deleted file mode 100644 index 2d13c3f..0000000 --- a/debian/po/POTFILES.in +++ /dev/null @@ -1 +0,0 @@ -[type: gettext/rfc822deb] security-misc-shared.templates diff --git a/debian/po/templates.pot b/debian/po/templates.pot deleted file mode 100644 index 6d99cfe..0000000 --- a/debian/po/templates.pot +++ /dev/null 
@@ -1,36 +0,0 @@ -# SOME DESCRIPTIVE TITLE. -# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER -# This file is distributed under the same license as the security-misc-shared package. -# FIRST AUTHOR , YEAR. -# -#, fuzzy -msgid "" -msgstr "" -"Project-Id-Version: security-misc-shared\n" -"Report-Msgid-Bugs-To: security-misc-shared@packages.debian.org\n" -"POT-Creation-Date: 2025-01-14 09:31-0500\n" -"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" -"Last-Translator: FULL NAME \n" -"Language-Team: LANGUAGE \n" -"Language: \n" -"MIME-Version: 1.0\n" -"Content-Type: text/plain; charset=CHARSET\n" -"Content-Transfer-Encoding: 8bit\n" - -#. Type: note -#. Description -#: ../security-misc-shared.templates:1001 -msgid "Manual intervention may be required for permission-hardener update" -msgstr "" - -#. Type: note -#. Description -#: ../security-misc-shared.templates:1001 -msgid "" -"No need to panic. Nothing is broken. A rare condition has been encountered. " -"permission-hardener is being updated to fix a minor bug that caused " -"corruption in the permission-hardener state file. If you installed your own " -"custom permission-hardener configuration, some manual intervention may be " -"required. See: https://www.kicksecure.com/wiki/" -"SUID_Disabler_and_Permission_Hardener#fixing_state_files" -msgstr "" diff --git a/debian/rules b/debian/rules index ca5e85c..54cbfde 100755 --- a/debian/rules +++ b/debian/rules @@ -1,6 +1,6 @@ #!/usr/bin/make -f -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. #export DH_VERBOSE=1 diff --git a/debian/security-misc-desktop.install b/debian/security-misc-desktop.install deleted file mode 100755 index 609f3f7..0000000 --- a/debian/security-misc-desktop.install +++ /dev/null 
@@ -1,12 +0,0 @@ -#!/usr/bin/dh-exec - -## Copyright (C) 2020 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## This file was generated using 'genmkfile debinstfile'. - -etc/bluetooth/30_security-misc.conf#security-misc-desktop => /etc/bluetooth/30_security-misc.conf -etc/sudoers.d/security-misc-desktop#security-misc-desktop => /etc/sudoers.d/security-misc-desktop -usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf#security-misc-desktop => /usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf -usr/lib/NetworkManager/conf.d/80_randomize-mac.conf#security-misc-desktop => /usr/lib/NetworkManager/conf.d/80_randomize-mac.conf -usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf#security-misc-desktop => /usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf diff --git a/debian/security-misc-server.install b/debian/security-misc-server.install deleted file mode 100755 index 5e86b45..0000000 --- a/debian/security-misc-server.install +++ /dev/null @@ -1,8 +0,0 @@ -#!/usr/bin/dh-exec - -## Copyright (C) 2020 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## This file was generated using 'genmkfile debinstfile'. - -usr/libexec/security-misc/placeholder#security-misc-server => /usr/libexec/security-misc/placeholder diff --git a/debian/security-misc-shared.config b/debian/security-misc-shared.config deleted file mode 100755 index 71d7619..0000000 --- a/debian/security-misc-shared.config +++ /dev/null 
@@ -1,190 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then - source /usr/libexec/helper-scripts/pre.bsh -fi - -source /usr/share/debconf/confmodule - -set -e - -## Not set by DPKG for '.config' script. -DPKG_MAINTSCRIPT_PACKAGE="security-misc-shared" -DPKG_MAINTSCRIPT_NAME="config" - -true " -##################################################################### -## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $* -##################################################################### -" - -## NOTE: Code duplication. -## Copied from: helper-scripts /usr/libexec/helper-scripts/package_installed_check.sh -## -## '.config' scripts are run very early. Even 'Pre-Depends: helper-scripts' would be insufficient. -## Therefore the code is duplicated here. -pkg_installed() { - local package_name dpkg_query_output - local requested_action status error_state - - package_name="$1" - ## Cannot use '&>' because it is a bashism. - dpkg_query_output="$(dpkg-query --show --showformat='${Status}' "$package_name" 2>/dev/null)" || true - ## dpkg_query_output Examples: - ## install ok half-configured - ## install ok installed - - requested_action=$(printf '%s' "$dpkg_query_output" | awk '{print $1}') - status=$(printf '%s' "$dpkg_query_output" | awk '{print $2}') - error_state=$(printf '%s' "$dpkg_query_output" | awk '{print $3}') - - if [ "$requested_action" = 'install' ]; then - true "$0: INFO: $package_name is installed, ok." - return 0 - fi - - true "$0: INFO: $package_name is not installed, ok." - return 1 -} - -check_migrate_permission_hardener_state() { - local pkg_list modified_pkg_data_str custom_hardening_arr config_file - - ## If folder /var/lib/permission-hardener (version 1) does not exist, this migration is unneeded. - if [ ! 
-d '/var/lib/permission-hardener' ]; then - return 0 - fi - - local orig_hardening_arr custom_hardening_arr config_file custom_config_file - if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_2" ]; then - return 0 - fi - mkdir --parents '/var/lib/security-misc/do_once' - - orig_hardening_arr=( - '/usr/lib/permission-hardener.d/25_default_passwd.conf' - '/usr/lib/permission-hardener.d/25_default_sudo.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf' - '/usr/lib/permission-hardener.d/20_user-sysmaint-split.conf' - '/usr/lib/permission-hardener.d/30_ping.conf' - '/usr/lib/permission-hardener.d/30_default.conf' - '/etc/permission-hardener.d/25_default_passwd.conf' - '/etc/permission-hardener.d/25_default_sudo.conf' - '/etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf' - 
'/etc/permission-hardener.d/25_default_whitelist_chromium.conf' - '/etc/permission-hardener.d/25_default_whitelist_dbus.conf' - '/etc/permission-hardener.d/25_default_whitelist_firejail.conf' - '/etc/permission-hardener.d/25_default_whitelist_fuse.conf' - '/etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf' - '/etc/permission-hardener.d/25_default_whitelist_mount.conf' - '/etc/permission-hardener.d/25_default_whitelist_pam.conf' - '/etc/permission-hardener.d/25_default_whitelist_passwd.conf' - '/etc/permission-hardener.d/25_default_whitelist_policykit.conf' - '/etc/permission-hardener.d/25_default_whitelist_postfix.conf' - '/etc/permission-hardener.d/25_default_whitelist_qubes.conf' - '/etc/permission-hardener.d/25_default_whitelist_selinux.conf' - '/etc/permission-hardener.d/25_default_whitelist_spice.conf' - '/etc/permission-hardener.d/25_default_whitelist_ssh.conf' - '/etc/permission-hardener.d/25_default_whitelist_sudo.conf' - '/etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf' - '/etc/permission-hardener.d/25_default_whitelist_virtualbox.conf' - '/etc/permission-hardener.d/20_user-sysmaint-split.conf' - '/etc/permission-hardener.d/30_ping.conf' - '/etc/permission-hardener.d/30_default.conf' - ) - - pkg_list=( "security-misc-shared" ) - if pkg_installed user-sysmaint-split ; then - pkg_list+=( "user-sysmaint-split" ) - fi - if pkg_installed anon-apps-config ; then - pkg_list+=( "anon-apps-config" ) - fi - - ## This will exit non-zero if some of the packages don't exist, but we - ## don't care. The packages that *are* installed will still be scanned. 
- modified_pkg_data_str="$(dpkg --verify "${pkg_list[@]}")" || true - - ## Example modified_pkg_data_str: - #modified_pkg_data_str='missing /usr/lib/permission-hardener.d/20_user-sysmaint-split.conf' - - readarray -t custom_hardening_arr < <(awk '/permission-hardener.d/{ print $NF }' <<< "${modified_pkg_data_str}") - - ## If the above `dpkg --verify` command doesn't return any permission-hardener - ## related lines, the array will contain no meaningful info, just a single - ## blank element at the start. Set the array to be explicitly empty in - ## this scenario. - if [ -z "${custom_hardening_arr[0]}" ]; then - custom_hardening_arr=() - fi - - for config_file in \ - /usr/lib/permission-hardener.d/*.conf \ - /etc/permission-hardener.d/*.conf \ - /usr/local/etc/permission-hardener.d/*.conf \ - /etc/permission-hardening.d/*.conf \ - /usr/local/etc/permission-hardening.d/*.conf - do - # shellcheck disable=SC2076 - if ! [[ " ${orig_hardening_arr[*]} " =~ " ${config_file} " ]]; then - if [ -f "${config_file}" ]; then - custom_hardening_arr+=( "${config_file}" ) - fi - fi - done - - if [ "${#custom_hardening_arr[@]}" != '0' ]; then - for custom_config_file in "${custom_hardening_arr[@]}"; do - if ! test -e "${custom_config_file}" ; then - echo "$0: INFO: Possible missing configuration file found: '${custom_config_file}'" - else - echo "$0: INFO: Possible custom configuration file found: '${custom_config_file}'" - fi - done - ## db_input will return code 30 if the message won't be displayed, which - ## causes a non-interactive install to error out if you don't use || true - db_input critical security-misc-shared/alert-on-permission-hardener-v2-upgrade || true - ## db_go can return code 30 too in some instances, we don't care here - # shellcheck disable=SC2119 - db_go || true - fi - - touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_2" -} - -check_migrate_permission_hardener_state - -true "INFO: debhelper beginning here." 
- -#DEBHELPER# - -true "INFO: Done with debhelper." - -true " -##################################################################### -## INFO: END : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $* -##################################################################### -" - -## Explicitly "exit 0", so eventually trapped errors can be ignored. -exit 0 diff --git a/debian/security-misc-shared.displace b/debian/security-misc-shared.displace deleted file mode 100644 index 29bac06..0000000 --- a/debian/security-misc-shared.displace +++ /dev/null @@ -1,7 +0,0 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -/etc/securetty.security-misc -/etc/security/faillock.conf.security-misc -/etc/usbguard/usbguard-daemon.conf.security-misc -/usr/share/polkit-1/actions/org.freedesktop.Flatpak.policy.security-misc diff --git a/debian/security-misc-shared.gconf-defaults b/debian/security-misc-shared.gconf-defaults deleted file mode 100644 index b79536a..0000000 --- a/debian/security-misc-shared.gconf-defaults +++ /dev/null @@ -1,6 +0,0 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -/apps/nautilus/preview_sound never -/apps/nautilus/show_icon_text never -/apps/nautilus/show-image-thumbnails never diff --git a/debian/security-misc-shared.hide b/debian/security-misc-shared.hide deleted file mode 100644 index 7beb77e..0000000 --- a/debian/security-misc-shared.hide +++ /dev/null @@ -1,6 +0,0 @@ -## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Allows users in the 'sudo' group to install Flatpak software without -## authorization. Breaks user/sysmaint separation, thus disabled. -/usr/share/polkit-1/rules.d/org.freedesktop.Flatpak.rules diff --git a/debian/security-misc-shared.install b/debian/security-misc-shared.install deleted file mode 100755 index 4557c30..0000000 
--- a/debian/security-misc-shared.install +++ /dev/null 
@@ -1,144 +0,0 @@ -#!/usr/bin/dh-exec - -## Copyright (C) 2020 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## This file was generated using 'genmkfile debinstfile'. - -etc/apparmor.d/tunables/home.d/security-misc#security-misc-shared => /etc/apparmor.d/tunables/home.d/security-misc -etc/apt/apt.conf.d/40error-on-any#security-misc-shared => /etc/apt/apt.conf.d/40error-on-any -etc/apt/apt.conf.d/40sandbox#security-misc-shared => /etc/apt/apt.conf.d/40sandbox -etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared => /etc/default/grub.d/40_cpu_mitigations.cfg -etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared => /etc/default/grub.d/40_kernel_hardening.cfg -etc/default/grub.d/40_remount_secure.cfg#security-misc-shared => /etc/default/grub.d/40_remount_secure.cfg -etc/default/grub.d/40_signed_modules.cfg#security-misc-shared => /etc/default/grub.d/40_signed_modules.cfg -etc/default/grub.d/41_quiet_boot.cfg#security-misc-shared => /etc/default/grub.d/41_quiet_boot.cfg -etc/default/grub.d/41_recovery_restrict.cfg#security-misc-shared => /etc/default/grub.d/41_recovery_restrict.cfg -etc/dracut.conf.d/30-security-misc.conf#security-misc-shared => /etc/dracut.conf.d/30-security-misc.conf -etc/gitconfig#security-misc-shared => /etc/gitconfig -etc/hide-hardware-info.d/30_default.conf#security-misc-shared => /etc/hide-hardware-info.d/30_default.conf -etc/kernel/postinst.d/30_remove-system-map#security-misc-shared => /etc/kernel/postinst.d/30_remove-system-map -etc/modprobe.d/30_security-misc_blacklist.conf#security-misc-shared => /etc/modprobe.d/30_security-misc_blacklist.conf -etc/modprobe.d/30_security-misc_conntrack.conf#security-misc-shared => /etc/modprobe.d/30_security-misc_conntrack.conf -etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared => /etc/modprobe.d/30_security-misc_disable.conf -etc/profile.d/30_security-misc.sh#security-misc-shared => /etc/profile.d/30_security-misc.sh 
-etc/securetty.security-misc#security-misc-shared => /etc/securetty.security-misc -etc/security-misc/emerg-shutdown/30_security_misc.conf#security-misc-shared => /etc/security-misc/emerg-shutdown/30_security_misc.conf -etc/security/access-security-misc.conf#security-misc-shared => /etc/security/access-security-misc.conf -etc/security/faillock.conf.security-misc#security-misc-shared => /etc/security/faillock.conf.security-misc -etc/security/limits.d/30_security-misc.conf#security-misc-shared => /etc/security/limits.d/30_security-misc.conf -etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml#security-misc-shared => /etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml -etc/skel/.gnupg/gpg.conf#security-misc-shared => /etc/skel/.gnupg/gpg.conf -etc/ssh/ssh_config.d/30_security-misc.conf#security-misc-shared => /etc/ssh/ssh_config.d/30_security-misc.conf -etc/ssh/sshd_config.d/30_security-misc.conf#security-misc-shared => /etc/ssh/sshd_config.d/30_security-misc.conf -etc/sudoers.d/security-misc#security-misc-shared => /etc/sudoers.d/security-misc -etc/systemd/system/emergency.service.d/override.conf#security-misc-shared => /etc/systemd/system/emergency.service.d/override.conf -etc/systemd/system/rescue.service.d/override.conf#security-misc-shared => /etc/systemd/system/rescue.service.d/override.conf -etc/usbguard/IPCAccessControl.d/:qubes#security-misc-shared => /etc/usbguard/IPCAccessControl.d/:qubes -etc/usbguard/IPCAccessControl.d/:sudo#security-misc-shared => /etc/usbguard/IPCAccessControl.d/:sudo -etc/usbguard/rules.d/30_security-misc.conf#security-misc-shared => /etc/usbguard/rules.d/30_security-misc.conf -etc/usbguard/usbguard-daemon.conf.security-misc#security-misc-shared => /etc/usbguard/usbguard-daemon.conf.security-misc -usr/bin/disabled-bluetooth-by-security-misc#security-misc-shared => /usr/bin/disabled-bluetooth-by-security-misc -usr/bin/disabled-cdrom-by-security-misc#security-misc-shared => /usr/bin/disabled-cdrom-by-security-misc 
-usr/bin/disabled-cpumsr-by-security-misc#security-misc-shared => /usr/bin/disabled-cpumsr-by-security-misc -usr/bin/disabled-filesys-by-security-misc#security-misc-shared => /usr/bin/disabled-filesys-by-security-misc -usr/bin/disabled-firewire-by-security-misc#security-misc-shared => /usr/bin/disabled-firewire-by-security-misc -usr/bin/disabled-framebuffer-by-security-misc#security-misc-shared => /usr/bin/disabled-framebuffer-by-security-misc -usr/bin/disabled-gps-by-security-misc#security-misc-shared => /usr/bin/disabled-gps-by-security-misc -usr/bin/disabled-intelme-by-security-misc#security-misc-shared => /usr/bin/disabled-intelme-by-security-misc -usr/bin/disabled-intelpmt-by-security-misc#security-misc-shared => /usr/bin/disabled-intelpmt-by-security-misc -usr/bin/disabled-miscellaneous-by-security-misc#security-misc-shared => /usr/bin/disabled-miscellaneous-by-security-misc -usr/bin/disabled-netfilesys-by-security-misc#security-misc-shared => /usr/bin/disabled-netfilesys-by-security-misc -usr/bin/disabled-network-by-security-misc#security-misc-shared => /usr/bin/disabled-network-by-security-misc -usr/bin/disabled-thunderbolt-by-security-misc#security-misc-shared => /usr/bin/disabled-thunderbolt-by-security-misc -usr/bin/permission-hardener#security-misc-shared => /usr/bin/permission-hardener -usr/bin/remount-secure#security-misc-shared => /usr/bin/remount-secure -usr/lib/dracut/modules.d-disabled/20remount-secure/module-setup.sh#security-misc-shared => /usr/lib/dracut/modules.d-disabled/20remount-secure/module-setup.sh -usr/lib/dracut/modules.d-disabled/20remount-secure/remount-secure.sh#security-misc-shared => /usr/lib/dracut/modules.d-disabled/20remount-secure/remount-secure.sh -usr/lib/dracut/modules.d/99emerg-shutdown/module-setup.sh#security-misc-shared => /usr/lib/dracut/modules.d/99emerg-shutdown/module-setup.sh -usr/lib/issue.d/20_security-misc.issue#security-misc-shared => /usr/lib/issue.d/20_security-misc.issue 
-usr/lib/modules-load.d/30_security-misc.conf#security-misc-shared => /usr/lib/modules-load.d/30_security-misc.conf -usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf -usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf -usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf -usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf -usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf -usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf -usr/lib/permission-hardener.d/25_default_whitelist_mount.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_mount.conf -usr/lib/permission-hardener.d/25_default_whitelist_pam.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_pam.conf -usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf -usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf -usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf -usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf 
-usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf -usr/lib/permission-hardener.d/25_default_whitelist_spice.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_spice.conf -usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf -usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf -usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf -usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf -usr/lib/permission-hardener.d/30_default.conf#security-misc-shared => /usr/lib/permission-hardener.d/30_default.conf -usr/lib/sysctl.d/30_security-misc_kexec-disable.conf#security-misc-shared => /usr/lib/sysctl.d/30_security-misc_kexec-disable.conf -usr/lib/sysctl.d/30_security-misc_ptrace-disable.conf#security-misc-shared => /usr/lib/sysctl.d/30_security-misc_ptrace-disable.conf -usr/lib/sysctl.d/30_silent-kernel-printk.conf#security-misc-shared => /usr/lib/sysctl.d/30_silent-kernel-printk.conf -usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared => /usr/lib/sysctl.d/990-security-misc.conf -usr/lib/systemd/coredump.conf.d/30_security-misc.conf#security-misc-shared => /usr/lib/systemd/coredump.conf.d/30_security-misc.conf -usr/lib/systemd/pstore.conf.d/30_security-misc.conf#security-misc-shared => /usr/lib/systemd/pstore.conf.d/30_security-misc.conf -usr/lib/systemd/system-preset/50-security-misc.preset#security-misc-shared => /usr/lib/systemd/system-preset/50-security-misc.preset -usr/lib/systemd/system/block-shutdown.service#security-misc-shared => 
/usr/lib/systemd/system/block-shutdown.service -usr/lib/systemd/system/emerg-shutdown.service#security-misc-shared => /usr/lib/systemd/system/emerg-shutdown.service -usr/lib/systemd/system/ensure-shutdown-trigger.service#security-misc-shared => /usr/lib/systemd/system/ensure-shutdown-trigger.service -usr/lib/systemd/system/ensure-shutdown.service#security-misc-shared => /usr/lib/systemd/system/ensure-shutdown.service -usr/lib/systemd/system/harden-module-loading.service#security-misc-shared => /usr/lib/systemd/system/harden-module-loading.service -usr/lib/systemd/system/haveged.service.d/30_security-misc.conf#security-misc-shared => /usr/lib/systemd/system/haveged.service.d/30_security-misc.conf -usr/lib/systemd/system/hide-hardware-info.service#security-misc-shared => /usr/lib/systemd/system/hide-hardware-info.service -usr/lib/systemd/system/kill-vboxdrmclient-on-shutdown.service#security-misc-shared => /usr/lib/systemd/system/kill-vboxdrmclient-on-shutdown.service -usr/lib/systemd/system/panic-on-oops.service#security-misc-shared => /usr/lib/systemd/system/panic-on-oops.service -usr/lib/systemd/system/permission-hardener.service#security-misc-shared => /usr/lib/systemd/system/permission-hardener.service -usr/lib/systemd/system/proc-hidepid.service#security-misc-shared => /usr/lib/systemd/system/proc-hidepid.service -usr/lib/systemd/system/remount-secure.service#security-misc-shared => /usr/lib/systemd/system/remount-secure.service -usr/lib/systemd/system/remove-system-map.service#security-misc-shared => /usr/lib/systemd/system/remove-system-map.service -usr/lib/systemd/system/sysinit-post.target#security-misc-shared => /usr/lib/systemd/system/sysinit-post.target -usr/lib/systemd/system/usbguard.service.d/30_security-misc.conf#security-misc-shared => /usr/lib/systemd/system/usbguard.service.d/30_security-misc.conf -usr/lib/systemd/system/user@.service.d/sysfs.conf#security-misc-shared => /usr/lib/systemd/system/user@.service.d/sysfs.conf 
-usr/lib/systemd/user/usbguard-notifier.service.d/30_security-misc.conf#security-misc-shared => /usr/lib/systemd/user/usbguard-notifier.service.d/30_security-misc.conf -usr/lib/udev/rules.d/95-emerg-shutdown.rules#security-misc-shared => /usr/lib/udev/rules.d/95-emerg-shutdown.rules -usr/libexec/security-misc/askpass#security-misc-shared => /usr/libexec/security-misc/askpass -usr/libexec/security-misc/block-unsafe-logins#security-misc-shared => /usr/libexec/security-misc/block-unsafe-logins -usr/libexec/security-misc/check-for-usb-controller#security-misc-shared => /usr/libexec/security-misc/check-for-usb-controller -usr/libexec/security-misc/disable-kernel-module-loading#security-misc-shared => /usr/libexec/security-misc/disable-kernel-module-loading -usr/libexec/security-misc/echo-path#security-misc-shared => /usr/libexec/security-misc/echo-path -usr/libexec/security-misc/emerg-shutdown#security-misc-shared => /usr/libexec/security-misc/emerg-shutdown -usr/libexec/security-misc/ensure-shutdown#security-misc-shared => /usr/libexec/security-misc/ensure-shutdown -usr/libexec/security-misc/hide-hardware-info#security-misc-shared => /usr/libexec/security-misc/hide-hardware-info -usr/libexec/security-misc/kill-vboxdrmclient-on-shutdown#security-misc-shared => /usr/libexec/security-misc/kill-vboxdrmclient-on-shutdown -usr/libexec/security-misc/mmap-rnd-bits#security-misc-shared => /usr/libexec/security-misc/mmap-rnd-bits -usr/libexec/security-misc/pam-abort-on-locked-password#security-misc-shared => /usr/libexec/security-misc/pam-abort-on-locked-password -usr/libexec/security-misc/pam-info#security-misc-shared => /usr/libexec/security-misc/pam-info -usr/libexec/security-misc/pam_faillock_not_if_x#security-misc-shared => /usr/libexec/security-misc/pam_faillock_not_if_x -usr/libexec/security-misc/pam_only_if_login#security-misc-shared => /usr/libexec/security-misc/pam_only_if_login -usr/libexec/security-misc/pam_only_if_su#security-misc-shared => 
/usr/libexec/security-misc/pam_only_if_su -usr/libexec/security-misc/panic-on-oops#security-misc-shared => /usr/libexec/security-misc/panic-on-oops -usr/libexec/security-misc/permission-lockdown#security-misc-shared => /usr/libexec/security-misc/permission-lockdown -usr/libexec/security-misc/remove-system.map#security-misc-shared => /usr/libexec/security-misc/remove-system.map -usr/libexec/security-misc/virusforget#security-misc-shared => /usr/libexec/security-misc/virusforget -usr/share/doc/security-misc/fstab-vm#security-misc-shared => /usr/share/doc/security-misc/fstab-vm -usr/share/glib-2.0/schemas/30_security-misc.gschema.override#security-misc-shared => /usr/share/glib-2.0/schemas/30_security-misc.gschema.override -usr/share/lintian/overrides/security-misc-shared#security-misc-shared => /usr/share/lintian/overrides/security-misc-shared -usr/share/pam-configs/block-unsafe-logins-security-misc#security-misc-shared => /usr/share/pam-configs/block-unsafe-logins-security-misc -usr/share/pam-configs/console-lockdown-security-misc#security-misc-shared => /usr/share/pam-configs/console-lockdown-security-misc -usr/share/pam-configs/faillock-preauth-security-misc#security-misc-shared => /usr/share/pam-configs/faillock-preauth-security-misc -usr/share/pam-configs/mkhomedir-security-misc#security-misc-shared => /usr/share/pam-configs/mkhomedir-security-misc -usr/share/pam-configs/pam-abort-on-locked-password-security-misc#security-misc-shared => /usr/share/pam-configs/pam-abort-on-locked-password-security-misc -usr/share/pam-configs/umask-security-misc#security-misc-shared => /usr/share/pam-configs/umask-security-misc -usr/share/pam-configs/unix-faillock-security-misc#security-misc-shared => /usr/share/pam-configs/unix-faillock-security-misc -usr/share/pam-configs/wheel-security-misc#security-misc-shared => /usr/share/pam-configs/wheel-security-misc -usr/share/polkit-1/actions/org.freedesktop.Flatpak.policy.security-misc#security-misc-shared => 
/usr/share/polkit-1/actions/org.freedesktop.Flatpak.policy.security-misc -usr/share/security-misc/dolphinrc#security-misc-shared => /usr/share/security-misc/dolphinrc -usr/share/security-misc/emerg-shutdown-initramfs.service#security-misc-shared => /usr/share/security-misc/emerg-shutdown-initramfs.service -usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf#security-misc-shared => /usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf -usr/share/security-misc/lkrg/lkrg-virtualbox#security-misc-shared => /usr/share/security-misc/lkrg/lkrg-virtualbox -usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded#security-misc-shared => /usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded -usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded#security-misc-shared => /usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded -usr/share/security-misc/security-misc-memlockd.cfg#security-misc-shared => /usr/share/security-misc/security-misc-memlockd.cfg -usr/src/security-misc/emerg-shutdown.c#security-misc-shared => /usr/src/security-misc/emerg-shutdown.c -var/cache/security-misc/state-files/placeholder#security-misc-shared => /var/cache/security-misc/state-files/placeholder diff --git a/debian/security-misc-shared.links b/debian/security-misc-shared.links deleted file mode 100644 index c3369df..0000000 --- a/debian/security-misc-shared.links +++ /dev/null @@ -1,5 +0,0 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -/etc/profile.d/30_security-misc.sh /etc/zprofile.d/30_security-misc.zsh -/etc/profile.d/30_security-misc.sh /etc/X11/Xsession.d/30_security-misc diff --git a/debian/security-misc-shared.maintscript b/debian/security-misc-shared.maintscript deleted file mode 100644 index f1c6114..0000000 --- a/debian/security-misc-shared.maintscript +++ /dev/null 
@@ -1,111 +0,0 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -rm_conffile /etc/sudoers.d/umask-security-misc - -## https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079 -rm_conffile /etc/sysctl.d/sysrq.conf - -## https://github.com/Kicksecure/security-misc/pull/45 -rm_conffile /etc/apparmor.d/usr.lib.security-misc.pam_tally2-info -rm_conffile /etc/apparmor.d/usr.lib.security-misc.permission-lockdown - -## merged into 3 files /usr/lib/sysctl.d/30_security-misc_kexec-disable.conf, /usr/lib/sysctl.d/30_silent-kernel-printk.conf, and /usr/lib/sysctl.d/990-security-misc.conf -rm_conffile /etc/sysctl.d/fs_protected.conf -rm_conffile /etc/sysctl.d/kptr_restrict.conf -rm_conffile /etc/sysctl.d/suid_dumpable.conf -rm_conffile /etc/sysctl.d/harden_bpf.conf -rm_conffile /etc/sysctl.d/ptrace_scope.conf -rm_conffile /etc/sysctl.d/tcp_timestamps.conf -rm_conffile /etc/sysctl.d/mmap_aslr.conf -rm_conffile /etc/sysctl.d/dmesg_restrict.conf -rm_conffile /etc/sysctl.d/coredumps.conf -rm_conffile /etc/sysctl.d/kexec.conf -rm_conffile /etc/sysctl.d/tcp_hardening.conf -rm_conffile /etc/sysctl.d/tcp_sack.conf - -## merged into 3 files /etc/modprobe.d/30_security-misc_blacklist.conf, 30_security-misc_conntrack.conf, and /etc/modprobe.d/30_security-misc_disable.conf -rm_conffile /etc/modprobe.d/uncommon-network-protocols.conf -rm_conffile /etc/modprobe.d/blacklist-bluetooth.conf -rm_conffile /etc/modprobe.d/vivid.conf -rm_conffile /etc/modprobe.d/blacklist-dma.conf -rm_conffile /etc/modprobe.d/msr.conf -rm_conffile /etc/modprobe.d/30_nf_conntrack_helper_disable.conf -rm_conffile /etc/modprobe.d/30_security-misc.conf - -## renamed to /etc/security/limits.d/30_security-misc.conf -rm_conffile /etc/security/limits.d/disable-coredumps.conf - -## moved to separate package ram-wipe -rm_conffile /etc/default/grub.d/40_cold_boot_attack_defense.cfg - -rm_conffile /etc/X11/Xsession.d/50panic_on_oops -rm_conffile 
/etc/X11/Xsession.d/50security-misc - -## moved to /usr/lib/sysctl.d -rm_conffile /etc/sysctl.d/30_security-misc.conf -rm_conffile /etc/sysctl.d/30_silent-kernel-printk.conf -rm_conffile /etc/sysctl.d/30_security-misc_kexec-disable.conf - -## moved to /etc/permission-hardener.d -rm_conffile /etc/permission-hardening.d/25_default_passwd.conf -rm_conffile /etc/permission-hardening.d/25_default_sudo.conf -rm_conffile /etc/permission-hardening.d/25_default_whitelist_bubblewrap.conf -rm_conffile /etc/permission-hardening.d/25_default_whitelist_chromium.conf -rm_conffile /etc/permission-hardening.d/25_default_whitelist_dbus.conf -rm_conffile /etc/permission-hardening.d/25_default_whitelist_firejail.conf -rm_conffile /etc/permission-hardening.d/25_default_whitelist_fuse.conf -rm_conffile /etc/permission-hardening.d/25_default_whitelist_hardened_malloc.conf -rm_conffile /etc/permission-hardening.d/25_default_whitelist_mount.conf -rm_conffile /etc/permission-hardening.d/25_default_whitelist_pam.conf -rm_conffile /etc/permission-hardening.d/25_default_whitelist_policykit.conf -rm_conffile /etc/permission-hardening.d/25_default_whitelist_qubes.conf -rm_conffile /etc/permission-hardening.d/25_default_whitelist_selinux.conf -rm_conffile /etc/permission-hardening.d/25_default_whitelist_spice.conf -rm_conffile /etc/permission-hardening.d/25_default_whitelist_ssh.conf -rm_conffile /etc/permission-hardening.d/25_default_whitelist_sudo.conf -rm_conffile /etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf -rm_conffile /etc/permission-hardening.d/25_default_whitelist_virtualbox.conf -rm_conffile /etc/permission-hardening.d/30_default.conf - -## moved to /usr/lib/permission-hardener.d -rm_conffile /etc/permission-hardener.d/25_default_passwd.conf -rm_conffile /etc/permission-hardener.d/25_default_sudo.conf -rm_conffile /etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf -rm_conffile /etc/permission-hardener.d/25_default_whitelist_chromium.conf -rm_conffile 
/etc/permission-hardener.d/25_default_whitelist_dbus.conf -rm_conffile /etc/permission-hardener.d/25_default_whitelist_firejail.conf -rm_conffile /etc/permission-hardener.d/25_default_whitelist_fuse.conf -rm_conffile /etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf -rm_conffile /etc/permission-hardener.d/25_default_whitelist_mount.conf -rm_conffile /etc/permission-hardener.d/25_default_whitelist_pam.conf -rm_conffile /etc/permission-hardener.d/25_default_whitelist_policykit.conf -rm_conffile /etc/permission-hardener.d/25_default_whitelist_postfix.conf -rm_conffile /etc/permission-hardener.d/25_default_whitelist_qubes.conf -rm_conffile /etc/permission-hardener.d/25_default_whitelist_selinux.conf -rm_conffile /etc/permission-hardener.d/25_default_whitelist_spice.conf -rm_conffile /etc/permission-hardener.d/25_default_whitelist_ssh.conf -rm_conffile /etc/permission-hardener.d/25_default_whitelist_sudo.conf -rm_conffile /etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf -rm_conffile /etc/permission-hardener.d/25_default_whitelist_virtualbox.conf -rm_conffile /etc/permission-hardener.d/30_default.conf - -## merged into 1 file /etc/default/grub.d/40_kernel_hardening.cfg -rm_conffile /etc/default/grub.d/40_distrust_bootloader.cfg -rm_conffile /etc/default/grub.d/40_distrust_cpu.cfg -rm_conffile /etc/default/grub.d/40_enable_iommu.cfg - -## renamed to /etc/default/grub.d/40_remount_secure.cfg -rm_conffile /etc/default/grub.d/40_remmount-secure.cfg - -## renamed to /etc/default/grub.d/40_signed_modules.cfg -rm_conffile /etc/default/grub.d/40_only_allow_signed_modules.cfg - -## renamed to /etc/default/grub.d/41_quiet_boot.cfg -rm_conffile /etc/default/grub.d/41_quiet.cfg - -## moved to usability-misc -rm_conffile /etc/dkms/framework.conf.d/30_security-misc.conf - -## renamed to reflect the fact that this uses a whitelist -rm_conffile /usr/lib/permission-hardener.d/25_default_passwd.conf 
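Review bot: The debian/rules hunk moves the copyright line backwards, from `2012 - 2025 ENCRYPTED SUPPORT LLC` to `2012 - 2021 ENCRYPTED SUPPORT LP`, changing both the year range and the legal entity in a file that is otherwise untouched. If this is a side effect of restoring an older tree rather than an intended change, keep the existing line so the header matches the LLC notices in the other files this patch touches.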
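Review bot: In debian/security-misc-shared.config, pkg_installed() returns 0 whenever the requested action is 'install' and never consults the `status` and `error_state` values it parses, so the comment's own example `install ok half-configured` is reported as installed. If this script is being relocated rather than dropped, compare `status` against 'installed' or delete the two unused variables, and collapse the duplicate `local` declarations of `custom_hardening_arr` and `config_file` in check_migrate_permission_hardener_state(). If it is being dropped, say in the commit message why the one-time notice `security-misc-shared/alert-on-permission-hardener-v2-upgrade` is no longer needed for users with custom permission-hardener configuration.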
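Review bot: Deleting debian/security-misc-shared.hide drops the entry for `/usr/share/polkit-1/rules.d/org.freedesktop.Flatpak.rules`, which the removed comment describes as allowing users in the 'sudo' group to install Flatpak software without authorization and as breaking user/sysmaint separation. Nothing in the visible hunks replaces it, so please point to where that rule is hidden after this change, or keep the entry. The same question applies to the `org.freedesktop.Flatpak.policy.security-misc` line removed from the .displace file.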
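Review bot: Deleting debian/security-misc-shared.maintscript removes every `rm_conffile` entry at once, including the blocks commented "moved to /usr/lib/sysctl.d" and "moved to /usr/lib/permission-hardener.d". A system upgrading from a release that still shipped those files under /etc will no longer have the obsolete conffiles removed, and a stale copy in /etc/sysctl.d or /etc/permission-hardener.d can stay in effect next to its replacement. Please confirm the entries are carried in another maintscript, or keep this file.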
diff --git a/debian/security-misc-shared.postinst b/debian/security-misc-shared.postinst deleted file mode 100755 index a246308..0000000 --- a/debian/security-misc-shared.postinst +++ /dev/null 
@@ -1,212 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then - source /usr/libexec/helper-scripts/pre.bsh -fi - -## Required since this package uses debconf - this is mandatory even though -## the postinst itself does not use debconf commands. -source /usr/share/debconf/confmodule - -set -e - -true " -##################################################################### -## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $* -##################################################################### -" - -permission_hardening_legacy_config_folder() { - if ! test -d /etc/permission-hardening.d ; then - return 0 - fi - rmdir --verbose --ignore-fail-on-non-empty /etc/permission-hardening.d || true -} - -permission_hardening() { - echo "Running SUID Disabler and Permission Hardener... See also:" - echo "https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener" - echo "$0: INFO: running: permission-hardener enable" - if ! permission-hardener enable ; then - echo "$0: ERROR: Permission hardening failed." >&2 - return 0 - fi - echo "$0: INFO: Permission hardening success." -} - -fix_pkexec_remembered_permissions() { - if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then - return 0 - fi - mkdir --parents '/var/lib/security-misc/do_once' - - if ! [ -f "/var/lib/permission-hardener-v2/existing_mode/statoverride" ]; then - ## 'statoverride' file does not exist yet. Therefore no need to fix it using 'str_replace'. - touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" - return 0 - fi - - ## The existing_mode database may incorrectly list the original permissions - ## of pkexec as '755'. They should be '4755'. Fix this with str_replace. If - ## this issue is not present, str_replace will do nothing. 
- str_replace 'root root 755 /usr/bin/pkexec' \ - 'root root 4755 /usr/bin/pkexec' \ - /var/lib/permission-hardener-v2/existing_mode/statoverride - - touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" -} - -install_permission_hardener_base_state() { - local state_str - - if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then - return 0 - fi - mkdir --parents '/var/lib/security-misc/do_once' - - if [ -f "/var/lib/permission-hardener-v2/existing_mode/statoverride" ]; then - ## 'statoverride' file already exists. Therefore no need to pre-populate it. - touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" - return 0 - fi - - mkdir --parents -- '/var/lib/permission-hardener-v2/existing_mode' - state_str="root root 644 /etc/passwd- -root root 755 /etc/cron.monthly -root root 755 /etc/sudoers.d -root shadow 2755 /usr/bin/expiry -root root 4755 /usr/bin/umount -root root 4755 /usr/bin/gpasswd -root root 755 /usr/lib/modules -root root 644 /etc/issue.net -root root 644 /etc/group- -root root 4755 /usr/bin/newgrp -root root 755 /etc/cron.weekly -root root 4755 /usr/lib/polkit-1/polkit-agent-helper-1 -root root 644 /etc/hosts.deny -root root 4755 /usr/bin/newgidmap -root root 644 /etc/issue.kicksecure -root root 4755 /usr/bin/pkexec -root root 4755 /usr/bin/su -root root 644 /etc/hosts.allow -root root 700 /root -root root 755 /etc/cron.daily -root root 644 /etc/motd -root root 4755 /usr/bin/newuidmap -root root 755 /boot -root root 755 /home -root shadow 2755 /usr/bin/chage -root root 4755 /usr/lib/openssh/ssh-keysign -root root 4755 /usr/bin/ntfs-3g -root root 4755 /usr/bin/chsh -root root 644 /etc/motd.kicksecure -root root 755 /usr/bin/su-to-root -root root 4755 /usr/bin/passwd -root root 4755 /usr/bin/chfn -root root 644 /etc/group -root root 4755 /usr/bin/sudo -root root 644 /etc/passwd -root root 755 /usr/src -root root 4755 /usr/bin/mount -root root 644 /etc/issue -root root 755 /etc/cron.d" - - printf '%s\n' "$state_str" | 
tee /var/lib/permission-hardener-v2/existing_mode/statoverride - - touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" -} - -case "$1" in - configure) - if [ -d /etc/skel/.gnupg ]; then - ## Lintian warns against use of chmod --recursive. - chmod 700 /etc/skel/.gnupg - fi - - ## /usr/share/glib-2.0/schemas/30_security-misc.gschema.override - glib-compile-schemas /usr/share/glib-2.0/schemas || true - - ## state dir for PAM 'faillock' - mkdir -p /var/lib/security-misc/faillock - - ## Fix pkexec remembered permissions if necessary. - fix_pkexec_remembered_permissions - - ## Pre-populate permission-hardener state on first postinst run. - ## Necessary because the first permission-hardener run may occur - ## before all permissions are set properly by package postinst - ## scripts. In particular, pkexec is not SUID-root until after its - ## postinst runs. - install_permission_hardener_base_state - - ## Fix usbguard config permissions, this seemingly can't be done - ## during the unpack stage - usbguard_config_file_list=( - '/etc/usbguard/rules.d/30_security-misc.conf' - '/etc/usbguard/usbguard-daemon.conf.security-misc' - '/etc/usbguard/IPCAccessControl.d/:sudo' - '/etc/usbguard/IPCAccessControl.d/:qubes' - ) - for usbguard_config_file in "${usbguard_config_file_list[@]}"; do - if test -f "${usbguard_config_file}"; then - chmod 0600 "${usbguard_config_file}" - fi - done - ;; - - abort-upgrade|abort-remove|abort-deconfigure) - ;; - - triggered) - echo "INFO: triggered $DPKG_MAINTSCRIPT_PACKAGE: '$DPKG_MAINTSCRIPT_PACKAGE' $DPKG_MAINTSCRIPT_PACKAGE DPKG_MAINTSCRIPT_NAME: '$DPKG_MAINTSCRIPT_NAME' $\*: '$*' 2: '$2'" - /usr/share/security-misc/lkrg/lkrg-virtualbox || true - /usr/libexec/security-misc/mmap-rnd-bits || true - permission_hardening - exit 0 - ;; - - *) - echo "$DPKG_MAINTSCRIPT_NAME called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -pam-auth-update --package - -/usr/libexec/security-misc/permission-lockdown - -permission_hardening - -## 
https://phabricator.whonix.org/T377 -## Debian has no update-grub trigger yet: -## https://bugs.debian.org/481542 -if command -v update-grub >/dev/null 2>&1; then - update-grub || \ - echo "$DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME ERROR: Running \ -'update-grub' failed with exit code $?. $DPKG_MAINTSCRIPT_PACKAGE is most \ -likely only the trigger, not the cause. Unless you know this is not an issue, \ -you should fix running 'update-grub', otherwise your system might no longer \ -boot." >&2 -fi - -/usr/libexec/security-misc/mmap-rnd-bits || true - -true "INFO: debhelper beginning here." - -#DEBHELPER# - -true "INFO: Done with debhelper." - -permission_hardening_legacy_config_folder - -true " -##################################################################### -## INFO: END : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $* -##################################################################### -" - -## Explicitly "exit 0", so eventually trapped errors can be ignored. -exit 0 diff --git a/debian/security-misc-shared.templates b/debian/security-misc-shared.templates deleted file mode 100644 index d45dfa1..0000000 --- a/debian/security-misc-shared.templates +++ /dev/null @@ -1,9 +0,0 @@ -Template: security-misc-shared/alert-on-permission-hardener-v2-upgrade -Type: note -_Description: Manual intervention may be required for permission-hardener update - No need to panic. Nothing is broken. A rare condition has been encountered. - permission-hardener is being updated to fix a minor bug that caused - corruption in the permission-hardener state file. If you installed your own - custom permission-hardener configuration, some manual intervention may be - required. See: - https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#fixing_state_files diff --git a/debian/security-misc-shared.triggers b/debian/security-misc-shared.triggers deleted file mode 100644 index 1f4a592..0000000 --- a/debian/security-misc-shared.triggers +++ /dev/null 
@@ -1,16 +0,0 @@ -## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## use noawait -## https://github.com/Kicksecure/security-misc/issues/196 - -## Trigger permission hardener when new binaries are being installed. -interest-noawait /usr -interest-noawait /opt - -## Trigger permission hardener when new configuration files are being installed. -interest-noawait /usr/lib/permission-hardener.d -interest-noawait /etc/permission-hardener.d -interest-noawait /usr/local/etc/permission-hardener.d -interest-noawait /etc/permission-hardening.d -interest-noawait /usr/local/etc/permission-hardening.d diff --git a/debian/security-misc-shared.undisplace b/debian/security-misc-shared.undisplace deleted file mode 100644 index 990101a..0000000 --- a/debian/security-misc-shared.undisplace +++ /dev/null @@ -1,6 +0,0 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -/etc/login.defs.security-misc -/usr/bin/pkexec.security-misc -/etc/dkms/framework.conf.security-misc diff --git a/debian/security-misc.displace b/debian/security-misc.displace new file mode 100644 index 0000000..b7cba93 --- /dev/null +++ b/debian/security-misc.displace @@ -0,0 +1,6 @@ +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +/etc/securetty.security-misc +/etc/security/faillock.conf.security-misc +/etc/dkms/framework.conf.security-misc diff --git a/debian/security-misc-shared.displace-extension b/debian/security-misc.displace-extension similarity index 100% rename from debian/security-misc-shared.displace-extension rename to debian/security-misc.displace-extension diff --git a/debian/security-misc.gconf-defaults b/debian/security-misc.gconf-defaults new file mode 100644 index 0000000..26d57ff --- /dev/null +++ b/debian/security-misc.gconf-defaults 
@@ -0,0 +1,3 @@ +/apps/nautilus/preview_sound never +/apps/nautilus/show_icon_text never +/apps/nautilus/show-image-thumbnails never diff --git a/debian/security-misc.install b/debian/security-misc.install new file mode 100644 index 0000000..2748341 --- /dev/null +++ b/debian/security-misc.install @@ -0,0 +1,9 @@ +## Copyright (C) 2020 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## This file was generated using genmkfile 'make debinstfile'. + +etc/* +lib/* +usr/* +var/* diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript new file mode 100644 index 0000000..dce7414 --- /dev/null +++ b/debian/security-misc.maintscript 
@@ -0,0 +1,39 @@ +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +rm_conffile /etc/sudoers.d/umask-security-misc + +## https://forums.whonix.org/t/allow-loading-signed-kernel-modules-by-default-disallow-kernel-module-loading-by-default/7880/23 +rm_conffile /etc/default/grub.d/40_only_allow_signed_modules.cfg + +## https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079 +rm_conffile /etc/sysctl.d/sysrq.conf + +## https://github.com/Whonix/security-misc/pull/45 +rm_conffile /etc/apparmor.d/usr.lib.security-misc.pam_tally2-info +rm_conffile /etc/apparmor.d/usr.lib.security-misc.permission-lockdown + +## merged into 1 file /etc/sysctl.d/30_security-misc.conf +rm_conffile /etc/sysctl.d/fs_protected.conf +rm_conffile /etc/sysctl.d/kptr_restrict.conf +rm_conffile /etc/sysctl.d/suid_dumpable.conf +rm_conffile /etc/sysctl.d/harden_bpf.conf +rm_conffile /etc/sysctl.d/ptrace_scope.conf +rm_conffile /etc/sysctl.d/tcp_timestamps.conf +rm_conffile /etc/sysctl.d/mmap_aslr.conf +rm_conffile /etc/sysctl.d/dmesg_restrict.conf +rm_conffile /etc/sysctl.d/coredumps.conf +rm_conffile /etc/sysctl.d/kexec.conf +rm_conffile /etc/sysctl.d/tcp_hardening.conf +rm_conffile /etc/sysctl.d/tcp_sack.conf + +## merged into 1 file /etc/modprobe.d/30_security-misc.conf +rm_conffile /etc/modprobe.d/uncommon-network-protocols.conf +rm_conffile /etc/modprobe.d/blacklist-bluetooth.conf +rm_conffile /etc/modprobe.d/vivid.conf +rm_conffile /etc/modprobe.d/blacklist-dma.conf +rm_conffile /etc/modprobe.d/msr.conf +rm_conffile /etc/modprobe.d/30_nf_conntrack_helper_disable.conf + +## renamed to /etc/security/limits.d/30_security-misc.conf +rm_conffile /etc/security/limits.d/disable-coredumps.conf diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst new file mode 100644 index 0000000..cd4bf19 --- /dev/null +++ b/debian/security-misc.postinst 
@@ -0,0 +1,73 @@ +#!/bin/bash + +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then + source /usr/libexec/helper-scripts/pre.bsh +fi + +set -e + +true " +##################################################################### +## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@ +##################################################################### +" + +case "$1" in + configure) + if [ -d /etc/skel/.gnupg ]; then + ## Lintian warns against use of chmod --recursive. + chmod 700 /etc/skel/.gnupg + fi + + ## /usr/share/glib-2.0/schemas/30_security-misc.gschema.override + glib-compile-schemas /usr/share/glib-2.0/schemas || true + ;; + + abort-upgrade|abort-remove|abort-deconfigure) + ;; + + triggered) + echo "INFO: triggered $DPKG_MAINTSCRIPT_PACKAGE: '$DPKG_MAINTSCRIPT_PACKAGE' $DPKG_MAINTSCRIPT_PACKAGE DPKG_MAINTSCRIPT_NAME: '$DPKG_MAINTSCRIPT_NAME' $\@: '$@' 2: '$2'" + /usr/share/security-misc/lkrg/lkrg-virtualbox || true + exit 0 + ;; + + *) + echo "$DPKG_MAINTSCRIPT_NAME called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +pam-auth-update --package + +/usr/libexec/security-misc/permission-lockdown + +## https://phabricator.whonix.org/T377 +## Debian has no update-grub trigger yet: +## https://bugs.debian.org/481542 +if command -v update-grub >/dev/null 2>&1; then + update-grub || \ + echo "$DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME ERROR: Running \ +'update-grub' failed with exit code $?. $DPKG_MAINTSCRIPT_PACKAGE is most \ +likely only the trigger, not the cause. Unless you know this is not an issue, \ +you should fix running 'update-grub', otherwise your system might no longer \ +boot." >&2 +fi + +true "INFO: debhelper beginning here." + +#DEBHELPER# + +true "INFO: Done with debhelper." 
+ +true " +##################################################################### +## INFO: END : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@ +##################################################################### +" + +## Explicitly "exit 0", so eventually trapped errors can be ignored. +exit 0 diff --git a/debian/security-misc-shared.postrm b/debian/security-misc.postrm old mode 100755 new mode 100644 similarity index 88% rename from debian/security-misc-shared.postrm rename to debian/security-misc.postrm index 13dc588..80a0726 --- a/debian/security-misc-shared.postrm +++ b/debian/security-misc.postrm @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then @@ -18,8 +18,6 @@ true " ## https://forums.whonix.org/t/is-security-misc-suitable-for-hardening-bridges-and-relays/8299/11 pam-auth-update --package --remove "$DPKG_MAINTSCRIPT_PACKAGE" -rm -f /etc/sysctl.d/30_security-misc_aslr-mmap.conf - true "INFO: debhelper beginning here." #DEBHELPER# diff --git a/debian/security-misc-shared.preinst b/debian/security-misc.preinst old mode 100755 new mode 100644 similarity index 80% rename from debian/security-misc-shared.preinst rename to debian/security-misc.preinst index 93d8b2f..f8c516d --- a/debian/security-misc-shared.preinst +++ b/debian/security-misc.preinst @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then 
@@ -20,20 +20,9 @@ user_groups_modifications() { addgroup --system sysfs addgroup --system cpuinfo - ## /usr/lib/systemd/system/proc-hidepid.service - addgroup --system proc - - ## Avoid 'debian/control' file 'Depends:' 'sudo'. - ## - ## Could use '/usr/libexec/helper-scripts/user_create.bsh' in preinst? Looks more complex. Avoided. - ## group 'sudo' is not a system group. - #addgroup --system sudo - ## Function 'is_group' is complex. Hence, use '2>/dev/null || true'. - addgroup sudo 2>/dev/null || true - ## group 'sudo' membership required to use 'su' ## /usr/share/pam-configs/wheel-security-misc - adduser root sudo + addgroup root sudo ## Useful to create groups in preinst rather than postinst. ## Otherwise if a user saw an error message such as this: @@ -55,15 +44,15 @@ user_groups_modifications() { ## an "empty" /etc/securetty. ## In case a system administrator edits /etc/securetty, there is no need to ## block for this to be still blocked by console lockdown. See also: - ## https://www.kicksecure.com/wiki/Root#Root_Login - adduser root console + ## https://www.whonix.org/wiki/Root#Root_Login + addgroup root console } output_skip_checks() { - echo "security-misc-shared '$0' INFO: Allow installation of security-misc-shared anyway." >&2 - echo "security-misc-shared '$0' INFO: (technical reason: $@)" >&2 - echo "security-misc-shared '$0' INFO: If this is a chroot this is probably OK." >&2 - echo "security-misc-shared '$0' INFO: Otherwise you might not be able to login." >&2 + echo "security-misc '$0' INFO: Allow installation of security-misc anyway." >&2 + echo "security-misc '$0' INFO: (technical reason: $@)" >&2 + echo "security-misc '$0' INFO: If this is a chroot this is probably OK." >&2 + echo "security-misc '$0' INFO: Otherwise you might not be able to login." >&2 } sudo_users_check () { 
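Review bot: in the `@@ -20,20 +20,9 @@` hunk of debian/security-misc.preinst, `addgroup root sudo` now runs without the guarded `addgroup sudo 2>/dev/null || true` that used to precede it, so the call depends on group `sudo` already existing at preinst time. The removed comment says the package deliberately avoids a `Depends:` on sudo, so nothing visible here guarantees that. Keep the guard, or add a comment naming what creates the group. The same hunk drops `addgroup --system proc`, which the removed comment ties to /usr/lib/systemd/system/proc-hidepid.service; confirm that unit is no longer shipped before removing the group creation.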
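Review bot: in the `@@ -55,15 +44,15 @@` hunk, `output_skip_checks` prints `(technical reason: $@)` with `$@` embedded in a longer double-quoted string. With more than one argument this expands to several words and the message is split across arguments to `echo`. Use `$*` here, as the deleted postinst does in its BEGIN/END banners.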
@@ -104,15 +93,14 @@ sudo_users_check () { ## Prevent users from locking themselves out. ## https://forums.whonix.org/t/is-security-misc-suitable-for-hardening-bridges-and-relays/8299/4 - echo "$0: ERROR: No account is a member of group 'sudo'. Installation aborted." >&2 + echo "$0: ERROR: No user is a member of group 'sudo'. Installation aborted." >&2 echo "$0: ERROR: You probably want to run:" >&2 - echo "$0: NOTE: Replace account 'user' with your actual Linux user account name." >&2 echo "" >&2 echo "sudo adduser user sudo" >&2 echo "sudo adduser user console" >&2 echo "" >&2 echo "$0: ERROR: See also installation instructions:" >&2 - echo "https://www.kicksecure.com/wiki/security-misc#install" >&2 + echo "https://www.whonix.org/wiki/security-misc#install" >&2 if [ "$SECURITY_MISC_INSTALL" = "force" ]; then output_skip_checks "Environment variable SECURITY_MISC_INSTALL is set to 'force'." @@ -154,7 +142,7 @@ console_users_check() { for user_with_console in $console_users $console_unrestricted_users ; do if [ "$user_with_console" = "root" ]; then ## root login is also restricted. - ## Therefore account "root" being member of group "console" is + ## Therefore user "root" being member of group "console" is ## considered insufficient. continue fi @@ -171,7 +159,7 @@ console_users_check() { return 0 fi - echo "$0: ERROR: No account is a member of group 'console'. Installation aborted." >&2 + echo "$0: ERROR: No user is a member of group 'console'. Installation aborted." >&2 echo "$0: ERROR: You probably want to run:" >&2 echo "" >&2 echo "sudo adduser user console" >&2 
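Review bot: the `@@ -104,15 +93,14 @@` hunk removes the line telling the administrator to replace `user` with the real account name, while the suggested commands `sudo adduser user sudo` and `sudo adduser user console` still use the literal name `user`. This message is shown exactly when installation aborts to prevent a lockout, so a copy-pasted command that targets a nonexistent account leaves the admin no closer to a working login. Keep the NOTE line, and add the same hint to the group 'console' message in the `@@ -171,7 +159,7 @@` hunk, which has the same placeholder and no explanation.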
@@ -221,11 +209,11 @@ legacy() { user_to_be_created=user if ! id "$user_to_be_created" &>/dev/null ; then - true "INFO: Account '$user_to_be_created' does not exist. Skipping adding account '$user_to_be_created' to group 'console' and also skipping 'pam-auth-update --enable console-lockdown-security-misc'." + true "INFO: user '$user_to_be_created' does not exist. Skipping addgroup console and pam-auth-update." return 0 fi - adduser "$user_to_be_created" console + addgroup "$user_to_be_created" console pam-auth-update --enable console-lockdown-security-misc diff --git a/debian/security-misc-shared.prerm b/debian/security-misc.prerm old mode 100755 new mode 100644 similarity index 92% rename from debian/security-misc-shared.prerm rename to debian/security-misc.prerm index 1c4cd87..d5a120c --- a/debian/security-misc-shared.prerm +++ b/debian/security-misc.prerm @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then diff --git a/debian/security-misc.triggers b/debian/security-misc.triggers new file mode 100644 index 0000000..3c09f14 --- /dev/null +++ b/debian/security-misc.triggers @@ -0,0 +1,15 @@ +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +#### meta start +#### project Whonix +#### category security +#### description + +## Activate initramfs hook that sets the sysctl values before init is executed. +activate-noawait update-initramfs + +## LKRG /usr/share/security-misc/lkrg/lkrg-virtualbox +interest-noawait /usr/bin/vboxmanage + +#### meta end diff --git a/debian/security-misc.undisplace b/debian/security-misc.undisplace new file mode 100644 index 0000000..ef0fd76 --- /dev/null +++ b/debian/security-misc.undisplace 
@@ -0,0 +1,5 @@ +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +/etc/login.defs.security-misc +/usr/bin/pkexec.security-misc diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides index c657565..942fd18 100644 --- a/debian/source/lintian-overrides +++ b/debian/source/lintian-overrides @@ -1,2 +1,2 @@ ## https://phabricator.whonix.org/T277 -debian-watch-does-not-check-openpgp-signature +debian-watch-does-not-check-gpg-signature diff --git a/debian/watch b/debian/watch index ea85f6b..af1173f 100644 --- a/debian/watch +++ b/debian/watch @@ -1,6 +1,6 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. version=4 opts=filenamemangle=s/.+\/v?(\d\S+)\.tar\.gz/security-misc-$1\.tar\.gz/ \ - https://github.com/Kicksecure/security-misc/tags .*/v?(\d\S+)\.tar\.gz + https://github.com/Whonix/security-misc/tags .*/v?(\d\S+)\.tar\.gz diff --git a/etc/X11/Xsession.d/50panic_on_oops b/etc/X11/Xsession.d/50panic_on_oops new file mode 100755 index 0000000..81d9a9f --- /dev/null +++ b/etc/X11/Xsession.d/50panic_on_oops @@ -0,0 +1,8 @@ +#!/bin/sh + +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +if [ -x /usr/libexec/security-misc/panic-on-oops ]; then + sudo --non-interactive /usr/libexec/security-misc/panic-on-oops +fi diff --git a/etc/X11/Xsession.d/50security-misc b/etc/X11/Xsession.d/50security-misc new file mode 100755 index 0000000..829fe74 --- /dev/null +++ b/etc/X11/Xsession.d/50security-misc @@ -0,0 +1,9 @@ +#!/bin/sh + +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +if [ -z "$XDG_CONFIG_DIRS" ]; then + XDG_CONFIG_DIRS=/etc/xdg +fi +export XDG_CONFIG_DIRS=/usr/share/security-misc/:$XDG_CONFIG_DIRS 
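Review bot: in debian/watch, the `opts=` line only sets `filenamemangle` and points uscan at the GitHub tags page, so upstream tarballs are fetched with no signature check, and the debian/source/lintian-overrides hunk just above renames the override tag so the warning stays silenced. If signed tags or detached signatures are available upstream, add `pgpsigurlmangle` plus the signing key under debian/upstream/ and drop the override. Otherwise expand the comment next to the override beyond the bare T277 link so the reason for skipping verification is recorded in the tree.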
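Review bot: in the new etc/X11/Xsession.d/50panic_on_oops, the exit status of `sudo --non-interactive /usr/libexec/security-misc/panic-on-oops` is not handled. With `--non-interactive`, sudo fails instead of prompting when no sudoers rule permits the call, and because Xsession.d snippets are sourced, that status is handed back to the session startup script. Append `|| true` (the postinst in this patch does this for its other helper calls) or log the failure, and add a comment naming the sudoers file that is expected to permit this command for every desktop user.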
diff --git a/etc/apparmor.d/tunables/home.d/security-misc#security-misc-shared b/etc/apparmor.d/tunables/home.d/security-misc similarity index 62% rename from etc/apparmor.d/tunables/home.d/security-misc#security-misc-shared rename to etc/apparmor.d/tunables/home.d/security-misc index d63d5db..8795ef4 100644 --- a/etc/apparmor.d/tunables/home.d/security-misc#security-misc-shared +++ b/etc/apparmor.d/tunables/home.d/security-misc @@ -1,7 +1,7 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -alias /etc/pam.d/common-session -> /etc/pam.d/common-session.security-misc, +alias /etc/pam.d/common-session -> /etc/pam.d//etc/pam.d/common-session.security-misc, alias /etc/pam.d/common-session-noninteractive -> /etc/pam.d/common-session-noninteractive.security-misc, alias /etc/login.defs -> /etc/login.defs.security-misc, alias /etc/securetty -> /etc/securetty.security-misc, diff --git a/etc/apt/apt.conf.d/40error-on-any#security-misc-shared b/etc/apt/apt.conf.d/40error-on-any similarity index 84% rename from etc/apt/apt.conf.d/40error-on-any#security-misc-shared rename to etc/apt/apt.conf.d/40error-on-any index f1be472..e9357e6 100644 --- a/etc/apt/apt.conf.d/40error-on-any#security-misc-shared +++ b/etc/apt/apt.conf.d/40error-on-any @@ -1,4 +1,4 @@ -## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2021 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Make "sudo apt-get update" exit non-zero for transient failures. diff --git a/etc/apt/apt.conf.d/40sandbox#security-misc-shared b/etc/apt/apt.conf.d/40sandbox similarity index 65% rename from etc/apt/apt.conf.d/40sandbox#security-misc-shared rename to etc/apt/apt.conf.d/40sandbox index 43150ec..2a66799 100644 --- a/etc/apt/apt.conf.d/40sandbox#security-misc-shared +++ b/etc/apt/apt.conf.d/40sandbox 
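Review bot: in etc/apparmor.d/tunables/home.d/security-misc, the added alias line has a doubled path: `alias /etc/pam.d/common-session -> /etc/pam.d//etc/pam.d/common-session.security-misc,`. The target should be `/etc/pam.d/common-session.security-misc`, matching the removed line and the pattern of the neighbouring `common-session-noninteractive`, `login.defs` and `securetty` aliases. As written the alias points at a path that does not exist, so AppArmor profiles that rely on this tunable will not map accesses to the displaced common-session file and may deny PAM session setup for confined programs.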
@@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://forums.whonix.org/t/apt-seccomp-bpf-sandboxing/7702 diff --git a/etc/bluetooth/30_security-misc.conf#security-misc-desktop b/etc/bluetooth/30_security-misc.conf#security-misc-desktop deleted file mode 100644 index 8de8384..0000000 --- a/etc/bluetooth/30_security-misc.conf#security-misc-desktop +++ /dev/null @@ -1,28 +0,0 @@ -## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -[General] -# How long to stay in pairable mode before going back to non-discoverable -# The value is in seconds. Default is 0. -# 0 = disable timer, i.e. stay pairable forever -PairableTimeout = 30 - -# How long to stay in discoverable mode before going back to non-discoverable -# The value is in seconds. Default is 180, i.e. 3 minutes. -# 0 = disable timer, i.e. stay discoverable forever -DiscoverableTimeout = 30 - -# Maximum number of controllers allowed to be exposed to the system. -# Default=0 (unlimited) -MaxControllers=1 - -[Policy] -# AutoEnable defines option to enable all controllers when they are found. -# This includes adapters present on start as well as adapters that are plugged -# in later on. Defaults to 'true'. -AutoEnable=false - -# network/on: A device will only accept advertising packets from peer -# devices that contain private addresses. It may not be compatible with some -# legacy devices since it requires the use of RPA(s) all the time. -Privacy=network/on diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg new file mode 100644 index 0000000..5bd25f7 --- /dev/null +++ b/etc/default/grub.d/40_cpu_mitigations.cfg 
@@ -0,0 +1,42 @@ +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Enables all mitigations for CPU vulnerabilities. +## +## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647 + +## Enable all mitigations for Spectre Variant 2. +## +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on" + +## Disable Speculative Store Bypass. +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on" + +## Disable TSX, enable all mitigations for the TSX Async Abort +## vulnerability and disable SMT. +## +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off tsx_async_abort=full,nosmt" + +## Enable all mitigations for the MDS vulnerability and disable +## SMT. +## +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt" + +## Enable all mitigations for the L1TF vulnerability and disable SMT +## and L1D flush runtime control. +## +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force" + +## Force disable SMT as it has caused numerous CPU vulnerabilities. +## +## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17 +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force" + +## Mark all huge pages in the EPT as non-executable to mitigate iTLB multihit. +## +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html#mitigation-control-on-the-kernel-command-line-and-kvm-module-parameter +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force" 
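Review bot: the header of the added etc/default/grub.d/40_cpu_mitigations.cfg says it "Enables all mitigations for CPU vulnerabilities", but the parameters it sets stop at `spectre_v2`, `spec_store_bypass_disable`, `tsx`/`tsx_async_abort`, `mds`, `l1tf`, `nosmt` and `kvm.nx_huge_pages`. The `#security-misc-shared` variant deleted in this same patch also sets `spectre_bhi=on`, `kpti=1`, `ssbd=force-on`, `kvm-intel.vmentry_l1d_flush=always` and `mitigations=auto,nosmt`, none of which appear here. Either add the missing parameters or narrow the header comment to what the file actually covers. The deleted file's notes on the performance cost of `nosmt=force` and the steps to re-enable SMT (including downgrading `l1tf=full,force`) are also worth keeping, since an admin who removes only `nosmt=force` will still have SMT disabled by the `,nosmt` suffixes and `l1tf=full,force`.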
diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared b/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared deleted file mode 100644 index 10f3af0..0000000 --- a/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared +++ /dev/null 
@@ -1,231 +0,0 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Definitions: -## KSPP=yes: compliant with recommendations by the KSPP -## KSPP=partial: partially compliant with recommendations by the KSPP -## KSPP=no: not (currently) compliant with recommendations by the KSPP -## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. - -## Enable known mitigations for CPU vulnerabilities. -## Note, the mitigations for SSB and Retbleed are not currently mentioned in the first link. -## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html -## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html -## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647 - -## Check for potential updates directly from AMD and Intel. -## https://www.amd.com/en/resources/product-security.html -## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/advisory-guidance.html -## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/disclosure-documentation.html - -## Tabular comparison between the utility and functionality of various mitigations. -## https://forums.whonix.org/t/kernel-hardening-security-misc/7296/587 - -## For complete protection, users must install the latest relevant security microcode update. -## BIOS/UEFI updates should only be obtained directly from OEMs and/or motherboard manufacturers. -## Note that incorrectly performing system BIOS/UEFI updates can potentially lead to serious functionality issues. -## The parameters below only provide (partial) protection at both the kernel and user space level. - -## If using Secure Boot, users must also ensure the Secure Boot Forbidden Signature Database (DBX) is up to date. 
-## The UEFI Revocation List contains signatures of now revoked firmware and software used in booting systems. -## If using compatible hardware, the database can be updated directly in user space using fwupd. -## Note that incorrectly performing DBX updates can potentially lead to serious functionality issues. -## https://github.com/microsoft/secureboot_objects -## https://uefi.org/revocationlistfile -## https://github.com/fwupd/fwupd - -## Enable a subset of known default mitigations for some CPU vulnerabilities and disable SMT. -## Note that this redundant parameter simply applies each mitigation at the already applied default settings. -## The default values are not always the strictest and so we reapply each below to their highest setting. -## We retain it here for completeness as many other distributions heavily rely on this for many CPU mitigations. -## -## https://github.com/Kicksecure/security-misc/issues/199#issuecomment-3327391859 -## https://github.com/secureblue/secureblue/issues/1405 -## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/attack_vector_controls.html -## -## KSPP=yes -## KSPP sets the kernel parameters. -## -## WARNING: Do not rely on this parameter, it is presented here only for educational purposes. -## WARNING: Parameters are applied consecutively and so do not ever move this setting down. -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt" - -## Disable SMT as it has been the cause of and amplified numerous CPU exploits. -## The only full mitigation of cross-HT attacks is to disable SMT. -## Disabling will significantly decrease system performance on multi-threaded tasks. -## Note, this setting will prevent re-enabling SMT via the sysfs interface. 
-## -## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html -## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17 -## https://github.com/anthraxx/linux-hardened/issues/37#issuecomment-619597365 -## -## KSPP=yes -## KSPP sets the kernel parameter. -## -## To re-enable SMT: -## - Remove "nosmt=force". -## - Remove all occurrences of ",nosmt" in this file (note the comma ","). -## - Downgrade "l1tf=full,force" protection to "l1tf=flush". -## - Regenerate the dracut initramfs and then reboot system. -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force" - -## Spectre Side Channels (BTI and BHI): -## Unconditionally enable mitigation for Spectre Variant 2 (branch target injection). -## Enable mitigation for the Intel branch history injection vulnerability. -## Currently affects both AMD and Intel CPUs. -## -## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on" -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on" - -## Meltdown: -## Mitigate Spectre Variant 3 using kernel page table isolation (PTI). -## Force enable PTI of user and kernel address spaces on all cores. -## Mitigations for X86_64 CPUs are done in /etc/default/grub.d/40_kernel_hardening.cfg using "pti=on". -## Currently affects ARM64 CPUs. -## -## https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability) -## https://en.wikipedia.org/wiki/Kernel_page-table_isolation -## -## KSPP=yes -## KSPP sets CONFIG_UNMAP_KERNEL_AT_EL0=y. -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kpti=1" - -## Speculative Store Bypass (SSB): -## Mitigate Spectre Variant 4 by disabling speculative store bypass system-wide. -## Unconditionally enable the mitigation for both kernel and userspace. -## Currently affects AMD, ARM64, and Intel CPUs. 
-## -## https://en.wikipedia.org/wiki/Speculative_Store_Bypass -## https://www.suse.com/support/kb/doc/?id=000019189 -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on" -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ssbd=force-on" - -## L1 Terminal Fault (L1TF): -## Mitigate the vulnerability by disabling L1D flush runtime control and SMT. -## If L1D flushing is conditional, mitigate the vulnerability for certain KVM hypervisor configurations. -## Currently affects Intel CPUs. -## -## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force" -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm-intel.vmentry_l1d_flush=always" - -## Microarchitectural Data Sampling (MDS): -## Mitigate the vulnerability by clearing the CPU buffer cache and disabling SMT. -## Currently affects Intel CPUs. -## -## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt" - -## TSX Asynchronous Abort (TAA): -## Mitigate the vulnerability by disabling TSX. -## If TSX is enabled, clear CPU buffer rings on transitions and disable SMT. -## Currently affects Intel CPUs. -## -## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off" -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx_async_abort=full,nosmt" - -## iTLB Multihit: -## Mitigate the vulnerability by marking all huge pages in the EPT as non-executable. -## Currently affects Intel CPUs. -## -## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force" - -## Special Register Buffer Data Sampling (SRBDS): -## Mitigation of the vulnerability is only possible via microcode update from Intel. -## Currently affects Intel CPUs. 
-## -## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html -## https://access.redhat.com/solutions/5142691 - -## L1D Flushing: -## Mitigate leaks from the L1D cache on context switches by enabling the prctl() interface. -## Currently affects Intel CPUs. -## -## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1d_flush=on" - -## Processor MMIO Stale Data: -## Mitigate the vulnerabilities by appropriately clearing the CPU buffer and disabling SMT. -## Currently affects Intel CPUs. -## -## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt" - -## Arbitrary Speculative Code Execution with Return Instructions (Retbleed): -## Mitigate the vulnerability through CPU-dependent implementation and disable SMT. -## Currently affects both AMD Zen 1-2 and Intel CPUs. -## -## https://en.wikipedia.org/wiki/Retbleed -## https://comsec.ethz.ch/research/microarch/retbleed/ -## https://www.suse.com/support/kb/doc/?id=000020693 -## https://access.redhat.com/solutions/retbleed -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt" - -## Cross-Thread Return Address Predictions: -## Mitigate the vulnerability for certain KVM hypervisor configurations. -## Currently affects AMD Zen 1-2 CPUs. -## -## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/cross-thread-rsb.html -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.mitigate_smt_rsb=1" - -## Speculative Return Stack Overflow (SRSO): -## Mitigate the vulnerability by ensuring all RET instructions speculate to a controlled location. -## Currently affects AMD Zen 1-4 CPUs. -## -## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html -## -## The default kernel setting will be utilized until provided sufficient evidence to modify. 
-## Using "spec_rstack_overflow=ibpb" may provide superior protection to the default software-based approach. -## The use of hardware barriers may be more effective while possibly incurring a greater performance loss. -## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_rstack_overflow=safe-ret" - -## Gather Data Sampling (GDS): -## Mitigate the vulnerability either via microcode update or by disabling AVX. -## Note, without a suitable microcode update, this will entirely disable use of the AVX instructions set. -## Currently affects Intel CPUs. -## -## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/gather_data_sampling.html -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX gather_data_sampling=force" - -## Register File Data Sampling (RFDS): -## Mitigate the vulnerability by appropriately clearing the CPU buffer. -## Currently affects Intel Atom CPUs (which encompasses E-cores on hybrid architectures). -## -## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/reg-file-data-sampling.html -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on" - -## Indirect Target Selection (ITS): -## Mitigate the vulnerability by not allowing indirect branches in the lower half of the cacheline. -## Currently affects Intel CPUs. -## -## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/indirect-target-selection.html -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX indirect_target_selection=force" - -## VMScape: -## Mitigate the vulnerability by flushing branch predictors before returning to userspace when exiting guests. -## Comprehensive protection may also require disabling SMT to limit cross-thread attacks. -## Currently affects both AMD and Intel CPUs. -## -## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/vmscape.html -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vmscape=force" diff --git a/etc/default/grub.d/40_distrust_cpu.cfg b/etc/default/grub.d/40_distrust_cpu.cfg new file mode 100644 index 0000000..40a759a --- /dev/null 
+++ b/etc/default/grub.d/40_distrust_cpu.cfg @@ -0,0 +1,11 @@ +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Distrusts the CPU for initial entropy at boot as it is not possible to +## audit, may contain weaknesses or a backdoor. +## +## https://en.wikipedia.org/wiki/RDRAND#Reception +## https://twitter.com/pid_eins/status/1149649806056280069 +## https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html +## https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566 +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off" diff --git a/etc/default/grub.d/40_enable_iommu.cfg b/etc/default/grub.d/40_enable_iommu.cfg new file mode 100644 index 0000000..14d1869 --- /dev/null +++ b/etc/default/grub.d/40_enable_iommu.cfg @@ -0,0 +1,12 @@ +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Enables IOMMU to prevent DMA attacks. +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on amd_iommu=on" + +## Disable the busmaster bit on all PCI bridges during very +## early boot to avoid holes in IOMMU. +## +## https://mjg59.dreamwidth.org/54433.html +## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94 +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma" diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg new file mode 100644 index 0000000..64d85a7 --- /dev/null +++ b/etc/default/grub.d/40_kernel_hardening.cfg 
@@ -0,0 +1,73 @@ +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +kpkg="linux-image-$(dpkg --print-architecture)" || true +kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || true +#echo "## kver: $kver" + +## Disables the merging of slabs of similar sizes. +## Sometimes a slab can be used in a vulnerable way which an attacker can exploit. +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge" + +if dpkg --compare-versions "$kver" ge "5.3"; then + ## Enables sanity checks (F) and redzoning (Z). + GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZ" + + #echo "## $kver grater or equal 5.3: yes" + ## Zero memory at allocation and free time. + GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1 init_on_free=1" +else + #echo "## $kver grater or equal 5.3: no" + ## SLUB poisoning and page poisoning is used if the kernel + ## does not yet support init_on_{,alloc,free}. + GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZP" + + if command -v "qubesdb-read" >/dev/null 2>&1 ; then + ## https://github.com/QubesOS/qubes-issues/issues/5212#issuecomment-533873012 + true "skip adding page_poison=1 in Qubes" + else + GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_poison=1" + fi +fi + +## Makes the kernel panic on uncorrectable errors in ECC memory that an attacker could exploit. +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0" + +## Enables Kernel Page Table Isolation which mitigates Meltdown and improves KASLR. +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on" + +## Vsyscalls are obsolete, are at fixed addresses and are a target for ROP. +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none" + +## Enables page allocator freelist randomization. +if dpkg --compare-versions "${kver}" ge "5.2"; then + GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1" +fi + +## Enables kernel lockdown. +## +## Disabled for now as it enforces module signature verification which breaks +## too many things. 
+## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880 +## +#if dpkg --compare-versions "${kver}" ge "5.4"; then +# GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX lockdown=confidentiality" +#fi + +## Gather more entropy during boot. +## +## Requires linux-hardened kernel patch. +## https://github.com/anthraxx/linux-hardened +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy" + +## Prevent kernel info leaks in console during boot. +## https://phabricator.whonix.org/T950 +## LANG=C str_replace is provided by package helper-scripts. +## Remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT because "quiet" must be first. +GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | LANG=C str_replace "quiet" "")" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet loglevel=0" + +## Restrict access to debugfs since it can contain a lot of sensitive information. +## https://lkml.org/lkml/2020/7/16/122 +## https://github.com/torvalds/linux/blob/fb1201aececc59990b75ef59fca93ae4aa1e1444/Documentation/admin-guide/kernel-parameters.txt#L835-L848 +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared deleted file mode 100644 index 4407b16..0000000 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ /dev/null 
@@ -1,440 +0,0 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -kpkg="linux-image-$(dpkg --print-architecture)" || true -kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || true -#echo "## kver: $kver" - -## Definitions: -## KSPP=yes: compliant with recommendations by the KSPP -## KSPP=partial: partially compliant with recommendations by the KSPP -## KSPP=no: not (currently) compliant with recommendations by the KSPP -## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. - -## This configuration file is split into 4 sections: -## 1. Kernel Space -## 2. Direct Memory Access -## 3. Entropy -## 4. Networking - -## See the documentation below for details on the majority of the selected commands: -## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html -## https://wiki.archlinux.org/title/Kernel_parameters#GRUB - -## 1. Kernel Space: -## -## https://madaidans-insecurities.github.io/guides/linux-hardening.html#boot-parameters -## https://kspp.github.io/Recommended_Settings#kernel-command-line-options - -## Disable merging of slabs with similar size. -## Reduces the risk of triggering heap overflows. -## Prevents overwriting objects from merged caches and limits influencing slab cache layout. -## -## https://www.openwall.com/lists/kernel-hardening/2017/06/19/33 -## https://www.openwall.com/lists/kernel-hardening/2017/06/20/10 -## -## KSPP=yes -## KSPP sets the kernel parameter and does not set CONFIG_SLAB_MERGE_DEFAULT. -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge" - -## Enable sanity checks and red zoning of slabs via debugging options to detect memory corruption. -## Sanity checks force additional verification steps on every memory allocation and free operation. -## Red zoning adds extra metadata to each object to detect writes beyond the object's boundaries. 
-## As a by product of debugging, this will implicitly disabling kernel pointer hashing unless manually re-enabled. -## Enabling this (for now) will therefore leak exact and all kernel memory addresses to root. -## Introduces a noticeable performance overhead during all memory allocation and deallocation operations. -## -## https://www.kernel.org/doc/html/latest/mm/slub.html -## https://www.kernel.org/doc/Documentation/vm/slub.txt -## https://lore.kernel.org/all/20210601182202.3011020-5-swboyd@chromium.org/T/#u -## https://blogs.oracle.com/linux/post/linux-slub-allocator-internals-and-debugging-2 -## https://gitlab.tails.boum.org/tails/tails/-/issues/19613 -## https://github.com/Kicksecure/security-misc/issues/253 -## -## KSPP=partial -## KSPP sets the kernel parameters and CONFIG_SLUB_DEBUG. -## -## TODO: Debian forky / 14 -## The first parameter is applicable when using Linux kernel >= 6.17 (retained here for future-proofing and completeness). -## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX hash_pointers=always" -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_debug=FZ" - -## Zero memory at allocation time and free time. -## Fills newly allocated pages, freed pages, and heap objects with zeros. -## Mitigates use-after-free exploits by erasing sensitive information in memory. -## -## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6471384af2a6530696fc0203bafe4de41a23c9ef -## -## KSPP=yes -## KSPP sets the kernel parameters, CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y, and CONFIG_INIT_ON_FREE_DEFAULT_ON=y. -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1" -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_free=1" - -## Enable the kernel page allocator to randomize free lists. -## During early boot, the page allocator has predictable FIFO behavior for physical pages. -## Limits some data exfiltration and ROP attacks that rely on inferring sensitive data location. -## Also improves performance by optimizing memory-side cache utilization. 
-## -## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e900a918b0984ec8f2eb150b8477a47b75d17692 -## https://en.wikipedia.org/wiki/Return-oriented_programming#Attacks -## -## KSPP=yes -## KSPP sets the kernel parameter and CONFIG_SHUFFLE_PAGE_ALLOCATOR=y. -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1" - -## Enable kernel page table isolation to harden against kernel ASLR (KASLR) bypasses. -## Mitigates the Meltdown (Spectre Variant 3) CPU vulnerability. -## Mitigations for ARM64 CPUs are done in /etc/default/grub.d/40_cpu_mitigations.cfg using "kpti=1". -## -## https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability) -## https://en.wikipedia.org/wiki/Kernel_page-table_isolation -## -## KSPP=yes -## KSPP sets the kernel parameter and CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y. -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on" - -## Enable randomization of the kernel stack offset on syscall entries. -## Hardens against memory corruption attacks due to increased entropy. -## Limits attacks relying on deterministic stack addresses or cross-syscall address exposure. -## -## https://lkml.org/lkml/2019/3/18/246 -## https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html -## -## KSPP=yes -## KSPP sets the kernel parameter and CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y. -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX randomize_kstack_offset=on" - -## Disable vsyscalls to reduce attack surface as they have been replaced by vDSO. -## Vulnerable to ROP attacks as vsyscalls are located at fixed addresses in memory. -## -## https://lwn.net/Articles/446528/ -## https://en.wikipedia.org/wiki/VDSO -## -## KSPP=yes -## KSPP sets the kernel parameter, CONFIG_LEGACY_VSYSCALL_NONE=y and does not set CONFIG_X86_VSYSCALL_EMULATION. -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none" - -## Restrict access to debugfs by not registering the file system. -## Deactivated since the file system can contain sensitive information. 
-## -## https://lkml.org/lkml/2020/7/16/122 -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" - -## Force the kernel to immediately panic on "oopses" and kernel warnings in the WARN() path. -## Panics may be due to false-positives such as bad drivers. -## Both allowed limits are set to one so that panics occur on the single first instance of either scenario. -## Oopses are serious but non-fatal errors. -## Certain "oopses" can sometimes indicate and thwart potential kernel exploitation attempts. -## Warnings are messages generated by the kernel to indicate unexpected conditions or errors. -## By default, code execution continues regardless of warnings emitted by macros like WARN() and WARN_ON(). -## Note that by forcing kernel panics on oopses and warnings, this exposes the system to targeted denial of service attacks. -## -## https://en.wikipedia.org/wiki/Kernel_panic#Linux -## https://en.wikipedia.org/wiki/Linux_kernel_oops -## https://lwn.net/Articles/876209/ -## https://git.sr.ht/~gregkh/presentation-security/tree/3fdaf81a2f8b2c8d64cdb2f529cc714624868aa8/item/security-stuff.pdf -## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 -## -## KSPP=yes -## KSPP sets CONFIG_PANIC_ON_OOPS=y. -## -## See /usr/libexec/security-misc/panic-on-oops for implementation. -## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX oops=panic" -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic_on_warn=1" - -## Force immediate system reboots on the occurrence of a single kernel panic. -## Increases resilience and limits impact of denial of service attacks as system automatically restarts. -## Ensures the system does not hang forever if a panic occurs, reducing susceptibility to both cold and warm boot attacks. -## Immediate rebooting also prevents persistent information disclosure on panic details that were dumped to screen. -## -## KSPP=yes -## KSPP sets CONFIG_PANIC_TIMEOUT=-1. 
-## -## See /usr/libexec/security-misc/panic-on-oops for implementation. -## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic=-1" - -## Force the kernel to immediately panic if it becomes tainted. -## Using kernel documentation, one can select a subset of taints to create a security policy. -## Requires summing the numbers for each taint state and then converting it to a hexadecimal bitmask. -## Some example combinations are shown below. -## S - Panic on using out of specification hardware: 4 = 0x4. -## B - On the above and bad page faults or some unexpected page flags: 36 = 0x24. -## A - On the above and ACPI tables are overridden by users: 292 = 0x124. -## I - On the above and severe firmware bugs: 2340 = 0x924. -## N - On the above and in-kernel tests have been run: 264484 = 0x40924. -## J - On the above and userspace has used a mutating debug operation in fwctl: 788772 = 0xC0924. -## G/P, O - On the above and the loading of proprietary or out-of-tree modules: 792869 = 0xC1925. -## All must first be tested to ensure there are no pre-existing issues on user hardware. -## After confirming stability this reduces attack surface. -## -## https://www.kernel.org/doc/html/latest/admin-guide/tainted-kernels.html -## https://support.scc.suse.com/s/kb/Tainted-kernel-1583239310621?language=en_US -## https://lore.kernel.org/all/20200515175502.146720-1-aquini@redhat.com/T/ -## https://github.com/Kicksecure/security-misc/pull/339 -## -## Note that this must be used with panic=-1 for it to function as intended. -## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic_on_taint=0xC0924" - -## Prevent sensitive kernel information leaks in the console during boot. -## Must be used in combination with the kernel.printk sysctl. -## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation. 
-## -## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html -## https://wiki.archlinux.org/title/silent_boot -## -## See /etc/default/grub.d/41_quiet_boot.cfg for implementation. -## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0" -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet" - -## Enable the kernel "Electric-Fence" sampling-based memory safety error detector. -## KFENCE detects heap out-of-bounds access, use-after-free, and invalid-free errors. -## Aims to have very low processing overhead at each sampling interval. -## Sampling interval is set to occur every 100 milliseconds as per KSPP recommendation. -## -## https://www.kernel.org/doc/html/latest/dev-tools/kfence.html -## https://google.github.io/kernel-sanitizers/KFENCE.html -## https://blogs.oracle.com/linux/post/linux-slub-allocator-internals-and-debugging-4 -## https://lwn.net/Articles/835542/ -## -## KSPP=yes -## KSPP sets the kernel parameter, CONFIG_KFENCE=y, and CONFIG_KFENCE_SAMPLE_INTERVAL=100. -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100" - -## Disable 32-bit Virtual Dynamic Shared Object (vDSO) mappings. -## Legacy compatibility feature for superseded glibc versions. -## -## https://lore.kernel.org/lkml/20080409082927.BD59E26F992@magilla.localdomain/T/ -## https://lists.openwall.net/linux-kernel/2014/03/11/3 -## -## KSPP=yes -## KSPP sets the kernel parameter and does not set CONFIG_COMPAT_VDSO. -## -## See /usr/lib/sysctl.d/990-security-misc.conf for another additional implementation. -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" - -## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation. -## The default implementation is FineIBT as of Linux kernel 6.2. -## The Intel-developed IBT (Indirect Branch Tracking) is only used if supported by the CPU. -## kCFI is software-only while FineIBT is a hybrid software/hardware implementation. 
-## FineIBT may result in some performance benefits as it only performs hash checks at the destinations. -## kCFI mandates hash validation at the source (which is randomized), making it more difficult to bypass. -## FineIBT is considered weaker against attacks that can write arbitrary executables into memory. -## -## https://lwn.net/Articles/891976/ -## https://lore.kernel.org/lkml/202210010918.4918F847C4@keescook/T/#u -## https://lore.kernel.org/lkml/202210182217.486CBA50@keescook/T/ -## https://lore.kernel.org/all/20221027092842.699804264@infradead.org/ -## https://lore.kernel.org/lkml/202407150933.E1871BE@keescook/ -## https://isopenbsdsecu.re/mitigations/forward_edge_cfi/ -## https://docs.kernel.org/next/x86/shstk.html -## https://source.android.com/docs/security/test/kcfi -## https://lpc.events/event/16/contributions/1315/attachments/1067/2169/cfi.pdf -## https://forums.whonix.org/t/kernel-hardening-security-misc/7296/561 -## -## KSPP=yes -## KSPP sets the kernel parameter. -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi" - -## Disable support for all 32-bit x86 processes and syscalls. -## Unconditionally disables IA32 emulation to substantially reduce attack surface. -## -## https://lore.kernel.org/all/20230623111409.3047467-7-nik.borisov@suse.com/ -## -## KSPP=yes -## KSPP does not set CONFIG_COMPAT, CONFIG_IA32_EMULATION, CONFIG_X86_X32, CONFIG_X86_X32_ABI, and CONFIG_MODIFY_LDT_SYSCALL. -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0" - -## Disable EFI persistent storage feature. -## Disable Error Record Serialization Table (ERST) support as a form of defense-in-depth. -## Prevents the kernel from writing crash logs and other persistent data to the storage backend. -## Both the UEFI variable storage and ACPI ERST backends are deactivated. 
-## -## https://blogs.oracle.com/linux/post/pstore-linux-kernel-persistent-storage-file-system -## https://www.ais.com/understanding-pstore-linux-kernel-persistent-storage-file-system/ -## https://lwn.net/Articles/434821/ -## https://manpages.debian.org/testing/systemd/systemd-pstore.service.8.en.html -## https://gitlab.tails.boum.org/tails/tails/-/issues/20813 -## https://github.com/Kicksecure/security-misc/issues/299 -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi_pstore.pstore_disable=1" -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX erst_disable" - -## Enable AMD Secure Memory Encryption (SME) and Secure Encrypted Virtualization (SEV). -## SME encrypts memory with a single key at the kernel level to protect against cold boot attacks. -## SEV extends SME to VMs by encrypting the memory of each with a unique key for guest isolation. -## SEV-ES (Encrypted State) extends SEV by encrypting each guests virtual CPU register state during VM exits. -## SEV-SNP (Secure Nested Paging) extends SEV by activating hardware-level memory integrity. -## This is hardware-based encryption managed by the proprietary and closed-source AMD Platform Security Processor (PSP). -## Both require a compatible AMD CPU and support for SME to first be enabled in the BIOS/UEFI. -## Likely unavailable in consumer-grade AMD CPUs where Transparent SME (TSME) can be enabled in the BIOS/UEFI to achieve SME. -## Note the corresponding Intel Total Memory Encryption (TME) can also be enabled via the BIOS/UEFI. -## May cause boot failure on certain hardware with incompatible DMA masks especially if IOMMU is disabled. 
-## -## https://www.kernel.org/doc/html/next/x86/amd-memory-encryption.html -## https://www.kernel.org/doc/html/latest/virt/kvm/x86/amd-memory-encryption.html -## https://docs.amd.com/v/u/en-US/memory-encryption-white-paper -## https://docs.amd.com/v/u/en-US/SEV-SNP-strengthening-vm-isolation-with-integrity-protection-and-more -## https://github.com/AMDESE/AMDSEV -## https://en.wikichip.org/wiki/x86/sme -## https://lore.kernel.org/all/YWRgN63FOrQGO8jS@zn.tnic/ -## https://lore.kernel.org/lkml/YWvy9bSRaC+m1sV+@zn.tnic/T/#m01bcb37040b6b0d119d385d9a34b9c7ac4ce5f84 -## https://mricher.fr/post/amd-memory-encryption/ -## https://www.kicksecure.com/wiki/Dev/confidential_computing#AMD -## https://github.com/secureblue/secureblue/pull/1631#issuecomment-3655501478 -## https://forums.whonix.org/t/enable-secure-memory-encryption-sme-kernel-parameter-mem-encrypt-by-default/10393 -## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mem_encrypt=on" -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm_amd.sev=1" -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm_amd.sev_es=1" -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm_amd.sev_snp=1" - -## Prevent processes from writing to block devices that are mounted by filesystems. -## Enhances system stability and security by protecting against runaway privileged processes. -## Allowing processes to write to the buffer cache can cause filesystem corruption and kernel crashes. -## Does not prevent data modifications using direct SCSI commands or lower-level storage stack access. -## May lead to breakages in certain limited scenarios. -## -## https://github.com/torvalds/linux/commit/ed5cc702d311c14b653323d76062b0294effa66e -## https://lore.kernel.org/lkml/20240105-vfs-super-4092d802972c@brauner/ -## https://github.com/a13xp0p0v/kernel-hardening-checker/issues/186 -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX bdev_allow_write_mounted=0" - -## Restrict processes from modifying their own memory mappings. 
-## Prevents the use of /proc/PID/mem to write to protected pages via the kernel's -## mem_rw() FOLL_FORCE flag. This makes it harder to trick applications into -## overwriting their own memory. -## -## https://lore.kernel.org/lkml/20240712-vfs-procfs-ce7e6c7cf26b@brauner/ -## https://lwn.net/Articles/983169/ -## https://github.com/a13xp0p0v/kernel-hardening-checker/pull/201 -## https://github.com/Kicksecure/security-misc/issues/330 -## -## Using "proc_mem.force_override=never" provides superior protection by never allowing overrides. -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX proc_mem.force_override=ptrace" - -## 2. Direct Memory Access: -## -## https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks - -## Enable CPU manufacturer-specific IOMMU drivers to mitigate some DMA attacks. -## -## KSPP=yes -## KSPP sets CONFIG_INTEL_IOMMU=y, CONFIG_INTEL_IOMMU_DEFAULT_ON=y, CONFIG_INTEL_IOMMU_SVM=y, CONFIG_AMD_IOMMU=y, and CONFIG_AMD_IOMMU_V2=y. -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX amd_iommu=force_isolation" -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on" - -## Enable and force use of IOMMU translation to protect against some DMA attacks. -## Strictly force DMA unmap operations to synchronously invalidate IOMMU hardware TLBs. -## Ensures devices will never be able to access stale data contents. -## -## https://en.wikipedia.org/wiki/Input%E2%80%93output_memory_management_unit -## https://en.wikipedia.org/wiki/DMA_attack -## https://lenovopress.lenovo.com/lp1467.pdf -## -## KSPP=yes -## KSPP sets the kernel parameters, CONFIG_IOMMU_SUPPORT=y, CONFIG_IOMMU_DEFAULT_DMA_STRICT=y, and does not set CONFIG_IOMMU_DEFAULT_PASSTHROUGH. -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu=force" -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.passthrough=0" -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.strict=1" - -## Clear the busmaster bit on all PCI bridges during the EFI hand-off. 
-## Terminates all existing DMA transactions prior to the kernel's IOMMU setup. -## Forces third party PCI devices to then re-set their busmaster bit in order to perform DMA. -## Assumes that the motherboard chipset and firmware are not malicious. -## May cause complete boot failure on certain hardware with incompatible firmware. -## -## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94 -## https://mjg59.dreamwidth.org/54433.html -## -## KSPP=yes -## KSPP sets CONFIG_EFI_DISABLE_PCI_DMA=y. -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma" - -## 3. Entropy: -## -## https://madaidans-insecurities.github.io/guides/linux-hardening.html#rdrand - -## Do not credit the CPU seeds as an entropy sources at boot. -## The RDRAND and RDSEED CPU (RNG) instructions are proprietary and closed-source. -## Numerous implementations of RDRAND and RDSEED have a long history of being defective. -## Maximizing the entropy pool at boot is desirable for all cryptographic operations. -## This ensures additional entropy is obtained from other sources to initialize the Linux CRNG. -## Note that distrusting this (relatively fast) source of entropy will increase boot time. -## -## https://en.wikipedia.org/wiki/RDRAND -## https://systemd.io/RANDOM_SEEDS/ -## https://www.kicksecure.com/wiki/Dev/Entropy#RDRAND -## https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html -## https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566 -## https://lkml.org/lkml/2022/6/5/271 -## https://lwn.net/Articles/961121/ -## https://lore.kernel.org/lkml/aPFDn-4Cm6n0_3_e@gourry-fedora-PF4VCD3F/ -## https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7055.html -## -## KSPP=yes -## KSPP sets CONFIG_RANDOM_TRUST_CPU=y. 
-## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off" - -## Do not credit the bootloader seeds as an entropy source at boot. -## The RNG seed passed by the bootloader could potentially be tampered. -## Maximizing the entropy pool at boot is desirable for all cryptographic operations. -## This ensures additional entropy is obtained from other sources to initialize the Linux CRNG. -## Note that distrusting this (relatively fast) source of entropy will increase boot time. -## -## https://systemd.io/RANDOM_SEEDS/ -## https://github.com/NixOS/nixpkgs/pull/165355 -## https://lkml.org/lkml/2022/6/5/271 -## -## KSPP=yes -## KSPP sets CONFIG_RANDOM_TRUST_BOOTLOADER=y. -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_bootloader=off" - -## Obtain more entropy during boot as the runtime memory allocator is being initialized. -## Entropy will be extracted from up to the first 4GB of RAM as another source. -## Note that entropy extracted this way is not cryptographically secure and so is not credited. -## Maximizing the entropy pool at boot is desirable for all cryptographic operations. -## This will increase boot time due to interrupting the boot process. -## Requires the linux-hardened kernel patch. -## -## https://www.kicksecure.com/wiki/Hardened-kernel#linux-hardened -## https://github.com/anthraxx/linux-hardened/commit/c3e7df1dba1eb8105d6d5143079a6a0ad9e9ebc7 -## https://github.com/anthraxx/linux-hardened/commit/a04458f97fe1f7e95888c77c0165b646375db9c4 -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy" - -## 4. Networking -## -## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-boot-parameters - -## Disable the entire IPv6 stack functionality. -## Removes attack surface associated with the IPv6 module. 
-## -## https://www.kernel.org/doc/html/latest/networking/ipv6.html -## https://wiki.archlinux.org/title/IPv6#Disable_IPv6 -## -## Enabling makes redundant many network hardening sysctl's in /usr/lib/sysctl.d/990-security-misc.conf. -## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ipv6.disable=1" diff --git a/etc/default/grub.d/40_remount_secure.cfg#security-misc-shared b/etc/default/grub.d/40_remount_secure.cfg#security-misc-shared deleted file mode 100644 index c3cc30a..0000000 --- a/etc/default/grub.d/40_remount_secure.cfg#security-misc-shared +++ /dev/null @@ -1,31 +0,0 @@ -## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Definitions: -## KSPP=yes: compliant with recommendations by the KSPP -## KSPP=partial: partially compliant with recommendations by the KSPP -## KSPP=no: not (currently) compliant with recommendations by the KSPP -## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. - -## Remount Secure provides enhanced security via mount options: -## https://www.kicksecure.com/wiki/Security-misc#Remount_Secure - -## Option A (No Security): -## Disable Remount Secure. -## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=0" - -## Option B (Low Security): -## Re-mount with nodev and nosuid only. -## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=1" - -## Option C (Medium Security): -## Re-mount with nodev, nosuid, and noexec for most mount points, excluding /home. -## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=2" - -## Option D (Highest Security): -## Re-mount with nodev, nosuid, and noexec for all mount points including /home. -## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=3" diff --git a/etc/default/grub.d/40_signed_modules.cfg#security-misc-shared b/etc/default/grub.d/40_signed_modules.cfg#security-misc-shared deleted file mode 100644 index 36af7f3..0000000 
--- a/etc/default/grub.d/40_signed_modules.cfg#security-misc-shared +++ /dev/null @@ -1,37 +0,0 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Definitions: -## KSPP=yes: compliant with recommendations by the KSPP -## KSPP=partial: partially compliant with recommendations by the KSPP -## KSPP=no: not (currently) compliant with recommendations by the KSPP -## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. - -## Require every kernel module to be signed before being loaded. -## Any module that is unsigned or signed with an invalid key cannot be loaded. -## This prevents all out-of-tree kernel modules unless signed. -## This makes it harder to load a malicious module. -## -## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/61 -## https://github.com/dell/dkms/issues/359 -## -## KSPP=yes -## KSPP sets CONFIG_MODULE_SIG=y, CONFIG_MODULE_SIG_FORCE=y, and CONFIG_MODULE_SIG_ALL=y. -## -## Not enabled by default yet due to several issues. -## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1" - -## Enable kernel lockdown to enforce security boundary between user and kernel space. -## Confidentiality mode enforces module signature verification. -## -## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880 -## -## KSPP=yes -## KSPP sets CONFIG_SECURITY_LOCKDOWN_LSM=y, CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y, and CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y. -## -## Not enabled by default yet due to several issues. -## -#if dpkg --compare-versions "${kver}" ge "5.4"; then -# GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX lockdown=confidentiality" -#fi 
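Review bot: removing 40_signed_modules.cfg drops the documented opt-in for `module.sig_enforce=1` and `lockdown=confidentiality`, along with the rationale and the KSPP notes attached to them. Both assignments were already commented out ("Not enabled by default yet due to several issues"), so the generated kernel command line should not change. However, the etc/dkms/framework.conf added later in this patch still states that security-misc will likely need to enable kernel module signing in the future. Suggest keeping the commented entries, or moving the explanation next to the commented `sign_tool` line in that file. If the lockdown block is kept anywhere, note that the commented `dpkg --compare-versions "${kver}" ge "5.4"` test relies on `kver`, which is not set in the visible lines of this file.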
diff --git a/etc/default/grub.d/41_quiet_boot.cfg#security-misc-shared b/etc/default/grub.d/41_quiet_boot.cfg#security-misc-shared deleted file mode 100644 index 7221ac0..0000000 --- a/etc/default/grub.d/41_quiet_boot.cfg#security-misc-shared +++ /dev/null 
@@ -1,35 +0,0 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Definitions: -## KSPP=yes: compliant with recommendations by the KSPP -## KSPP=partial: partially compliant with recommendations by the KSPP -## KSPP=no: not (currently) compliant with recommendations by the KSPP -## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. - -## Some default configuration files automatically include the "quiet" parameter. -## Therefore, first remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT since "quiet" must be first. -## str_replace is provided by package helper-scripts. -## -## https://github.com/Kicksecure/security-misc/pull/233#issuecomment-2228792461 -## -GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | str_replace "quiet" "")" - -## Prevent sensitive kernel information leaks in the console during boot. -## Must be used in combination with the kernel.printk sysctl. -## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation. -## -## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html -## https://wiki.archlinux.org/title/silent_boot -## -## For easier debugging, these are not applied to the recovery boot option. -## Switch the pair of commands to universally apply parameters to all boot options. -## -GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT loglevel=0" -GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT quiet" -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0" -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet" - -## For Increased Log Verbosity: -## Adjust (or comment out) the kernel.printk sysctl in /usr/lib/sysctl.d/30_silent-kernel-printk.conf. -## Alternatively, installing the debug-misc package will undo these settings. 
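Review bot: deleting 41_quiet_boot.cfg removes `loglevel=0` and `quiet` from GRUB_CMDLINE_LINUX_DEFAULT, yet the file's own comment says these "Must be used in combination with the kernel.printk sysctl" in /usr/lib/sysctl.d/30_silent-kernel-printk.conf. Nothing in this hunk touches that sysctl file, so confirm it is handled in the same change. Otherwise only half of the documented pair remains, and kernel messages are no longer suppressed from the command line during early boot. The deletion also drops the `str_replace "quiet" ""` step that stripped a pre-existing `quiet` from the default command line, so a distribution-supplied `quiet` will now pass through unchanged. Please say in the commit message whether that is intended.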
diff --git a/etc/default/grub.d/41_recovery_restrict.cfg#security-misc-shared b/etc/default/grub.d/41_recovery_restrict.cfg#security-misc-shared deleted file mode 100644 index 5da19e7..0000000 --- a/etc/default/grub.d/41_recovery_restrict.cfg#security-misc-shared +++ /dev/null @@ -1,24 +0,0 @@ -## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Definitions: -## KSPP=yes: compliant with recommendations by the KSPP -## KSPP=partial: partially compliant with recommendations by the KSPP -## KSPP=no: not (currently) compliant with recommendations by the KSPP -## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. - -## Disable access to the GRUB single-user (recovery) mode menu entries. -## -## https://forums.kicksecure.com/t/remove-linux-recovery-mode-boot-option-from-default-grub-boot-menu/727 -## -GRUB_DISABLE_RECOVERY="true" - -## Disable access to Dracut's recovery console. -## Prevents the emergency shell from starting automatically during boot failures. -## -## https://insinuator.net/2025/07/insecure-boot-injecting-initramfs-from-a-debug-shell/ -## https://serverfault.com/questions/554853/how-can-i-secure-the-dracut-shell -## https://forums.kicksecure.com/t/harden-dracut-initramfs-generator-by-disabling-recovery-console/724 -## -GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT rd.emergency=halt" -GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT rd.shell=0" diff --git a/etc/dkms/framework.conf.security-misc b/etc/dkms/framework.conf.security-misc new file mode 100644 index 0000000..f9a643d --- /dev/null +++ b/etc/dkms/framework.conf.security-misc 
@@ -0,0 +1,64 @@ +## This configuration file modifies the behavior of +## DKMS (Dynamic Kernel Module Support) and is sourced +## in by DKMS every time it is run. + +## Source Tree Location (default: /usr/src) +# source_tree="/usr/src" + +## DKMS Tree Location (default: /var/lib/dkms) +# dkms_tree="/var/lib/dkms" + +## Install Tree Location (default: /lib/modules) +# install_tree="/lib/modules" + +## tmp Location (default: /tmp) +# tmp_location="/tmp" + +## verbosity setting (verbose will be active if you set it to a non-null value) +# verbose="" + +## symlink kernel modules (will be active if you set it to a non-null value) +## This creates symlinks from the install_tree into the dkms_tree instead of +## copying the modules. This preserves some space on the costs of being less +## safe. +# symlink_modules="" + +## Automatic installation and upgrade for all installed kernels (if set to a +## non-null value) +# autoinstall_all_kernels="" + +## Script to sign modules during build, script is called with kernel version +## and module name +# sign_tool="/etc/dkms/sign_helper.sh" + +### BEGIN modifications by package security-misc ### + +## original: +## https://github.com/dell/dkms/blob/master/dkms_framework.conf + +## DKMS feature request: +## add /etc/dkms/framework.conf.d configuration file drop-in folder +## https://github.com/dell/dkms/issues/116 + +## Lower parallel compilation jobs to 1 if less than 2 GB RAM to avoid freezing +## of virtual machines. +## +## This does not necessarily belong into security-misc, however likely +## security-misc will need to modify /etc/dkms/framework.conf in the future to +## enable kernel module signing. See below. +## +## https://forums.whonix.org/t/linux-kernel-runtime-guard-lkrg-linux-kernel-runtime-integrity-checking-and-exploit-detection/8477/26 +ENOUGH_RAM="1950" +total_ram="$(free -m | sed -n -e '/^Mem:/s/^[^0-9]*\([0-9]*\) .*/\1/p')" +if [ "$total_ram" -ge "$ENOUGH_RAM" ]; then + true "INFO: Enough RAM available. 
Not lowering compilation cores." +else + true "INFO: Not enough RAM available. Lowering compilation cores to 1." + parallel_jobs=1 +fi + +## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/58 +## https://github.com/dell/dkms/blob/master/sign_helper.sh +#sign_tool="/etc/dkms/sign_helper.sh" + +### END modifications by package security-misc ### diff --git a/etc/dracut.conf.d/30-security-misc.conf b/etc/dracut.conf.d/30-security-misc.conf new file mode 100644 index 0000000..189751c --- /dev/null +++ b/etc/dracut.conf.d/30-security-misc.conf @@ -0,0 +1,4 @@ +reproducible=yes + +## Debugging. +show_modules=yes diff --git a/etc/dracut.conf.d/30-security-misc.conf#security-misc-shared b/etc/dracut.conf.d/30-security-misc.conf#security-misc-shared deleted file mode 100644 index 5b3c7b5..0000000 --- a/etc/dracut.conf.d/30-security-misc.conf#security-misc-shared +++ /dev/null @@ -1,7 +0,0 @@ -## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -reproducible=yes - -## Debugging. -#show_modules=yes diff --git a/etc/gitconfig#security-misc-shared b/etc/gitconfig#security-misc-shared deleted file mode 100644 index 8ce67b4..0000000 --- a/etc/gitconfig#security-misc-shared +++ /dev/null 
@@ -1,38 +0,0 @@ -## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Lines starting with a hash symbol ('#') are comments. -## https://github.com/Kicksecure/security-misc/issues/225 - -[core] -## https://github.com/git/git/security/advisories/GHSA-8prw-h3cq-mghm - symlinks = false - -## https://forums.whonix.org/t/git-users-enable-fsck-by-default-for-better-security/2066 -[transfer] - fsckobjects = true -[fetch] - fsckobjects = true -[receive] - fsckobjects = true - -## Generally a good idea but too intrusive to enable by default. -## Listed here as suggestions what users should put into their ~/.gitconfig -## file. - -## Not enabled by default because it requires essential knowledge about OpenPG -## and an already existing local signing key. Otherwise would prevent all new -## commits. -#[commit] -# gpgsign = true - -## Not enabled by default because it would break the 'git merge' command for -## unsigned commits and require the '--no-verify-signature' command line -## option. -#[merge] -# verifySignatures = true - -## Not enabled by default because it would break for users who are not having -## an account at the git server and having added a SSH public key. -#[url "ssh://git@github.com/"] -# insteadOf = https://github.com/ diff --git a/etc/hide-hardware-info.d/30_default.conf#security-misc-shared b/etc/hide-hardware-info.d/30_default.conf similarity index 54% rename from etc/hide-hardware-info.d/30_default.conf#security-misc-shared rename to etc/hide-hardware-info.d/30_default.conf index d1bc221..cb2de9b 100644 --- a/etc/hide-hardware-info.d/30_default.conf#security-misc-shared +++ b/etc/hide-hardware-info.d/30_default.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Disable the /sys whitelist. 
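Review bot: the copyright line in the `@@ -1,4 +1,4 @@` hunk of 30_default.conf goes from "2012 - 2025 ENCRYPTED SUPPORT LLC" to "2012 - 2021 ENCRYPTED SUPPORT LP", which is an earlier end year and a different entity name. That reads as if the diff was generated in the reverse direction or against an older tree rather than as a forward change. Confirm the direction before relying on the rest of the patch, because the same pattern (newer "#security-misc-shared" files deleted, older-looking files added) would mean the hardening removals shown above are not what is actually being proposed.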
@@ -7,9 +7,6 @@ ## Disable the /proc/cpuinfo whitelist. #cpuinfo_whitelist=0 -## Disable /sys hardening. -#sysfs=0 - ## Disable selinux mode. -## https://www.kicksecure.com/wiki/Security-misc#selinux +## https://www.whonix.org/wiki/Security-misc#selinux #selinux=0 diff --git a/etc/initramfs-tools/hooks/sysctl-initramfs b/etc/initramfs-tools/hooks/sysctl-initramfs new file mode 100755 index 0000000..944618a --- /dev/null +++ b/etc/initramfs-tools/hooks/sysctl-initramfs @@ -0,0 +1,21 @@ +#!/bin/sh + +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +set -e + +PREREQ="" +prereqs() +{ + echo "$PREREQ" +} +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /usr/share/initramfs-tools/hook-functions +copy_exec /sbin/sysctl /sbin diff --git a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs new file mode 100755 index 0000000..89e1377 --- /dev/null +++ b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs @@ -0,0 +1,26 @@ +#!/bin/sh + +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +PREREQ="" +prereqs() +{ + echo "$PREREQ" +} +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +## Write to '/run/initramfs' folder. +## https://forums.whonix.org/t/kernel-hardening/7296/435 + +sysctl -p ${rootmnt}/etc/sysctl.conf >/dev/null 2> "/run/initramfs/sysctl-initramfs-error.log" +sysctl -p ${rootmnt}/etc/sysctl.d/*.conf >/dev/null 2>> "/run/initramfs/sysctl-initramfs-error.log" + +grep -v "unprivileged_userfaultfd" "/run/initramfs/sysctl-initramfs-error.log" + +true diff --git a/etc/kernel/postinst.d/30_remove-system-map#security-misc-shared b/etc/kernel/postinst.d/30_remove-system-map similarity index 70% rename from etc/kernel/postinst.d/30_remove-system-map#security-misc-shared rename to etc/kernel/postinst.d/30_remove-system-map index 416c808..acb9786 100755 
--- a/etc/kernel/postinst.d/30_remove-system-map#security-misc-shared +++ b/etc/kernel/postinst.d/30_remove-system-map @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. if test -x /usr/libexec/security-misc/remove-system.map ; then diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf new file mode 100644 index 0000000..ffa2b33 --- /dev/null +++ b/etc/modprobe.d/30_security-misc.conf 
@@ -0,0 +1,60 @@ +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## https://phabricator.whonix.org/T486 +options nf_conntrack nf_conntrack_helper=0 + +# Blacklists bluetooth to reduce attack surface. +# Bluetooth also has a history of security vulnerabilities: +# +# https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns +install bluetooth /bin/false +install btusb /bin/false + +# Blacklist thunderbolt and firewire to prevent some DMA attacks. +install firewire-core /bin/false +install thunderbolt /bin/false + +# Blacklist CPU MSRs as they can be abused to write to +# arbitrary memory. +install msr /bin/false + +# Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties. +# +# Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these. +# +# > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users. +# +# > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record. 
+# +install dccp /bin/false +install sctp /bin/false +install rds /bin/false +install tipc /bin/false +install n-hdlc /bin/false +install ax25 /bin/false +install netrom /bin/false +install x25 /bin/false +install rose /bin/false +install decnet /bin/false +install econet /bin/false +install af_802154 /bin/false +install ipx /bin/false +install appletalk /bin/false +install psnap /bin/false +install p8023 /bin/false +install p8022 /bin/false +install can /bin/false +install atm /bin/false + +# Disable uncommon filesystems to reduce attack surface +install cramfs /bin/false +install udf /bin/false + +## Blacklists the vivid kernel module as it's only required for +## testing and has been the cause of multiple vulnerabilities. +## +## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233 +## https://www.openwall.com/lists/oss-security/2019/11/02/1 +## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 +install vivid /bin/false diff --git a/etc/modprobe.d/30_security-misc_blacklist.conf#security-misc-shared b/etc/modprobe.d/30_security-misc_blacklist.conf#security-misc-shared deleted file mode 100644 index f3bd87b..0000000 --- a/etc/modprobe.d/30_security-misc_blacklist.conf#security-misc-shared +++ /dev/null 
@@ -1,59 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## See the following links for a community discussion and overview regarding the selections. -## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989 -## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules - -## Blacklisting prevents kernel modules from automatically starting. -## Disabling prohibits kernel modules from starting. - -## CD-ROM/DVD: -## Blacklist CD-ROM and DVD modules. -## Not disabled by default due to potential future ISO plans. -## Can uncomment the bottom pair to disable both modules. -## -## https://nvd.nist.gov/vuln/detail/CVE-2018-11506 -## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31 -## -blacklist cdrom -blacklist sr_mod -#install cdrom /usr/bin/disabled-cdrom-by-security-misc -#install sr_mod /usr/bin/disabled-cdrom-by-security-misc - -## Miscellaneous: - -## GrapheneOS: -## Partial selection of their infrastructure blacklist. -## Duplicate and already disabled modules have been omitted. -## Currently snd_intel8x0 is required by some users for VirtualBox audio device ICH AC97. -## -## https://github.com/GrapheneOS/infrastructure/tree/main/etc/modprobe.d -## https://www.kicksecure.com/wiki/Dev/audio -## https://github.com/Kicksecure/security-misc/issues/271 -## -#blacklist cfg80211 -#blacklist intel_agp -#blacklist ip_tables -#blacklist mousedev -#blacklist psmouse -#blacklist snd_intel8x0 -#blacklist tls -#blacklist virtio_balloon -#blacklist virtio_console - -## Ubuntu: -## Already disabled modules have been omitted. 
-## -## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco -## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco -## -blacklist amd76x_edac -blacklist ath_pci -blacklist evbug -blacklist pcspkr -blacklist snd_aw2 -blacklist snd_intel8x0m -blacklist snd_pcsp -blacklist usbkbd -blacklist usbmouse diff --git a/etc/modprobe.d/30_security-misc_conntrack.conf#security-misc-shared b/etc/modprobe.d/30_security-misc_conntrack.conf#security-misc-shared deleted file mode 100644 index 7c51595..0000000 --- a/etc/modprobe.d/30_security-misc_conntrack.conf#security-misc-shared +++ /dev/null @@ -1,13 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Conntrack: -## Disable Netfilter's automatic connection tracking helper assignment. -## This functionality adds unnecessary features, such as IRC protocol parsing, into the kernel. -## Disabling it reduces the kernel attack surface and improves security. -## -## https://conntrack-tools.netfilter.org/manual.html -## https://home.regit.org/netfilter-en/secure-use-of-helpers/ -## https://forums.whonix.org/t/disable-conntrack-helper/18917 -## -options nf_conntrack nf_conntrack_helper=0 diff --git a/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared b/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared deleted file mode 100644 index 644048c..0000000 --- a/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared +++ /dev/null 
@@ -1,356 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## See the following links for a community discussion and overview regarding the selections: -## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989 -## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules - -## Blacklisting prevents kernel modules from automatically starting. -## Disabling prohibits kernel modules from starting. - -## This configuration file is split into 4 sections: -## 1. Hardware -## 2. File Systems -## 3. Networking -## 4. Miscellaneous - -## 1. Hardware: - -## Bluetooth: -## Disable Bluetooth to reduce the attack surface due to its long history of security vulnerabilities. -## Replaced with a privacy and security preserving default Bluetooth configuration for better usability. -## -## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns -## https://github.com/Kicksecure/security-misc/pull/145 -## -#install bluetooth /usr/bin/disabled-bluetooth-by-security-misc -#install bluetooth_6lowpan /usr/bin/disabled-bluetooth-by-security-misc -#install bt3c_cs /usr/bin/disabled-bluetooth-by-security-misc -#install btbcm /usr/bin/disabled-bluetooth-by-security-misc -#install btintel /usr/bin/disabled-bluetooth-by-security-misc -#install btmrvl /usr/bin/disabled-bluetooth-by-security-misc -#install btmrvl_sdio /usr/bin/disabled-bluetooth-by-security-misc -#install btmtk /usr/bin/disabled-bluetooth-by-security-misc -#install btmtksdio /usr/bin/disabled-bluetooth-by-security-misc -#install btmtkuart /usr/bin/disabled-bluetooth-by-security-misc -#install btnxpuart /usr/bin/disabled-bluetooth-by-security-misc -#install btqca /usr/bin/disabled-bluetooth-by-security-misc -#install btrsi /usr/bin/disabled-bluetooth-by-security-misc -#install btrtl /usr/bin/disabled-bluetooth-by-security-misc -#install btsdio /usr/bin/disabled-bluetooth-by-security-misc 
-#install btusb /usr/bin/disabled-bluetooth-by-security-misc -#install virtio_bt /usr/bin/disabled-bluetooth-by-security-misc - -## CPU Model-Specific Registers (MSRs): -## User-level read access to MSRs can allow malicious unprivileged applications to access other trust domains. -## MSRs can also be abused to write to arbitrary memory. -## -## https://en.wikipedia.org/wiki/Model-specific_register -## https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/running-average-power-limit-energy-reporting.html -## https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/best-practices/reading-writing-msrs-in-linux.html -## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode -## https://github.com/Kicksecure/security-misc/issues/215 -## -#install intel_rapl_msr /usr/bin/disabled-cpumsr-by-security-misc -#install isst_if_mbox_msr /usr/bin/disabled-cpumsr-by-security-misc -#install msr /usr/bin/disabled-cpumsr-by-security-misc - -## FireWire (IEEE 1394): -## Disable IEEE 1394 (FireWire/i.LINK/Lynx) modules to prevent certain DMA attacks. -## -## https://en.wikipedia.org/wiki/IEEE_1394#Security_issues -## -install dv1394 /usr/bin/disabled-firewire-by-security-misc -install firewire-core /usr/bin/disabled-firewire-by-security-misc -install firewire-ohci /usr/bin/disabled-firewire-by-security-misc -install firewire-net /usr/bin/disabled-firewire-by-security-misc -install firewire-sbp2 /usr/bin/disabled-firewire-by-security-misc -install ohci1394 /usr/bin/disabled-firewire-by-security-misc -install raw1394 /usr/bin/disabled-firewire-by-security-misc -install sbp2 /usr/bin/disabled-firewire-by-security-misc -install video1394 /usr/bin/disabled-firewire-by-security-misc - -## Global Positioning Systems (GPS): -## Disable GPS-related modules like GNSS (Global Navigation Satellite System). 
-## -install garmin_gps /usr/bin/disabled-gps-by-security-misc -install gnss /usr/bin/disabled-gps-by-security-misc -install gnss-mtk /usr/bin/disabled-gps-by-security-misc -install gnss-serial /usr/bin/disabled-gps-by-security-misc -install gnss-sirf /usr/bin/disabled-gps-by-security-misc -install gnss-ubx /usr/bin/disabled-gps-by-security-misc -install gnss-usb /usr/bin/disabled-gps-by-security-misc - -## Intel Management Engine (ME): -## Partially disable the Intel ME interface with the OS. -## ME functionality has increasingly become intertwined with basic Intel system operation. -## Disabling it may lead to breakages in various components without clear debugging/error messages. -## It may affect firmware updates, security, power management, display, and DRM. -## -## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html -## https://en.wikipedia.org/wiki/Intel_Management_Engine#Security_vulnerabilities -## https://www.kicksecure.com/wiki/Out-of-band_Management_Technology#Intel_ME_Disabling_Disadvantages -## https://github.com/Kicksecure/security-misc/pull/236#issuecomment-2229092813 -## https://github.com/Kicksecure/security-misc/issues/239 -## -#install mei /usr/bin/disabled-intelme-by-security-misc -#install mei-gsc /usr/bin/disabled-intelme-by-security-misc -#install mei_gsc_proxy /usr/bin/disabled-intelme-by-security-misc -#install mei_hdcp /usr/bin/disabled-intelme-by-security-misc -#install mei-me /usr/bin/disabled-intelme-by-security-misc -#install mei_phy /usr/bin/disabled-intelme-by-security-misc -#install mei_pxp /usr/bin/disabled-intelme-by-security-misc -#install mei-txe /usr/bin/disabled-intelme-by-security-misc -#install mei-vsc /usr/bin/disabled-intelme-by-security-misc -#install mei-vsc-hw /usr/bin/disabled-intelme-by-security-misc -#install mei_wdt /usr/bin/disabled-intelme-by-security-misc -#install microread_mei /usr/bin/disabled-intelme-by-security-misc - -## Intel Platform Monitoring Technology (PMT) Telemetry: -## Disable certain 
functionalities of the Intel PMT components. -## -## https://www.intel.com/content/www/us/en/content-details/710389/intel-platform-monitoring-technology-intel-pmt-technical-specification.html -## https://github.com/intel/Intel-PMT -## -install pmt_class /usr/bin/disabled-intelpmt-by-security-misc -install pmt_crashlog /usr/bin/disabled-intelpmt-by-security-misc -install pmt_telemetry /usr/bin/disabled-intelpmt-by-security-misc - -## Thunderbolt: -## Disable Thunderbolt modules to prevent certain DMA attacks. -## -## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities -## -install intel-wmi-thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc -install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc -install thunderbolt_net /usr/bin/disabled-thunderbolt-by-security-misc - -## 2. File Systems: - -## File Systems: -## Disable uncommon file systems to reduce attack surface. -## HFS/HFS+ are legacy Apple file systems that may be required depending on the EFI partition format. 
-## -## https://docs.kernel.org/filesystems/index.html -## https://github.com/secureblue/secureblue/tree/live/files/system/usr/lib/modprobe.d -## -install adfs /usr/bin/disabled-filesys-by-security-misc -install affs /usr/bin/disabled-filesys-by-security-misc -install afs /usr/bin/disabled-filesys-by-security-misc -install befs /usr/bin/disabled-filesys-by-security-misc -install ceph /usr/bin/disabled-filesys-by-security-misc -install coda /usr/bin/disabled-filesys-by-security-misc -install cramfs /usr/bin/disabled-filesys-by-security-misc -install ecryptfs /usr/bin/disabled-filesys-by-security-misc -install freevxfs /usr/bin/disabled-filesys-by-security-misc -install hfs /usr/bin/disabled-filesys-by-security-misc -install hfsplus /usr/bin/disabled-filesys-by-security-misc -install jffs2 /usr/bin/disabled-filesys-by-security-misc -install jfs /usr/bin/disabled-filesys-by-security-misc -install kafs /usr/bin/disabled-filesys-by-security-misc -install minix /usr/bin/disabled-filesys-by-security-misc -install nilfs2 /usr/bin/disabled-filesys-by-security-misc -install ocfs2 /usr/bin/disabled-filesys-by-security-misc -install orangefs /usr/bin/disabled-filesys-by-security-misc -install reiserfs /usr/bin/disabled-filesys-by-security-misc -install romfs /usr/bin/disabled-filesys-by-security-misc -install sysv /usr/bin/disabled-filesys-by-security-misc -install ubifs /usr/bin/disabled-filesys-by-security-misc -install udf /usr/bin/disabled-filesys-by-security-misc -install ufs /usr/bin/disabled-filesys-by-security-misc -install zonefs /usr/bin/disabled-filesys-by-security-misc - -## Network File Systems: -## Disable uncommon network file systems to reduce attack surface. -## Currently 9p is required for KVM shared folders in Whonix. 
-## -## https://www.whonix.org/wiki/KVM#Shared_Folder -## -#install 9p /usr/bin/disabled-netfilesys-by-security-misc -install gfs2 /usr/bin/disabled-netfilesys-by-security-misc -install ksmbd /usr/bin/disabled-netfilesys-by-security-misc - -## Network File System - Common Internet File System (CIFS): -## -install cifs /usr/bin/disabled-netfilesys-by-security-misc -install cifs_arc4 /usr/bin/disabled-netfilesys-by-security-misc -install cifs_md4 /usr/bin/disabled-netfilesys-by-security-misc - -## Network File System - Network File System (NFS): -## -install nfs /usr/bin/disabled-netfilesys-by-security-misc -install nfs_acl /usr/bin/disabled-netfilesys-by-security-misc -install nfs_layout_nfsv41_files /usr/bin/disabled-netfilesys-by-security-misc -install nfs_layout_flexfiles /usr/bin/disabled-netfilesys-by-security-misc -install nfsd /usr/bin/disabled-netfilesys-by-security-misc -install nfsv2 /usr/bin/disabled-netfilesys-by-security-misc -install nfsv3 /usr/bin/disabled-netfilesys-by-security-misc -install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc - -## 2. Networking: - -## Network Protocols: -## Disable rare and unneeded network protocols that are a common source of unknown vulnerabilities. -## Previously had blacklisted eepro100 and eth1394. 
-## -## https://tails.boum.org/blueprint/blacklist_modules/ -## https://fedoraproject.org/wiki/Security_Features_Matrix#Blacklist_Rare_Protocols -## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-rare-network.conf?h=ubuntu/disco -## https://github.com/Kicksecure/security-misc/pull/234#issuecomment-2230732015 -## -install af_802154 /usr/bin/disabled-network-by-security-misc -install appletalk /usr/bin/disabled-network-by-security-misc -install ax25 /usr/bin/disabled-network-by-security-misc -install decnet /usr/bin/disabled-network-by-security-misc -install dccp /usr/bin/disabled-network-by-security-misc -install econet /usr/bin/disabled-network-by-security-misc -install eepro100 /usr/bin/disabled-network-by-security-misc -install eth1394 /usr/bin/disabled-network-by-security-misc -install ipx /usr/bin/disabled-network-by-security-misc -install n-hdlc /usr/bin/disabled-network-by-security-misc -install netrom /usr/bin/disabled-network-by-security-misc -install p8022 /usr/bin/disabled-network-by-security-misc -install p8023 /usr/bin/disabled-network-by-security-misc -install psnap /usr/bin/disabled-network-by-security-misc -install rose /usr/bin/disabled-network-by-security-misc -install x25 /usr/bin/disabled-network-by-security-misc - -## Network Protocol - Asynchronous Transfer Mode (ATM): -## -install atm /usr/bin/disabled-network-by-security-misc -install ueagle-atm /usr/bin/disabled-network-by-security-misc -install usbatm /usr/bin/disabled-network-by-security-misc -install xusbatm /usr/bin/disabled-network-by-security-misc - -## Network Protocol - Controller Area Network (CAN): -## -install c_can /usr/bin/disabled-network-by-security-misc -install c_can_pci /usr/bin/disabled-network-by-security-misc -install c_can_platform /usr/bin/disabled-network-by-security-misc -install can /usr/bin/disabled-network-by-security-misc -install can-bcm /usr/bin/disabled-network-by-security-misc -install can-dev 
/usr/bin/disabled-network-by-security-misc -install can-gw /usr/bin/disabled-network-by-security-misc -install can-isotp /usr/bin/disabled-network-by-security-misc -install can-raw /usr/bin/disabled-network-by-security-misc -install can-j1939 /usr/bin/disabled-network-by-security-misc -install can327 /usr/bin/disabled-network-by-security-misc -install ifi_canfd /usr/bin/disabled-network-by-security-misc -install janz-ican3 /usr/bin/disabled-network-by-security-misc -install m_can /usr/bin/disabled-network-by-security-misc -install m_can_pci /usr/bin/disabled-network-by-security-misc -install m_can_platform /usr/bin/disabled-network-by-security-misc -install phy-can-transceiver /usr/bin/disabled-network-by-security-misc -install slcan /usr/bin/disabled-network-by-security-misc -install ucan /usr/bin/disabled-network-by-security-misc -install vxcan /usr/bin/disabled-network-by-security-misc -install vcan /usr/bin/disabled-network-by-security-misc - -## Network Protocol - Transparent Inter Process Communication (TIPC): -## -install tipc /usr/bin/disabled-network-by-security-misc -install tipc_diag /usr/bin/disabled-network-by-security-misc - -## Network Protocol - Reliable Datagram Sockets (RDS): -## -install rds /usr/bin/disabled-network-by-security-misc -install rds_rdma /usr/bin/disabled-network-by-security-misc -install rds_tcp /usr/bin/disabled-network-by-security-misc - -## Network Protocol - Stream Control Transmission Protocol (SCTP): -## -install sctp /usr/bin/disabled-network-by-security-misc -install sctp_diag /usr/bin/disabled-network-by-security-misc - -## 4. Miscellaneous: - -## Amateur Radios: -## -install hamradio /usr/bin/disabled-miscellaneous-by-security-misc - -## Floppy Disks: -## -install floppy /usr/bin/disabled-miscellaneous-by-security-misc - -## Framebuffer (fbdev): -## Video drivers are known to be buggy, cause kernel panics, and are generally only used by legacy devices. -## These were all previously blacklisted. 
-## -## https://docs.kernel.org/fb/index.html -## https://en.wikipedia.org/wiki/Linux_framebuffer -## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco -## -install aty128fb /usr/bin/disabled-framebuffer-by-security-misc -install atyfb /usr/bin/disabled-framebuffer-by-security-misc -install cirrusfb /usr/bin/disabled-framebuffer-by-security-misc -install cyber2000fb /usr/bin/disabled-framebuffer-by-security-misc -install cyblafb /usr/bin/disabled-framebuffer-by-security-misc -install gx1fb /usr/bin/disabled-framebuffer-by-security-misc -install hgafb /usr/bin/disabled-framebuffer-by-security-misc -install i810fb /usr/bin/disabled-framebuffer-by-security-misc -install intelfb /usr/bin/disabled-framebuffer-by-security-misc -install kyrofb /usr/bin/disabled-framebuffer-by-security-misc -install lxfb /usr/bin/disabled-framebuffer-by-security-misc -install matroxfb_base /usr/bin/disabled-framebuffer-by-security-misc -install neofb /usr/bin/disabled-framebuffer-by-security-misc -install nvidiafb /usr/bin/disabled-framebuffer-by-security-misc -install pm2fb /usr/bin/disabled-framebuffer-by-security-misc -install radeonfb /usr/bin/disabled-framebuffer-by-security-misc -install rivafb /usr/bin/disabled-framebuffer-by-security-misc -install s1d13xxxfb /usr/bin/disabled-framebuffer-by-security-misc -install savagefb /usr/bin/disabled-framebuffer-by-security-misc -install sisfb /usr/bin/disabled-framebuffer-by-security-misc -install sstfb /usr/bin/disabled-framebuffer-by-security-misc -install tdfxfb /usr/bin/disabled-framebuffer-by-security-misc -install tridentfb /usr/bin/disabled-framebuffer-by-security-misc -install vesafb /usr/bin/disabled-framebuffer-by-security-misc -install vfb /usr/bin/disabled-framebuffer-by-security-misc -install viafb /usr/bin/disabled-framebuffer-by-security-misc -install vt8623fb /usr/bin/disabled-framebuffer-by-security-misc -install udlfb /usr/bin/disabled-framebuffer-by-security-misc 
- -## Joysticks: -## -## https://docs.kernel.org/input/joydev/joystick.html -## -install joydev /usr/bin/disabled-miscellaneous-by-security-misc - -## Replaced Modules: -## These legacy drivers have all been entirely replaced and superseded by newer drivers. -## Many of these were previously blacklisted. -## -## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco -## -install asus_acpi /usr/bin/disabled-miscellaneous-by-security-misc -install bcm43xx /usr/bin/disabled-miscellaneous-by-security-misc -install brcm80211 /usr/bin/disabled-miscellaneous-by-security-misc -install de4x5 /usr/bin/disabled-miscellaneous-by-security-misc -install prism54 /usr/bin/disabled-miscellaneous-by-security-misc - -## RNDIS: -## Disable as believed to have unfixable buffer overflow issues impossible to make secure. -## Used by some network devices common with Android USB tethering. -## -## https://en.wikipedia.org/wiki/RNDIS -## https://lkml.org/lkml/2022/11/23/728 -## https://lore.kernel.org/lkml/2023071333-wildly-playroom-878b@gregkh/ -## -install rndis_host /usr/bin/disabled-miscellaneous-by-security-misc -install usb_f_rndis /usr/bin/disabled-miscellaneous-by-security-misc - -## USB Video Device Class: -## Disable the USB-based video streaming driver for devices like some webcams and digital camcorders. -## -#install uvcvideo /usr/bin/disabled-miscellaneous-by-security-misc - -## Vivid: -## Disable the vivid kernel module since it has been the cause of multiple vulnerabilities. -## Required only for running tests associated with the Qubes Video Companion. 
-## -## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233 -## https://www.openwall.com/lists/oss-security/2019/11/02/1 -## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 -## https://forums.whonix.org/t/testing-qubes-video-companion-on-whonix/21393 -## https://github.com/Kicksecure/security-misc/issues/298 -## -#install vivid /usr/bin/disabled-miscellaneous-by-security-misc diff --git a/etc/permission-hardening.d/25_default_sudo.conf b/etc/permission-hardening.d/25_default_sudo.conf new file mode 100644 index 0000000..3087ad4 --- /dev/null +++ b/etc/permission-hardening.d/25_default_sudo.conf @@ -0,0 +1,20 @@ +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardening.d/20_user.conf" or +## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +## https://forums.whonix.org/t/restrict-root-access/7658/116 +## This restricts the file permissions of the sudo executable so that a vulnerability +## in the program will not be exploitable by any users not in the "sudo" group. sudo +## is a very complex program and is setuid so vulnerabilities in it can allow privilege +## escalation, regardless of other root access restrictions. For example, the following +## buffer overflow vulnerability could have been exploited by any user on the system: +## https://www.openwall.com/lists/oss-security/2021/01/26/3 +## With this restriction, only users explicitly permitted to use sudo by being added to +## the "sudo" group could exploit such vulnerabilities. For example, this would prevent a +## compromised network-facing daemon (such as web servers, time synchronization daemons, +## etc.) running as its own user from exploiting sudo to escalate privileges. +#/usr/bin/sudo 4750 root sudo +#/bin/sudo 4750 root sudo 
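Review bot: Both rules at the end of 25_default_sudo.conf are commented out (`#/usr/bin/sudo 4750 root sudo`, `#/bin/sudo 4750 root sudo`), yet the comment above them is written in the present tense ("This restricts the file permissions of the sudo executable"), so a reader can conclude that the group restriction is active once the package is installed. Say in the header that the restriction is opt-in and that enabling it means copying the two lines, uncommented, into `/etc/permission-hardening.d/20_user.conf`. It would also help to state how these mode lines relate to the `exactwhitelist` entries for the same two paths in 25_default_whitelist_sudo.conf, since mode `4750` keeps the setuid bit.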
diff --git a/etc/permission-hardening.d/25_default_whitelist_bubblewrap.conf b/etc/permission-hardening.d/25_default_whitelist_bubblewrap.conf new file mode 100644 index 0000000..cec7ec1 --- /dev/null +++ b/etc/permission-hardening.d/25_default_whitelist_bubblewrap.conf @@ -0,0 +1,9 @@ +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardening.d/20_user.conf" or +## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +/usr/bin/bwrap exactwhitelist +/bin/bwrap exactwhitelist diff --git a/etc/permission-hardening.d/25_default_whitelist_chromium.conf b/etc/permission-hardening.d/25_default_whitelist_chromium.conf new file mode 100644 index 0000000..399a005 --- /dev/null +++ b/etc/permission-hardening.d/25_default_whitelist_chromium.conf @@ -0,0 +1,8 @@ +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardening.d/20_user.conf" or +## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +/usr/lib/chromium/chrome-sandbox exactwhitelist diff --git a/etc/permission-hardening.d/25_default_whitelist_dbus.conf b/etc/permission-hardening.d/25_default_whitelist_dbus.conf new file mode 100644 index 0000000..bdb1a03 --- /dev/null +++ b/etc/permission-hardening.d/25_default_whitelist_dbus.conf @@ -0,0 +1,8 @@ +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardening.d/20_user.conf" or +## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +dbus-daemon-launch-helper matchwhitelist 
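Review bot: `dbus-daemon-launch-helper matchwhitelist` gives neither a directory nor a leading slash, so the entry is keyed on the file name alone. The section header removed from 30_default.conf later in this patch describes `matchwhitelist` as matching "in any section of the path", which means any file whose path contains that string is whitelisted, wherever it lives. The bubblewrap and chromium files added alongside it use full paths with `exactwhitelist`; prefer the same here, or add a comment explaining why the helper's location cannot be pinned.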
diff --git a/etc/permission-hardening.d/25_default_whitelist_firejail.conf b/etc/permission-hardening.d/25_default_whitelist_firejail.conf new file mode 100644 index 0000000..5e6abef --- /dev/null +++ b/etc/permission-hardening.d/25_default_whitelist_firejail.conf @@ -0,0 +1,11 @@ +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardening.d/20_user.conf" or +## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +## There is a controversy about firejail but those who choose to install it +## should be able to use it. +## https://www.whonix.org/wiki/Dev/Firejail#Security +/usr/bin/firejail exactwhitelist diff --git a/etc/permission-hardening.d/25_default_whitelist_fuse.conf b/etc/permission-hardening.d/25_default_whitelist_fuse.conf new file mode 100644 index 0000000..8d591cc --- /dev/null +++ b/etc/permission-hardening.d/25_default_whitelist_fuse.conf @@ -0,0 +1,10 @@ +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardening.d/20_user.conf" or +## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +## required for AppImages such as electrum Bitcoin wallet +## https://forums.whonix.org/t/disable-suid-binaries/7706/57 +/fusermount matchwhitelist diff --git a/etc/permission-hardening.d/25_default_whitelist_mount.conf b/etc/permission-hardening.d/25_default_whitelist_mount.conf new file mode 100644 index 0000000..8f8bc51 --- /dev/null +++ b/etc/permission-hardening.d/25_default_whitelist_mount.conf 
@@ -0,0 +1,17 @@ +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardening.d/20_user.conf" or +## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +## https://forums.whonix.org/t/disable-suid-binaries/7706/61 +## Protect from 'chmod -x' (and SUID removal). +## SUID will be removed below in separate step. +/bin/mount exactwhitelist +/usr/bin/mount exactwhitelist + +## Remove SUID from 'mount' but keep executable. +## https://forums.whonix.org/t/disable-suid-binaries/7706/61 +/bin/mount 745 root root +/usr/bin/mount 745 root root diff --git a/etc/permission-hardening.d/25_default_whitelist_policykit.conf b/etc/permission-hardening.d/25_default_whitelist_policykit.conf new file mode 100644 index 0000000..be606a5 --- /dev/null +++ b/etc/permission-hardening.d/25_default_whitelist_policykit.conf @@ -0,0 +1,17 @@ +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardening.d/20_user.conf" or +## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +/usr/bin/pkexec exactwhitelist +/bin/pkexec exactwhitelist +/usr/bin/pkexec.security-misc-orig exactwhitelist +/bin/pkexec.security-misc-orig exactwhitelist + +## TODO: research +## match both: +#/usr/lib/policykit-1/polkit-agent-helper-1 matchwhitelist +#/lib/policykit-1/polkit-agent-helper-1 +polkit-agent-helper-1 matchwhitelist diff --git a/etc/permission-hardening.d/25_default_whitelist_qubes.conf b/etc/permission-hardening.d/25_default_whitelist_qubes.conf new file mode 100644 index 0000000..1a934b0 --- /dev/null +++ b/etc/permission-hardening.d/25_default_whitelist_qubes.conf 
@@ -0,0 +1,13 @@ +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardening.d/20_user.conf" or +## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +## TODO: research +## https://github.com/QubesOS/qubes-core-agent-linux/blob/master/qubes-rpc/qfile-unpacker.c +## match both: +#/usr/lib/qubes/qfile-unpacker whitelist +#/lib/qubes/qfile-unpacker +/qubes/qfile-unpacker matchwhitelist diff --git a/etc/permission-hardening.d/25_default_whitelist_selinux.conf b/etc/permission-hardening.d/25_default_whitelist_selinux.conf new file mode 100644 index 0000000..076b996 --- /dev/null +++ b/etc/permission-hardening.d/25_default_whitelist_selinux.conf @@ -0,0 +1,8 @@ +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardening.d/20_user.conf" or +## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +/utempter/utempter matchwhitelist diff --git a/etc/permission-hardening.d/25_default_whitelist_spice.conf b/etc/permission-hardening.d/25_default_whitelist_spice.conf new file mode 100644 index 0000000..aa261f9 --- /dev/null +++ b/etc/permission-hardening.d/25_default_whitelist_spice.conf @@ -0,0 +1,8 @@ +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardening.d/20_user.conf" or +## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper exactwhitelist 
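Review bot: 25_default_whitelist_spice.conf whitelists `/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper` without any comment on why the helper is exempted or which setups depend on it. The fuse and firejail files in this patch carry a one-line reason and a link; add the same here so the exemption can be audited later rather than kept by default.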
diff --git a/etc/permission-hardening.d/25_default_whitelist_sudo.conf b/etc/permission-hardening.d/25_default_whitelist_sudo.conf new file mode 100644 index 0000000..1b8b69a --- /dev/null +++ b/etc/permission-hardening.d/25_default_whitelist_sudo.conf @@ -0,0 +1,9 @@ +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardening.d/20_user.conf" or +## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +/usr/bin/sudo exactwhitelist +/bin/sudo exactwhitelist diff --git a/etc/permission-hardening.d/25_default_whitelist_virtualbox.conf b/etc/permission-hardening.d/25_default_whitelist_virtualbox.conf new file mode 100644 index 0000000..0f78927 --- /dev/null +++ b/etc/permission-hardening.d/25_default_whitelist_virtualbox.conf @@ -0,0 +1,9 @@ +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardening.d/20_user.conf" or +## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +## TODO: research +/usr/lib/virtualbox/ matchwhitelist diff --git a/usr/lib/permission-hardener.d/30_default.conf#security-misc-shared b/etc/permission-hardening.d/30_default.conf similarity index 64% rename from usr/lib/permission-hardener.d/30_default.conf#security-misc-shared rename to etc/permission-hardening.d/30_default.conf index 6e5f940..a46abcc 100644 --- a/usr/lib/permission-hardener.d/30_default.conf#security-misc-shared +++ b/etc/permission-hardening.d/30_default.conf 
@@ -1,17 +1,18 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc-shared is updated, this file may be -## overwritten. +## Please use "/etc/permission-hardening.d/20_user.conf" or +## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. ## File permission hardening. ## ## Syntax: ## [filename] [mode] [owner] [group] [capability] -## [filename] [exactwhitelist|matchwhitelist|disablewhitelist|nosuid] ## +## To remove all SUID/SGID binaries in a directory, you can use the "nosuid" +## argument. + ## TODO: white spaces inside file name untested and probably will not work. ###################################################################### @@ -21,9 +22,13 @@ #whitelists_disable_all=true ###################################################################### -# SUID disables below (or in lexically higher) files: disablewhitelist +# SUID disablewhitelist ###################################################################### +## disablewhitelist disables below (or in lexically higher) files +## exactwhitelist and matchwhitelist. Add these here (discouraged) or better +## in file "/etc/permission-hardening.d/20_user.conf". + ## For example, if you are not using SELinux the following might make sense to ## enable. TODO: research #/utempter/utempter disablewhitelist 
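Review bot: The Syntax block loses its second form, `## [filename] [exactwhitelist|matchwhitelist|disablewhitelist|nosuid]`, and gains only a sentence about `nosuid`, so after this hunk the header documents the mode/owner/group/capability form and nothing else, while this file and the 25_default_whitelist_*.conf files depend on the three whitelist keywords. Keep the second syntax line next to the first. The new paragraph under "SUID disablewhitelist" is a good addition; it would be clearer still if it named the keyword position explicitly, as in the commented example `#/utempter/utempter disablewhitelist`.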
@@ -32,83 +37,82 @@ #/fusermount disablewhitelist ###################################################################### -# SUID whitelist matches full path: exactwhitelist +# SUID exact match whitelist ###################################################################### ## In case you need to use 'su'. See also: -## https://www.kicksecure.com/wiki/root#su +## https://www.whonix.org/wiki/root#su +#/bin/su exactwhitelist #/usr/bin/su exactwhitelist +###################################################################### +# SUID exact match whitelist +###################################################################### + ## https://manpages.debian.org/xserver-xorg-legacy/Xorg.wrap.1.en.html ## https://lwn.net/Articles/590315/ -## https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706/35 +## http://forums.whonix.org/t/permission-hardening/8655/25 #/usr/lib/xorg/Xorg.wrap whitelist ###################################################################### -# SUID whitelist matches in any section of the path: matchwhitelist +# SUID regex match whitelist ###################################################################### -## Examples below are already configured: -#ssh-agent matchwhitelist -#/usr/lib/openssh matchwhitelist +###################################################################### +# SUID regex match whitelist +###################################################################### ###################################################################### # Permission Hardening ###################################################################### /home/ 0755 root root +/home/user/ 0700 user user /root/ 0700 root root /boot/ 0700 root root -/etc/permission-hardener.d 0600 root root -/usr/local/etc/permission-hardener.d 0600 root root -/usr/lib/modules/ 0700 root root -/usr/src 0700 root root -/etc/cups/cupsd.conf 0400 root root -/etc/syslog.conf 0600 root root -/etc/ssh/sshd_config 0600 root root -/etc/crontab 0600 root root -/etc/cron.d 0700 
root root -/etc/cron.daily 0700 root root -/etc/sudoers.d 0700 root root -/etc/cron.hourly 0700 root root -/etc/cron.weekly 0700 root root -/etc/cron.monthly 0700 root root -/etc/group 0644 root root -/etc/group- 0644 root root -/etc/hosts.allow 0644 root root -/etc/hosts.deny 0644 root root -/etc/issue 0644 root root -/etc/issue.net 0644 root root -/etc/motd 0644 root root -/etc/passwd 0644 root root -/etc/passwd- 0644 root root +/etc/permission-hardening.d 0600 root root +/usr/local/etc/permission-hardening.d 0600 root root +/lib/modules/ 0700 root root ###################################################################### -# SUID/SGID Removal: nosuid +# SUID/SGID Removal ###################################################################### -## To remove all SUID/SGID binaries in a directory, you can use the "nosuid" -## argument. -## ## Remove all SUID/SGID binaries/libraries. -/opt/ nosuid -/usr/bin/ nosuid -/usr/lib32/ nosuid -/usr/lib64/ nosuid -/usr/lib/ nosuid +/bin/ nosuid /usr/local/bin/ nosuid -/usr/local/lib32/ nosuid -/usr/local/lib64/ nosuid -/usr/local/lib/ nosuid -/usr/local/opt/ nosuid -/usr/local/sbin/ nosuid + +/usr/bin/ nosuid /usr/local/usr/bin/ nosuid -/usr/local/usr/lib32/ nosuid -/usr/local/usr/lib64/ nosuid -/usr/local/usr/lib/ nosuid -/usr/local/usr/sbin/ nosuid + +/sbin/ nosuid +/usr/local/sbin/ nosuid + /usr/sbin/ nosuid +/usr/local/usr/sbin/ nosuid + +/lib/ nosuid +/usr/local/lib/ nosuid + +/lib32/ nosuid +/usr/local/lib32/ nosuid + +/lib64/ nosuid +/usr/local/lib64/ nosuid + +/usr/lib/ nosuid +/usr/local/usr/lib/ nosuid + +/usr/lib32/ nosuid +/usr/local/usr/lib32/ nosuid + +/usr/lib64/ nosuid +/usr/local/usr/lib64/ nosuid + +## https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706/68 +/opt/ nosuid +/usr/local/opt/ nosuid ###################################################################### # Capability Removal 
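Review bot: The Permission Hardening list now carries `/home/user/ 0700 user user`, which hard-codes one account name and covers no other home directory. Either document that the line is specific to the default account or move it to a per-user mechanism. The same hunk removes every `/etc` entry from that list (`/etc/sudoers.d`, `/etc/ssh/sshd_config`, `/etc/crontab` and the `cron.*` directories among them) plus `/usr/src`, so those modes are no longer set by this file; the commit message should say whether that is intended. Smaller points: the "SUID exact match whitelist" and "SUID regex match whitelist" banners each appear twice, the second regex section is empty, and the forum link is changed to plain `http://`.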
@@ -117,7 +121,7 @@ ## Ping doesn't work with Tor anyway so its capabilities are removed to ## reduce attack surface. ## anon-apps-config does this. -#/usr/bin/ping 0744 root root none +#/bin/ping 0744 root root none ## TODO: research #/usr/lib/x86_64-linux-gnu/gstreamer1.0/grstreamer-1.0/gst-ptp-helper 0744 root root none diff --git a/etc/profile.d/30_security-misc.sh#security-misc-shared b/etc/profile.d/30_security-misc.sh#security-misc-shared deleted file mode 100755 index 39ee52b..0000000 --- a/etc/profile.d/30_security-misc.sh#security-misc-shared +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/sh - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -if [ -z "$XDG_CONFIG_DIRS" ]; then - XDG_CONFIG_DIRS="/etc:/etc/xdg:/usr/share" -fi -if ! printf '%s\n' "$XDG_CONFIG_DIRS" | grep -- "/usr/share/security-misc/" >/dev/null 2>/dev/null ; then - export XDG_CONFIG_DIRS="/usr/share/security-misc/:$XDG_CONFIG_DIRS" -fi diff --git a/etc/securetty.security-misc b/etc/securetty.security-misc new file mode 100644 index 0000000..ca0d81b --- /dev/null +++ b/etc/securetty.security-misc @@ -0,0 +1,2 @@ +# /etc/securetty: list of terminals on which root is allowed to login. +# See securetty(5) and login(1). diff --git a/etc/securetty.security-misc#security-misc-shared b/etc/securetty.security-misc#security-misc-shared deleted file mode 100644 index c98d20d..0000000 --- a/etc/securetty.security-misc#security-misc-shared +++ /dev/null @@ -1,5 +0,0 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -# /etc/securetty: list of terminals on which root is allowed to login. -# See securetty(5) and login(1). diff --git a/etc/security-misc/emerg-shutdown/30_security_misc.conf#security-misc-shared b/etc/security-misc/emerg-shutdown/30_security_misc.conf#security-misc-shared deleted file mode 100644 index e8b4b48..0000000 
--- a/etc/security-misc/emerg-shutdown/30_security_misc.conf#security-misc-shared +++ /dev/null 
@@ -1,34 +0,0 @@ -## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/security-misc/emerg-shutdown/50_user.conf" or -## "/usr/local/etc/security-misc/emerg-shutdown/50_user.conf" -## for your custom configuration, which will override the defaults found here. -## When Kicksecure is updated, this file may be overwritten. - -## Set the key combo for forcing immediate shutdown. See the "Keys and -## buttons" section of "/usr/include/linux/input-event-codes.h" for possibly -## supported values. Not all keys are supported. -## -## All specified keys must be depressed at the same time to trigger a -## shutdown. Use a comma (",") to separate keys. If you want to alias certain -## keys to each other from emerg-shutdown's standpoint, use a pipe -## character("|"). -## -## The default key sequence triggers a shutdown when Ctrl+Alt+Delete is -## pressed, allowing the use of either the left or right Ctrl and Alt keys. -EMERG_SHUTDOWN_KEYS="KEY_LEFTCTRL|KEY_RIGHTCTRL,KEY_LEFTALT|KEY_RIGHTALT,KEY_END" - -## Set the maximum number of seconds shutdown can take. If shutdown gets stuck -## for longer than this, the system will forcibly power down. -## -## NOTE: This requires ensure-shutdown.service and -## ensure-shutdown-trigger.service to be enabled, which is not done by -## default. Enabling ensure-shutdown.service will cause shutdown to always -## take at least as long as systemd's DefaultTimeoutStopSec (which by default -## is 90 seconds). If you are going to enable ensure-shutdown.service, it is -## highly recommended to set DefaultTimeoutStopSec to a much smaller value, -## such as 5 seconds. The maximum shutdown time set here should be at least 10 -## seconds *longer* than DefaultTimeoutStopSec, to give normal shutdown a -## chance to actually succeed before forcibly shutting down the system. -ENSURE_SHUTDOWN_TIMEOUT=30 
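Review bot: The comment above `EMERG_SHUTDOWN_KEYS` says the default sequence fires on Ctrl+Alt+Delete, but the value ends in `KEY_END`, not a Delete key code. If this configuration survives anywhere after the file is removed, make the comment and the value agree. The `ENSURE_SHUTDOWN_TIMEOUT=30` default also fits the accompanying advice (at least 10 seconds longer than DefaultTimeoutStopSec, stated default 90) only when DefaultTimeoutStopSec has been lowered as the note recommends; a sentence saying that the default assumes the lowered value would remove the ambiguity.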
diff --git a/etc/security/access-security-misc.conf#security-misc-shared b/etc/security/access-security-misc.conf similarity index 88% rename from etc/security/access-security-misc.conf#security-misc-shared rename to etc/security/access-security-misc.conf index d34325e..6b409a5 100644 --- a/etc/security/access-security-misc.conf#security-misc-shared +++ b/etc/security/access-security-misc.conf @@ -1,8 +1,8 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## To enable root login, see: -## https://www.kicksecure.com/wiki/Root#Root_Login +## https://www.whonix.org/wiki/Root#Root_Login ## Console Lockdown ## https://forums.whonix.org/t/etc-security-hardening/8592 @@ -33,7 +33,7 @@ +:(console):console tty1 tty2 tty3 tty4 tty5 tty6 tty7 pts/0 pts/1 pts/2 pts/3 pts/4 pts/5 pts/6 pts/7 pts/8 pts/9 hvc0 hvc1 hvc2 hvc3 hvc4 hvc5 hvc6 hvc7 hvc8 hvc9 ttyS0 ttyS1 ttyS2 ttyS3 ttyS4 ttyS5 ttyS6 ttyS7 ttyS8 ttyS9 ## Same as above also for members of group `sudo`. -## https://github.com/Kicksecure/security-misc/pull/74#issuecomment-607748407 +## https://github.com/Whonix/security-misc/pull/74#issuecomment-607748407 +:(sudo):console tty1 tty2 tty3 tty4 tty5 tty6 tty7 pts/0 pts/1 pts/2 pts/3 pts/4 pts/5 pts/6 pts/7 pts/8 pts/9 hvc0 hvc1 hvc2 hvc3 hvc4 hvc5 hvc6 hvc7 hvc8 hvc9 ttyS0 ttyS1 ttyS2 ttyS3 ttyS4 ttyS5 ttyS6 ttyS7 ttyS8 ttyS9 ## Everyone else except members of group 'console-unrestricted' diff --git a/etc/security/faillock.conf.security-misc#security-misc-shared b/etc/security/faillock.conf.security-misc similarity index 78% rename from etc/security/faillock.conf.security-misc#security-misc-shared rename to etc/security/faillock.conf.security-misc index 4b70cde..bb81754 100644 --- a/etc/security/faillock.conf.security-misc#security-misc-shared +++ b/etc/security/faillock.conf.security-misc 
@@ -1,12 +1,9 @@ -## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - # Configuration for locking the user after multiple failed # authentication attempts. # # The directory where the user files with the failure records are kept. # The default is /var/run/faillock. -dir = /var/lib/security-misc/faillock +# dir = /var/run/faillock # # Will log the user name into the system log if the user is not found. # Enabled if option is present. @@ -38,19 +35,14 @@ deny = 50 # authentication failures must happen for the user account # lock out is n seconds. # The default is 900 (15 minutes). -# security-misc note: the interval should be set to infinity if possible, -# however pam_faillock arbitrarily limits this variable to a maximum of 604800 -# seconds (7 days). See -# https://github.com/linux-pam/linux-pam/blob/539816e4a0a277dbb632412be91e482fff9d9d09/modules/pam_faillock/faillock_config.h#L59 -# for details. Therefore we set this to the maximum allowable value of 7 days. -fail_interval = 604800 +# fail_interval = 900 # # The access will be re-enabled after n seconds after the lock out. # The value 0 has the same meaning as value `never` - the access # will not be re-enabled without resetting the faillock # entries by the `faillock` command. # The default is 600 (10 minutes). -unlock_time = never +# unlock_time = 600 # # Root account can become locked as well as regular accounts. # Enabled if option is present. diff --git a/etc/security/limits.d/30_security-misc.conf b/etc/security/limits.d/30_security-misc.conf new file mode 100644 index 0000000..c3f5bbf --- /dev/null +++ b/etc/security/limits.d/30_security-misc.conf @@ -0,0 +1,5 @@ +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Disable coredumps. +* hard core 0 
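Review bot: `* hard core 0` in limits.d/30_security-misc.conf names only the hard limit, whereas the variant deleted in the next file section of this patch uses `* - core 0` and documents that `-` sets both hard and soft limits at the same time. Use `-` here as well, or add a comment on why the soft limit is left unstated, and keep the pointer to `man 5 limits.conf` that the deleted version has.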
diff --git a/etc/security/limits.d/30_security-misc.conf#security-misc-shared b/etc/security/limits.d/30_security-misc.conf#security-misc-shared deleted file mode 100644 index 632b873..0000000 --- a/etc/security/limits.d/30_security-misc.conf#security-misc-shared +++ /dev/null @@ -1,7 +0,0 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Disable core dumps. -## `-` in the second field sets both hard and soft limits at the same time. -## See `man 5 limits.conf`. -* - core 0 diff --git a/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml#security-misc-shared b/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml similarity index 90% rename from etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml#security-misc-shared rename to etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml index dd94349..391680d 100644 --- a/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml#security-misc-shared +++ b/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml @@ -1,6 +1,6 @@ - + diff --git a/etc/skel/.gnupg/gpg.conf#security-misc-shared b/etc/skel/.gnupg/gpg.conf similarity index 98% rename from etc/skel/.gnupg/gpg.conf#security-misc-shared rename to etc/skel/.gnupg/gpg.conf index f0ed5a4..f8004fe 100644 --- a/etc/skel/.gnupg/gpg.conf#security-misc-shared +++ b/etc/skel/.gnupg/gpg.conf 
@@ -282,13 +282,13 @@ display-charset utf-8 ################################################################## ################################################################## -## BEGIN Some suggestions from Debian https://keyring.debian.org/creating-key.html +## BEGIN Some suggestions from Debian http://keyring.debian.org/creating-key.html personal-digest-preferences SHA512 cert-digest-algo SHA512 default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed -## END Some suggestions from Debian https://keyring.debian.org/creating-key.html +## END Some suggestions from Debian http://keyring.debian.org/creating-key.html ################################################################## ################################################################## diff --git a/etc/ssh/ssh_config.d/30_security-misc.conf#security-misc-shared b/etc/ssh/ssh_config.d/30_security-misc.conf#security-misc-shared deleted file mode 100644 index b582dd1..0000000 --- a/etc/ssh/ssh_config.d/30_security-misc.conf#security-misc-shared +++ /dev/null 
@@ -1,22 +0,0 @@ -## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Don't edit this file, to overwrite any options, edit a file with a higher -## number that is read later by SSH, such as -## '/etc/ssh/ssh_config.d/50_user.conf'. If your configuration changes do not -## need to be system-wide, you may also consider placing overrides in -## ~/.ssh/config. - -## See also: -## https://www.kicksecure.com/wiki/SSH#Client_Configuration_File - -Host * - VisualHostKey yes - Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr - MACs umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com - KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org - ## To force the use of quantum-resistant key exchange algorithms, override - ## the above with - # KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256 - HostKeyAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519 - PubkeyAcceptedAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519 diff --git a/etc/ssh/sshd_config.d/30_security-misc.conf#security-misc-shared b/etc/ssh/sshd_config.d/30_security-misc.conf#security-misc-shared deleted file mode 100644 index 45496fd..0000000 --- a/etc/ssh/sshd_config.d/30_security-misc.conf#security-misc-shared +++ /dev/null 
@@ -1,78 +0,0 @@ -## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Don't edit this file, to overwrite any options, edit a file with a higher -## number that is read later by SSHD, such as -## '/etc/ssh/sshd_config.d/50_user.conf'. - -## See also: -## https://www.kicksecure.com/wiki/SSH#Server_Configuration_File - -## Number of allowed login attempts per connection. -MaxAuthTries 3 - -## Require strong ciphers and algorithms. -HostKey /etc/ssh/ssh_host_ed25519_key -HostKeyAlgorithms ssh-ed25519 -PubkeyAcceptedAlgorithms ssh-ed25519,sk-ssh-ed25519@openssh.com -Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com -MACs umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com -KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org -## To force the use of quantum-resistant key exchange algorithms, override the -## above with -# KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256 - -## Override with 'no' to fully deny root login, or leave this as -## 'prohibit-password' for denying root password login but still allowing -## other authentication methods such as public key. -PermitRootLogin prohibit-password - -## Public key authentication is transparent, non-interactive and more secure. -PasswordAuthentication no - -## Change to 'yes' to enable challenge-response passwords (beware issues with -## some PAM modules and threads) -KbdInteractiveAuthentication no - -## PAM can be used for account and session processing when using -## ChallengeResponseAuthentication or PasswordAuthentication. -## -## Depending on your PAM configuration, PAM authentication via -## ChallengeResponseAuthentication may bypass the setting of "PermitRootLogin -## without-password". 
-## -## If you want PAM account and session checks to run without PAM -## authentication, then enable this but set PasswordAuthentication and -## ChallengeResponseAuthentication to 'no'. -## -## The default upstream is 'no', Debian sets this to 'yes'. If using a locked -## account, read: -## https://www.kicksecure.com/wiki/SSH#SSH_Login_Comparison_Table -## We set it to 'yes' to work with libpam-tmpdir. -## https://www.kicksecure.com/wiki/Dev/Strong_Linux_User_Account_Isolation#libpam-tmpdir -## Also folders such as '/run/user/1000' will exist thanks to PAM. -## The absence of that folder can lead to issues (such as with msgcollector). -UsePAM yes - -## Block dangerous forwarding. -AllowAgentForwarding no -AllowTcpForwarding no -X11Forwarding no - -## Hide unnecessary login banners. -PrintMotd no -#Banner /etc/issue.net -#Hiding Debian version from SSH banner (obscurity) -DebianBanner no - -## Some options are dangerous but may be required in certain circumstances. As -## an example, if forwarding is required, selectively allow it with a 'Match' -## block. Consider a new separate user named 'tunnel' which wants to forward -## its local port to be available on the server on port 443. Note that a -## tunnel user doesn't even require a TTY nor a shell, so don't forget to -## change the 'tunnel' shell to something that prevents login such as -## '/usr/sbin/nologin'. -#Match User tunnel -# AllowTcpForwarding yes -# PermitListen localhost:443 -# PermitTTY no diff --git a/etc/sudoers.d/pkexec-security-misc b/etc/sudoers.d/pkexec-security-misc new file mode 100644 index 0000000..d0d1d35 --- /dev/null +++ b/etc/sudoers.d/pkexec-security-misc 
@@ -0,0 +1,11 @@ +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## REVIEW: is it ok that users can find out the PATH setting of root? +#%sudo ALL=NOPASSWD: /usr/libexec/security-misc/echo-path + +## xfpm-power-backlight-helper demands environment variable PKEXEC_UID to be +## set. Would otherwise error out with the following error message: +## "This program must only be run through pkexec" +## REVIEW: Can bad things be done by spoofing PKEXEC_UID? +#Defaults:ALL env_keep += "PKEXEC_UID" diff --git a/etc/sudoers.d/security-misc b/etc/sudoers.d/security-misc new file mode 100644 index 0000000..1e4e16b --- /dev/null +++ b/etc/sudoers.d/security-misc @@ -0,0 +1,5 @@ +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +user ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops +%sudo ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops diff --git a/etc/sudoers.d/security-misc#security-misc-shared b/etc/sudoers.d/security-misc#security-misc-shared deleted file mode 100644 index 1fa2146..0000000 --- a/etc/sudoers.d/security-misc#security-misc-shared +++ /dev/null @@ -1,12 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Neither of these are needed. -#user ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops -#%sudo ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops - -## Use a more open umask when executing commands with sudo -## Can be overridden on a per-user basis using .[z]profile if desirable -## https://www.kicksecure.com/wiki/Dev/Strong_Linux_User_Account_Isolation#umask_hardening -Defaults umask_override -Defaults umask=0022 diff --git a/etc/sudoers.d/security-misc-desktop#security-misc-desktop b/etc/sudoers.d/security-misc-desktop#security-misc-desktop deleted file mode 100644 index cab7ca7..0000000 --- a/etc/sudoers.d/security-misc-desktop#security-misc-desktop +++ /dev/null 
@@ -1,6 +0,0 @@ -## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Don't attempt to determine the local machine's FQDN via DNS. This can leak -## the machine's hostname in cleartext to the configured DNS server. -Defaults !fqdn diff --git a/etc/sudoers.d/xfce-security-misc b/etc/sudoers.d/xfce-security-misc new file mode 100644 index 0000000..909a30a --- /dev/null +++ b/etc/sudoers.d/xfce-security-misc @@ -0,0 +1,19 @@ +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## https://forums.whonix.org/t/xfce4-power-manager-xfpm-power-backlight-helper-pkexec-lxsudo-popup/8764 +## /usr/share/polkit-1/actions/org.xfce.power.policy + +## Feel free to out comment this if you are not using xfce4-power-manager or XFCE. + +#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness [[\:digit\:]] +#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness [[\:digit\:]][[\:digit\:]] +#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness [[\:digit\:]][[\:digit\:]][[\:digit\:]] + +#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness-switch [[\:digit\:]] +#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness-switch [[\:digit\:]][[\:digit\:]] +#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness-switch [[\:digit\:]][[\:digit\:]][[\:digit\:]] + +## XXX: Should we allow this? +#%sudo ALL=NOPASSWD: /usr/sbin/xfce4-pm-helper --suspend +#%sudo ALL=NOPASSWD: /usr/sbin/xfce4-pm-helper --hibernate diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf new file mode 100644 index 0000000..6ee134a --- /dev/null +++ b/etc/sysctl.d/30_security-misc.conf 
@@ -0,0 +1,160 @@ +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Disables coredumps. This setting may be overwritten by systemd so this may not be useful. +## security-misc also disables coredumps in other ways. +kernel.core_pattern=|/bin/false + +## Restricts the kernel log to root only. +kernel.dmesg_restrict=1 + +## Don't allow writes to files that we don't own +## in world writable sticky directories, unless +## they are owned by the owner of the directory. +fs.protected_fifos=2 +fs.protected_regular=2 + +## Only allow symlinks to be followed when outside of +## a world-writable sticky directory, or when the owner +## of the symlink and follower match, or when the directory +## owner matches the symlink's owner. +## +## Prevent hardlinks from being created by users that do not +## have read/write access to the source file. +## +## These prevent many TOCTOU races. +fs.protected_symlinks=1 +fs.protected_hardlinks=1 + +## Hardens the BPF JIT compiler and restricts it to root. +kernel.unprivileged_bpf_disabled=1 +net.core.bpf_jit_harden=2 + +## Quote https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html +## +## kexec_load_disabled: +## +## A toggle indicating if the kexec_load syscall has been disabled. This value defaults to 0 (false: kexec_load enabled), but can be set to 1 (true: kexec_load disabled). Once true, kexec can no longer be used, and the toggle cannot be set back to false. This allows a kexec image to be loaded before disabling the syscall, allowing a system to set up (and later use) an image without it being altered. Generally used together with the "modules_disabled" sysctl. + +## Disables kexec which can be used to replace the running kernel. +kernel.kexec_load_disabled=1 + +## Hides kernel addresses in various files in /proc. +## Kernel addresses can be very useful in certain exploits. 
+## +## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak +kernel.kptr_restrict=2 + +## Improves ASLR effectiveness for mmap. +vm.mmap_rnd_bits=32 +vm.mmap_rnd_compat_bits=16 + +## Restricts the use of ptrace to root. This might break some programs running under WINE. +## A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running: +## +## sudo apt-get install libcap2-bin +## sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver +## sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader +kernel.yama.ptrace_scope=2 + +## Prevent setuid processes from creating coredumps. +fs.suid_dumpable=0 + + +#### meta start +#### project Kicksecure +#### category networking and security +#### description +## TCP/IP stack hardening + +## Protects against time-wait assassination. +## It drops RST packets for sockets in the time-wait state. +net.ipv4.tcp_rfc1337=1 + +## Disables ICMP redirect acceptance. +net.ipv4.conf.all.accept_redirects=0 +net.ipv4.conf.default.accept_redirects=0 +net.ipv4.conf.all.secure_redirects=0 +net.ipv4.conf.default.secure_redirects=0 +net.ipv6.conf.all.accept_redirects=0 +net.ipv6.conf.default.accept_redirects=0 + +## Disables ICMP redirect sending. +net.ipv4.conf.all.send_redirects=0 +net.ipv4.conf.default.send_redirects=0 +net.ipv6.conf.all.accept_redirects=0 +net.ipv6.conf.default.accept_redirects=0 + +## Ignores ICMP requests. +net.ipv4.icmp_echo_ignore_all=1 + +## Enables TCP syncookies. +net.ipv4.tcp_syncookies=1 + +## Disable source routing. +net.ipv4.conf.all.accept_source_route=0 +net.ipv4.conf.default.accept_source_route=0 +net.ipv6.conf.all.accept_source_route=0 +net.ipv6.conf.default.accept_source_route=0 + +## Enable reverse path filtering to prevent IP spoofing and +## mitigate vulnerabilities such as CVE-2019-14899. 
+## https://forums.whonix.org/t/enable-reverse-path-filtering/8594 +net.ipv4.conf.default.rp_filter=1 +net.ipv4.conf.all.rp_filter=1 + +#### meta end + + +## Disables SACK as it is commonly exploited and likely not needed. +## https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109 +#net.ipv4.tcp_sack=0 +#net.ipv4.tcp_dsack=0 +#net.ipv4.tcp_fack=0 + + +#### meta start +#### project Kicksecure +#### category networking and security +#### description +## disable IPv4 TCP Timestamps + +net.ipv4.tcp_timestamps=0 + +#### meta end + + +## Only allow the SysRq key to be used for shutdowns and the +## Secure Attention Key (SAK). +## +## https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079/ +kernel.sysrq=132 + +## Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent +## unprivileged attackers from loading vulnerable line disciplines +## with the TIOCSETD ioctl which has been used in exploits before +## such as https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html +## +## https://lkml.org/lkml/2019/4/15/890 +dev.tty.ldisc_autoload=0 + +## Restrict the userfaultfd() syscall to root as it can make heap sprays +## easier. +## +## https://duasynt.com/blog/linux-kernel-heap-spray +vm.unprivileged_userfaultfd=0 + +## Let the kernel only swap if it is absolutely necessary. +## Better not be set to zero: +## - https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/s-memory-tunables.html +## - https://en.wikipedia.org/wiki/Swappiness +vm.swappiness=1 + +## Disallow kernel profiling by users without CAP_SYS_ADMIN +## https://www.kernel.org/doc/Documentation/sysctl/kernel.txt +kernel.perf_event_paranoid=3 + +# Do not accept router advertisments +net.ipv6.conf.all.accept_ra=0 +net.ipv6.conf.default.accept_ra=0 + diff --git a/etc/sysctl.d/30_silent-kernel-printk.conf b/etc/sysctl.d/30_silent-kernel-printk.conf new file mode 100644 index 0000000..9a34d9a --- /dev/null +++ b/etc/sysctl.d/30_silent-kernel-printk.conf 
@@ -0,0 +1,6 @@ +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Prevent kernel info leaks in console during boot. +## https://phabricator.whonix.org/T950 +kernel.printk = 3 3 3 3 diff --git a/etc/systemd/system/rescue.service.d/override.conf#security-misc-shared b/etc/systemd/system/emergency.service.d/override.conf similarity index 61% rename from etc/systemd/system/rescue.service.d/override.conf#security-misc-shared rename to etc/systemd/system/emergency.service.d/override.conf index 42fefd4..b24186a 100644 --- a/etc/systemd/system/rescue.service.d/override.conf#security-misc-shared +++ b/etc/systemd/system/emergency.service.d/override.conf @@ -1,6 +1,3 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211 ## https://salsa.debian.org/ah/user-setup/commit/bc5ca2de85ec27845d0b46059cb7cc02bae7b44d diff --git a/etc/systemd/system/emergency.service.d/override.conf#security-misc-shared b/etc/systemd/system/rescue.service.d/override.conf similarity index 61% rename from etc/systemd/system/emergency.service.d/override.conf#security-misc-shared rename to etc/systemd/system/rescue.service.d/override.conf index 42fefd4..b24186a 100644 --- a/etc/systemd/system/emergency.service.d/override.conf#security-misc-shared +++ b/etc/systemd/system/rescue.service.d/override.conf @@ -1,6 +1,3 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211 ## https://salsa.debian.org/ah/user-setup/commit/bc5ca2de85ec27845d0b46059cb7cc02bae7b44d diff --git a/etc/thunderbird/pref/40_security-mic.js b/etc/thunderbird/pref/40_security-mic.js new file mode 100644 index 0000000..06276f6 --- /dev/null +++ b/etc/thunderbird/pref/40_security-mic.js 
@@ -0,0 +1,11 @@ +//#### Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +//#### See the file COPYING for copying conditions. + +//#### meta start +//#### project Whonix and Kicksecure +//#### category security and apps +//#### description https://forums.whonix.org/t/enable-network-idn-show-punycode-by-default-in-thunderbird-to-fix-url-not-showing-real-domain-name-homograph-attack-punycode/8415 +//#### meta end + +// https://forums.whonix.org/t/enable-network-idn-show-punycode-by-default-in-thunderbird-to-fix-url-not-showing-real-domain-name-homograph-attack-punycode/8415 +pref("network.IDN_show_punycode", true); diff --git a/etc/usbguard/IPCAccessControl.d/:qubes#security-misc-shared b/etc/usbguard/IPCAccessControl.d/:qubes#security-misc-shared deleted file mode 100644 index 1d7596d..0000000 --- a/etc/usbguard/IPCAccessControl.d/:qubes#security-misc-shared +++ /dev/null @@ -1 +0,0 @@ -Devices=listen,list,modify diff --git a/etc/usbguard/IPCAccessControl.d/:sudo#security-misc-shared b/etc/usbguard/IPCAccessControl.d/:sudo#security-misc-shared deleted file mode 100644 index 1d7596d..0000000 --- a/etc/usbguard/IPCAccessControl.d/:sudo#security-misc-shared +++ /dev/null @@ -1 +0,0 @@ -Devices=listen,list,modify diff --git a/etc/usbguard/rules.d/30_security-misc.conf#security-misc-shared b/etc/usbguard/rules.d/30_security-misc.conf#security-misc-shared deleted file mode 100644 index 7315d9d..0000000 --- a/etc/usbguard/rules.d/30_security-misc.conf#security-misc-shared +++ /dev/null 
@@ -1,76 +0,0 @@ -## We allow devices that were plugged in before the daemon starts. Everything -## is blocked as the default. Following rules apply on top of this. - -## First match wins. Therefore, reject rules should be on the top. -## Quote: -## https://usbguard.github.io/documentation/rule-language -## > the daemon scans the existing rules sequentially - -## Explicitly reject any interface that is not documented and/or defined by -## USB.org. -## Note: Most probably superfluous. -reject with-interface none-of { 00:*:* 01:*:* 02:*:* 03:*:* 05:*:* 06:*:* 07:*:* 08:*:* 09:*:* 0a:*:* 0b:*:* 0d:*:* 0e:*:* 0f:*:* 10:*:* 11:*:* 12:*:* 13:*:* 14:*:* 3c:*:* dc:*:* e0:*:* ef:*:* fe:*:* ff:*:* } - -## Explicitly reject any device with a mouse/keyboard interface in -## combination with some other interface. -## Mice and keyboards should likely never have non-HID interfaces provided -## alongside them. -reject with-interface all-of { 03:*:* 00:*:* } -reject with-interface all-of { 03:*:* 01:*:* } -reject with-interface all-of { 03:*:* 02:*:* } -reject with-interface all-of { 03:*:* 05:*:* } -reject with-interface all-of { 03:*:* 06:*:* } -reject with-interface all-of { 03:*:* 07:*:* } -reject with-interface all-of { 03:*:* 08:*:* } -reject with-interface all-of { 03:*:* 09:*:* } -reject with-interface all-of { 03:*:* 0a:*:* } -reject with-interface all-of { 03:*:* 0b:*:* } -reject with-interface all-of { 03:*:* 0d:*:* } -reject with-interface all-of { 03:*:* 0e:*:* } -reject with-interface all-of { 03:*:* 0f:*:* } -reject with-interface all-of { 03:*:* 10:*:* } -reject with-interface all-of { 03:*:* 11:*:* } -reject with-interface all-of { 03:*:* 12:*:* } -reject with-interface all-of { 03:*:* 13:*:* } -reject with-interface all-of { 03:*:* 14:*:* } -reject with-interface all-of { 03:*:* 3c:*:* } -reject with-interface all-of { 03:*:* dc:*:* } -reject with-interface all-of { 03:*:* e0:*:* } -reject with-interface all-of { 03:*:* ef:*:* } -reject with-interface all-of { 
03:*:* fe:*:* } -reject with-interface all-of { 03:*:* ff:*:* } - -## Explicitly reject any device with an RNDIS interface. RNDIS is believed to -## have protocol-level buffer overflow vulnerabilities that cannot be fixed. -reject with-interface one-of { ef:04:* } - -## Allow all mouses and keyboards, in a sense, so the user can conveniently -## change them without restrating the daemon. - -## Allow only one keyboard to be connected -allow with-interface equals { 03:01:01 } if !allowed-matches(with-interface equals { 03:01:01 }) -## Allow only one mouse to be connected -allow with-interface equals { 03:01:02 } if !allowed-matches(with-interface equals { 03:01:02 }) -## NOTE: Some HID devices will have an interface of 03:00:00 - these are HID -## devices that do not support a "boot interface". **These are blocked -## entirely.** It is very likely that this will cause issues with some mice -## and keyboards. Also note, all HID devices other than mice and keyboards -## will be blocked, **including touchscreens.** - -## Allow USB audio devices. The intended functionality of these devices is -## unlikely to be usable in a malicious capacity without having already -## compromised the machine. -allow with-interface equals { 01:*:* } - -## Allow USB video devices (i.e. webcams). Also tricky to use in a malicious -## manner without having already compromised the machine. -allow with-interface equals { 0e:*:* } - -## Allow USB mass storage, if and only if the USB device only has the mass -## storage interface and nothing extra. -## Suspicious interface combinations with mass storage are blocked. -allow with-interface equals { 08:*:* } - -## Allow USB hubs, these are likely safe and are required for Qubes OS USB -## passthrough to work. -allow with-interface equals { 09:*:* } diff --git a/etc/usbguard/usbguard-daemon.conf.security-misc#security-misc-shared b/etc/usbguard/usbguard-daemon.conf.security-misc#security-misc-shared deleted file mode 100644 index f2c1406..0000000 
--- a/etc/usbguard/usbguard-daemon.conf.security-misc#security-misc-shared +++ /dev/null 
@@ -1,218 +0,0 @@ -# -# Rule set file path. -# -# The USBGuard daemon will use this file to load the policy -# rule set from it and to write new rules received via the -# IPC interface. -# -# RuleFile=/path/to/rules.conf -# -RuleFile=/etc/usbguard/rules.conf - -# -# Rule set folder path. -# -# The USBGuard daemon will use this folder to load the policy -# rule set from it and to write new rules received via the -# IPC interface. Usually, we set the option to -# /etc/usbguard/rules.d/. The USBGuard daemon is supposed to -# behave like any other standard Linux daemon therefore it -# loads rule files in alphanumeric order. File names inside -# RuleFolder directory should start with a two-digit number -# prefix indicating the position, in which the rules are -# scanned by the daemon. -# -# RuleFolder=/path/to/rulesfolder/ -# -RuleFolder=/etc/usbguard/rules.d/ - - - -# -# Implicit policy target. -# -# How to treat devices that don't match any rule in the -# policy. One of: -# -# * allow - authorize the device -# * block - block the device -# * reject - remove the device -# -ImplicitPolicyTarget=block - -# -# Present device policy. -# -# How to treat devices that are already connected when the -# daemon starts. One of: -# -# * allow - authorize every present device -# * block - deauthorize every present device -# * reject - remove every present device -# * keep - just sync the internal state and leave it -# * apply-policy - evaluate the ruleset for every present -# device -# -# Overridden by Kicksecure to allow all devices that are connected at startup. -# -PresentDevicePolicy=allow - -# -# Present controller policy. -# -# How to treat USB controllers that are already connected -# when the daemon starts. 
One of: -# -# * allow - authorize every present device -# * block - deauthorize every present device -# * reject - remove every present device -# * keep - just sync the internal state and leave it -# * apply-policy - evaluate the ruleset for every present -# device -# -PresentControllerPolicy=keep - -# -# Inserted device policy. -# -# How to treat USB devices that are already connected -# *after* the daemon starts. One of: -# -# * block - deauthorize every present device -# * reject - remove every present device -# * apply-policy - evaluate the ruleset for every present -# device -# -InsertedDevicePolicy=apply-policy - -# -# Control which devices are authorized by default. -# -# The USBGuard daemon modifies some the default authorization state attributes -# of controller devices. This setting, enables you to define what value the -# default authorization is set to. -# -# * keep - do not change the authorization state -# * none - every new device starts out deauthorized -# * all - every new device starts out authorized -# * internal - internal devices start out authorized, external devices start -# out deauthorized (this requires the ACPI tables to properly -# label internal devices, and kernel support) -# -AuthorizedDefault=none - -# -# Restore controller device state. -# -# The USBGuard daemon modifies some attributes of controller -# devices like the default authorization state of new child device -# instances. Using this setting, you can control whether the -# daemon will try to restore the attribute values to the state -# before modification on shutdown. -# -# SECURITY CONSIDERATIONS: If set to true, the USB authorization -# policy could be bypassed by performing some sort of attack on the -# daemon (via a local exploit or via a USB device) to make it shutdown -# and restore to the operating-system default state (known to be permissive). 
-# -RestoreControllerDeviceState=false - -# -# Device manager backend -# -# Which device manager backend implementation to use. One of: -# -# * uevent - Netlink based implementation which uses sysfs to scan for present -# devices and an uevent netlink socket for receiving USB device -# related events. -# * umockdev - umockdev based device manager capable of simulating devices based -# on umockdev-record files. Useful for testing. -# -DeviceManagerBackend=uevent - -#!!! WARNING: It's good practice to set at least one of the !!! -#!!! two options below. If none of them are set, !!! -#!!! the daemon will accept IPC connections from !!! -#!!! anyone, thus allowing anyone to modify the !!! -#!!! rule set and (de)authorize USB devices. !!! - -# -# Users allowed to use the IPC interface. -# -# A space delimited list of usernames that the daemon will -# accept IPC connections from. -# -# IPCAllowedUsers=username1 username2 ... -# -IPCAllowedUsers=root - -# -# Groups allowed to use the IPC interface. -# -# A space delimited list of groupnames that the daemon will -# accept IPC connections from. -# -# IPCAllowedGroups=groupname1 groupname2 ... -# -IPCAllowedGroups=root plugdev - -# -# IPC access control definition files path. -# -# The files at this location will be interpreted by the USBGuard -# daemon as access control definition files for the IPC interface. -# The (base)name of a file should be in the form: -# -# [user][:] -# -# where user is either username or UID and group is either groupname or GID. -# IPC access control files should contain lines in the form: -# -#
=[privilege1][,privilege2] ... -# -# This way each file defines who is able to connect to the IPC -# bus and what privileges he has. Note that the IPC access control -# files need to have file permissions set to 0600. -# -IPCAccessControlFiles=/etc/usbguard/IPCAccessControl.d/ - -# -# Generate device specific rules including the "via-port" -# attribute. -# -# This option modifies the behavior of the allowDevice -# action. When instructed to generate a permanent rule, -# the action can generate a port specific rule. Because -# some systems have unstable port numbering, the generated -# rule might not match the device after rebooting the system. -# -# If set to false, the generated rule will still contain -# the "parent-hash" attribute which also defines an association -# to the parent device. See usbguard-rules.conf(5) for more -# details. -# -DeviceRulesWithPort=false - -# -# USBGuard Audit events log backend -# -# One of: -# -# * FileAudit - Log audit events into a file specified by -# AuditFilePath setting (see below) -# * LinuxAudit - Log audit events using the Linux Audit -# subsystem (using audit_log_user_message) -# -AuditBackend=FileAudit - -# -# USBGuard audit events log file path. -# -AuditFilePath=/var/log/usbguard/usbguard-audit.log - -# -# Hides personally identifiable information such as device serial numbers and -# hashes of descriptors (which include the serial number) from audit entries. -# -HidePII=false - diff --git a/lib/systemd/coredump.conf.d/30_security-misc.conf b/lib/systemd/coredump.conf.d/30_security-misc.conf new file mode 100644 index 0000000..519f838 --- /dev/null +++ b/lib/systemd/coredump.conf.d/30_security-misc.conf @@ -0,0 +1,2 @@ +[Coredump] +Storage=none diff --git a/lib/systemd/system-preset/50-security-misc.preset b/lib/systemd/system-preset/50-security-misc.preset new file mode 100644 index 0000000..2d83b83 --- /dev/null +++ b/lib/systemd/system-preset/50-security-misc.preset 
@@ -0,0 +1,14 @@ +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## https://forums.whonix.org/t/restrict-hardware-information-to-root-testers-wanted/8618 +disable hide-hardware-info.service + +## Disable for now until development finished / tested. +disable permission-hardening.service + +## Disable for now until development finished / tested. +disable remount-secure.service + +## Disable due to pkexec issues. +disable proc-hidepid.service diff --git a/usr/lib/systemd/system/haveged.service.d/30_security-misc.conf#security-misc-shared b/lib/systemd/system/haveged.service.d/30_security-misc.conf similarity index 69% rename from usr/lib/systemd/system/haveged.service.d/30_security-misc.conf#security-misc-shared rename to lib/systemd/system/haveged.service.d/30_security-misc.conf index 2981464..7193a02 100644 --- a/usr/lib/systemd/system/haveged.service.d/30_security-misc.conf#security-misc-shared +++ b/lib/systemd/system/haveged.service.d/30_security-misc.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2021 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. [Service] diff --git a/usr/lib/systemd/system/hide-hardware-info.service#security-misc-shared b/lib/systemd/system/hide-hardware-info.service similarity index 72% rename from usr/lib/systemd/system/hide-hardware-info.service#security-misc-shared rename to lib/systemd/system/hide-hardware-info.service index 659c3f5..edc0dc1 100644 --- a/usr/lib/systemd/system/hide-hardware-info.service#security-misc-shared +++ b/lib/systemd/system/hide-hardware-info.service 
@@ -1,10 +1,9 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. [Unit] Description=Hide hardware information to unprivileged users -Documentation=https://github.com/Kicksecure/security-misc - +Documentation=https://github.com/Whonix/security-misc DefaultDependencies=no Before=sysinit.target Requires=local-fs.target diff --git a/lib/systemd/system/permission-hardening.service b/lib/systemd/system/permission-hardening.service new file mode 100644 index 0000000..bbe7eca --- /dev/null +++ b/lib/systemd/system/permission-hardening.service @@ -0,0 +1,20 @@ +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +[Unit] +Description=SUID, SGID, Capability and File Permission Hardening +Documentation=https://github.com/Whonix/security-misc + +DefaultDependencies=no +Before=sysinit.target +Requires=local-fs.target +After=local-fs.target + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/libexec/security-misc/permission-hardening +RemainAfterExit=yes + +[Install] +WantedBy=sysinit.target diff --git a/usr/lib/systemd/system/proc-hidepid.service#security-misc-shared b/lib/systemd/system/proc-hidepid.service similarity index 55% rename from usr/lib/systemd/system/proc-hidepid.service#security-misc-shared rename to lib/systemd/system/proc-hidepid.service index d7ea4d9..3952c86 100644 --- a/usr/lib/systemd/system/proc-hidepid.service#security-misc-shared +++ b/lib/systemd/system/proc-hidepid.service @@ -1,10 +1,9 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. [Unit] Description=Mounts /proc with hidepid=2 -Documentation=https://github.com/Kicksecure/security-misc - +Documentation=https://github.com/Whonix/security-misc DefaultDependencies=no Before=sysinit.target Requires=local-fs.target 
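Review bot: In lib/systemd/coredump.conf.d/30_security-misc.conf, `Storage=none` on its own only stops cores from being stored; systemd-coredump still receives each dump and may log it, including a backtrace where possible. If the intent is that crash contents are not handled at all, add `ProcessSizeMax=0` under `[Coredump]`, which coredump.conf(5) gives as the combination that disables all coredump handling except for a log entry. The file also lacks the copyright/COPYING header that the new unit and preset files in this patch carry.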
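Review bot: In lib/systemd/system-preset/50-security-misc.preset, only the hide-hardware-info.service entry links to a discussion; the two "Disable for now until development finished / tested." entries and "Disable due to pkexec issues." carry no reference. Since all four services listed here end up disabled by default, add the issue or forum link to each comment so it is clear what has to be resolved before a `disable` line can be dropped.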
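Review bot: In the new lib/systemd/system/permission-hardening.service, `RemainAfterExit=yes` appears twice in `[Service]`, once after `Type=oneshot` and again after `ExecStart=`; drop the second one. `ExecStart=/usr/libexec/security-misc/permission-hardening` also has no matching entry in the `%files` list this patch adds to rpm_spec/security-misc.spec.in, so check that the RPM ships the script the unit runs.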
@@ -12,7 +11,7 @@ After=local-fs.target [Service] Type=oneshot -ExecStart=/bin/mount -o remount,nosuid,nodev,noexec,hidepid=2,gid=proc /proc +ExecStart=/bin/mount -o remount,nosuid,nodev,noexec,hidepid=2 /proc RemainAfterExit=yes [Install] diff --git a/lib/systemd/system/remount-secure.service b/lib/systemd/system/remount-secure.service new file mode 100644 index 0000000..518c5ef --- /dev/null +++ b/lib/systemd/system/remount-secure.service @@ -0,0 +1,22 @@ +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +[Unit] +Description=remount /home /tmp /dev/shm /run with nosuid,nodev (default) and noexec (opt-in) +Documentation=https://github.com/Whonix/security-misc + +DefaultDependencies=no +Before=sysinit.target +Requires=local-fs.target +After=local-fs.target + +After=qubes-sysinit.service + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/libexec/security-misc/remount-secure +RemainAfterExit=yes + +[Install] +WantedBy=sysinit.target diff --git a/usr/lib/systemd/system/remove-system-map.service#security-misc-shared b/lib/systemd/system/remove-system-map.service similarity index 70% rename from usr/lib/systemd/system/remove-system-map.service#security-misc-shared rename to lib/systemd/system/remove-system-map.service index 1e36d61..a0285b4 100644 --- a/usr/lib/systemd/system/remove-system-map.service#security-misc-shared +++ b/lib/systemd/system/remove-system-map.service @@ -1,10 +1,9 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. [Unit] Description=Removes the System.map files -Documentation=https://github.com/Kicksecure/security-misc - +Documentation=https://github.com/Whonix/security-misc DefaultDependencies=no Before=sysinit.target Requires=local-fs.target 
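Review bot: In lib/systemd/system/proc-hidepid.service, the changed `ExecStart=` line drops `gid=proc` from the remount options, so with `hidepid=2` no group is exempt and every non-root account, including service accounts that need to look up other users' processes, loses that visibility. The preset in this patch disables this unit "due to pkexec issues", which is the kind of breakage an exempt group can be used to work around; keep `gid=proc` or state in the unit why the exemption is removed.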
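Review bot: In the new lib/systemd/system/remount-secure.service, `RemainAfterExit=yes` is set twice in `[Service]`; remove the duplicate after `ExecStart=`. The `Description=` advertises noexec as "(opt-in)" but the unit gives no hint of how to opt in, so point to the switch or the documentation in a comment.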
diff --git a/lib/systemd/system/user@.service.d/sysfs.conf b/lib/systemd/system/user@.service.d/sysfs.conf new file mode 100644 index 0000000..e0cf3a7 --- /dev/null +++ b/lib/systemd/system/user@.service.d/sysfs.conf @@ -0,0 +1,2 @@ +[Service] +SupplementaryGroups=sysfs diff --git a/rpm_spec/security-misc.spec.in b/rpm_spec/security-misc.spec.in index b42625e..bdc4e61 100644 --- a/rpm_spec/security-misc.spec.in +++ b/rpm_spec/security-misc.spec.in @@ -3,8 +3,8 @@ Version: @VERSION@ Release: 1%{?dist} Summary: enhances misc security settings -License: AGPL-3+ -URL: https://github.com/Kicksecure/security-misc +License: GPL-3+-with-additional-terms-1 +URL: https://github.com/Whonix/security-misc Source0: %{name}-%{version}.tar.xz BuildRequires: dpkg-dev 
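Review bot: In lib/systemd/system/user@.service.d/sysfs.conf, `SupplementaryGroups=sysfs` is applied to every user manager unconditionally and without a comment, even though the preset in this patch leaves hide-hardware-info.service disabled. Every process started under user@.service inherits the group, and a missing `sysfs` group would stop the user manager from starting, so document what creates the group and why the drop-in is needed while the service is off.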
@@ -13,7 +13,50 @@ Requires: make BuildArch: noarch %description -See README. +The following settings are changed: + +deactivates previews in Dolphin; +deactivates previews in Nautilus; +deactivates thumbnails in Thunar; +deactivates TCP timestamps; +deactivates Netfilter's connection tracking helper; + +TCP time stamps (RFC 1323) allow for tracking clock +information with millisecond resolution. This may or may not allow an +attacker to learn information about the system clock at such +a resolution, depending on various issues such as network lag. +This information is available to anyone who monitors the network +somewhere between the attacked system and the destination server. +It may allow an attacker to find out how long a given +system has been running, and to distinguish several +systems running behind NAT and using the same IP address. It might +also allow one to look for clocks that match an expected value to find the +public IP used by a user. + +Hence, this package disables this feature by shipping the +/etc/sysctl.d/tcp_timestamps.conf configuration file. + +Note that TCP time stamps normally have some usefulness. They are +needed for: + +* the TCP protection against wrapped sequence numbers; however, to + trigger a wrap, one needs to send roughly 2^32 packets in one + minute: as said in RFC 1700, "The current recommended default + time to live (TTL) for the Internet Protocol (IP) [45,105] is 64". + So, this probably won't be a practical problem in the context + of Anonymity Distributions. + +* "Round-Trip Time Measurement", which is only useful when the user + manages to saturate their connection. When using Anonymity Distributions, + probably the limiting factor for transmission speed is rarely the capacity + of the user connection. + +Netfilter's connection tracking helper module increases kernel attack +surface by enabling superfluous functionality such as IRC parsing in +the kernel. (!) 
+ +Hence, this package disables this feature by shipping the +/etc/sysctl.d/nf_conntrack_helper.conf configuration file. %prep %setup -q @@ -29,9 +72,47 @@ make %{?_smp_mflags} %files %license debian/copyright -/etc/* -/lib/* -/usr/* +/etc/X11/Xsession.d/50panic_on_oops +/etc/X11/Xsession.d/50security-misc +/etc/apparmor.d/tunables/home.d/security-misc +/etc/apt/apt.conf.d/40sandbox +/etc/default/grub.d/40_enable_iommu.cfg +/etc/default/grub.d/40_kernel_hardening.cfg +/etc/login.defs.security-misc +/etc/modprobe.d/30_nf_conntrack_helper_disable.conf +/etc/modprobe.d/blacklist-dma.conf +/etc/modprobe.d/uncommon-network-protocols.conf +/etc/securetty.security-misc +/etc/security/limits.d/disable-coredumps.conf +/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml +/etc/sudoers.d/security-misc +/etc/sysctl.d/coredumps.conf +/etc/sysctl.d/dmesg_restrict.conf +/etc/sysctl.d/fs_protected.conf +/etc/sysctl.d/harden_bpf.conf +/etc/sysctl.d/kexec.conf +/etc/sysctl.d/kptr_restrict.conf +/etc/sysctl.d/mmap_aslr.conf +/etc/sysctl.d/ptrace_scope.conf +/etc/sysctl.d/suid_dumpable.conf +/etc/sysctl.d/sysrq.conf +/etc/sysctl.d/tcp_hardening.conf +/etc/sysctl.d/tcp_sack.conf +/etc/sysctl.d/tcp_timestamps.conf +/etc/systemd/system/emergency.service.d/override.conf +/etc/systemd/system/rescue.service.d/override.conf +/lib/systemd/coredump.conf.d/disable-coredumps.conf +/lib/systemd/system/proc-hidepid.service +/lib/systemd/system/remove-system-map.service +/usr/libexec/security-misc/apt-get-update +/usr/libexec/security-misc/apt-get-update-sanity-test +/usr/libexec/security-misc/panic-on-oops +/usr/libexec/security-misc/remove-system.map +/usr/share/glib-2.0/schemas/30_security-misc.gschema.override +/usr/share/lintian/overrides/security-misc +/usr/share/pam-configs/usergroups +/usr/share/pam-configs/wheel +/usr/share/security-misc/dolphinrc %changelog @CHANGELOG@ 
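Review bot: In the `%description` added to rpm_spec/security-misc.spec.in, the last paragraph says the conntrack helper is disabled "by shipping the /etc/sysctl.d/nf_conntrack_helper.conf configuration file", but the `%files` list in the same patch contains no such file and instead lists /etc/modprobe.d/30_nf_conntrack_helper_disable.conf. Update the description to name the file that is actually shipped. The stray "(!)" after "in the kernel." can go as well.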
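Review bot: In the `%files` section of rpm_spec/security-misc.spec.in, replacing the `/etc/*`, `/lib/*` and `/usr/*` globs with a fixed list leaves out files this same patch adds: lib/systemd/coredump.conf.d/30_security-misc.conf (the list names disable-coredumps.conf instead), lib/systemd/system-preset/50-security-misc.preset, the haveged drop-in, hide-hardware-info.service, permission-hardening.service, remount-secure.service and user@.service.d/sysfs.conf. Either keep the globs or bring the list in line with the tree; as written, the package build will either stop on the missing and unpackaged paths or produce an RPM without these hardening units.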
diff --git a/usr/bin/disabled-bluetooth-by-security-misc#security-misc-shared b/usr/bin/disabled-bluetooth-by-security-misc#security-misc-shared deleted file mode 100755 index d4ae866..0000000 --- a/usr/bin/disabled-bluetooth-by-security-misc#security-misc-shared +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. - -echo "$0: ALERT: This Bluetooth kernel module is disabled by package security-misc-shared by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 - -exit 1 diff --git a/usr/bin/disabled-cdrom-by-security-misc#security-misc-shared b/usr/bin/disabled-cdrom-by-security-misc#security-misc-shared deleted file mode 100755 index 7749d06..0000000 --- a/usr/bin/disabled-cdrom-by-security-misc#security-misc-shared +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. - -echo "$0: ALERT: This CD-ROM/DVD kernel module is disabled by package security-misc-shared by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 - -exit 1 diff --git a/usr/bin/disabled-cpumsr-by-security-misc#security-misc-shared b/usr/bin/disabled-cpumsr-by-security-misc#security-misc-shared deleted file mode 100755 index a6b0223..0000000 --- a/usr/bin/disabled-cpumsr-by-security-misc#security-misc-shared +++ /dev/null 
@@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. - -echo "$0: ALERT: This CPU MSR kernel module is disabled by package security-misc-shared by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 - -exit 1 diff --git a/usr/bin/disabled-filesys-by-security-misc#security-misc-shared b/usr/bin/disabled-filesys-by-security-misc#security-misc-shared deleted file mode 100755 index d37c52e..0000000 --- a/usr/bin/disabled-filesys-by-security-misc#security-misc-shared +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. - -echo "$0: ALERT: This file system kernel module is disabled by package security-misc-shared by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 - -exit 1 diff --git a/usr/bin/disabled-firewire-by-security-misc#security-misc-shared b/usr/bin/disabled-firewire-by-security-misc#security-misc-shared deleted file mode 100755 index 4511d90..0000000 --- a/usr/bin/disabled-firewire-by-security-misc#security-misc-shared +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. - -echo "$0: ALERT: This FireWire (IEEE 1394) kernel module is disabled by package security-misc-shared by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 - -exit 1 
diff --git a/usr/bin/disabled-framebuffer-by-security-misc#security-misc-shared b/usr/bin/disabled-framebuffer-by-security-misc#security-misc-shared deleted file mode 100755 index 0f6879c..0000000 --- a/usr/bin/disabled-framebuffer-by-security-misc#security-misc-shared +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. - -echo "$0: ALERT: This framebuffer (fbdev) kernel module is disabled by package security-misc-shared by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 - -exit 1 diff --git a/usr/bin/disabled-gps-by-security-misc#security-misc-shared b/usr/bin/disabled-gps-by-security-misc#security-misc-shared deleted file mode 100755 index 14131ad..0000000 --- a/usr/bin/disabled-gps-by-security-misc#security-misc-shared +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. - -echo "$0: ALERT: This Global Positioning System (GPS) kernel module is disabled by package security-misc-shared by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 - -exit 1 diff --git a/usr/bin/disabled-intelme-by-security-misc#security-misc-shared b/usr/bin/disabled-intelme-by-security-misc#security-misc-shared deleted file mode 100755 index 787e6a2..0000000 --- a/usr/bin/disabled-intelme-by-security-misc#security-misc-shared +++ /dev/null 
@@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. - -echo "$0: ALERT: This Intel Management Engine (ME) kernel module is disabled by package security-misc-shared by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 - -exit 1 diff --git a/usr/bin/disabled-intelpmt-by-security-misc#security-misc-shared b/usr/bin/disabled-intelpmt-by-security-misc#security-misc-shared deleted file mode 100755 index 6005482..0000000 --- a/usr/bin/disabled-intelpmt-by-security-misc#security-misc-shared +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. - -echo "$0: ALERT: This Intel Platform Monitoring Technology (PMT) Telemetry kernel module is disabled by package security-misc-shared by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 - -exit 1 diff --git a/usr/bin/disabled-miscellaneous-by-security-misc#security-misc-shared b/usr/bin/disabled-miscellaneous-by-security-misc#security-misc-shared deleted file mode 100755 index f5ddcb5..0000000 --- a/usr/bin/disabled-miscellaneous-by-security-misc#security-misc-shared +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. - -echo "$0: ALERT: This kernel module is disabled by package security-misc-shared by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 - -exit 1 
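Review bot: For the deleted usr/bin/disabled-*-by-security-misc helpers, each script's own message points at /etc/modprobe.d/30_security-misc_disable.conf as the place where the module is disabled, and that file is not touched in the part of the patch shown here. Confirm it no longer references these helpers once they are gone, so a blocked module load still fails with a clear message instead of a missing-command error.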
diff --git a/usr/bin/disabled-netfilesys-by-security-misc#security-misc-shared b/usr/bin/disabled-netfilesys-by-security-misc#security-misc-shared deleted file mode 100755 index 9b00de5..0000000 --- a/usr/bin/disabled-netfilesys-by-security-misc#security-misc-shared +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. - -echo "$0: ALERT: This network file system kernel module is disabled by package security-misc-shared by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 - -exit 1 diff --git a/usr/bin/disabled-network-by-security-misc#security-misc-shared b/usr/bin/disabled-network-by-security-misc#security-misc-shared deleted file mode 100755 index 02bdb6c..0000000 --- a/usr/bin/disabled-network-by-security-misc#security-misc-shared +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. - -echo "$0: ALERT: This network protocol kernel module is disabled by package security-misc-shared by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 - -exit 1 diff --git a/usr/bin/disabled-thunderbolt-by-security-misc#security-misc-shared b/usr/bin/disabled-thunderbolt-by-security-misc#security-misc-shared deleted file mode 100755 index 0939dc7..0000000 --- a/usr/bin/disabled-thunderbolt-by-security-misc#security-misc-shared +++ /dev/null 
@@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. - -echo "$0: ALERT: This Thunderbolt kernel module is disabled by package security-misc-shared by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 - -exit 1 diff --git a/usr/bin/permission-hardener#security-misc-shared b/usr/bin/permission-hardener#security-misc-shared deleted file mode 100755 index fe318b0..0000000 --- a/usr/bin/permission-hardener#security-misc-shared +++ /dev/null 
@@ -1,1026 +0,0 @@ -#!/bin/bash -# shellcheck disable=SC2076 - -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## https://forums.whonix.org/t/disable-suid-binaries/7706 -## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707 - -## dpkg-statoverride does not support end-of-options ("--"). - -## SC2076 is disabled because ShellCheck seems to think that any use of -## [[ ... =~ ... ]] is supposed to be a regex match. But [[ '...' =~ '...' ]] -## works very well for literal matching, and it is used that way extensively -## throughout this script. - -set -o errexit -o nounset -o pipefail - -## Constants -# shellcheck disable=SC2034 -log_level=notice -store_dir="/var/lib/permission-hardener-v2" -state_file="${store_dir}/existing_mode/statoverride" -dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode" -dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode" -delimiter="#permission-hardener-delimiter#" - -## Library imports -# shellcheck disable=SC1091 -source /usr/libexec/helper-scripts/safe_echo.sh -# shellcheck disable=SC1091 -source /usr/libexec/helper-scripts/log_run_die.sh - -## Functions -echo_wrapper_ignore() { - if [ "${1}" = 'verbose' ]; then - shift - log notice "Executing: $*" - elif [ "${1}" = 'silent' ]; then - shift - else - log error "Unrecognized command '${1}'! calling function name: '${FUNCNAME[1]}'" >&2 - return - fi - "$@" 2>/dev/null || true -} - -echo_wrapper_audit() { - local return_code - if [ "${1}" = 'verbose' ]; then - shift - log notice "Executing: $*" - elif [ "${1}" = 'silent' ]; then - shift - else - log error "Unrecognized command '${1}'! calling function name: '${FUNCNAME[1]}'" >&2 - return - fi - return_code=0 - "$@" || - { - return_code="$?" - exit_code=203 - log error "Command '$*' failed with exit code '${return_code}'! 
calling function name: '${FUNCNAME[1]}'" >&2 - } -} - -## Some tools may fail on newlines and even variable assignment to array may -## fail if a variable that will be assigned to an array element contains -## characters that are used as delimiters. -block_newlines() { - local newline_variable newline_value - newline_variable="${1:-}" - newline_value="${2:-}" - ## dpkg-statoverride: error: path may not contain newlines - if [[ "${newline_value}" != "${newline_value//$'\n'/NEWLINE}" ]]; then - log warn "Skipping ${newline_variable} that contains newlines: '${newline_value}'" >&2 - return 1 - fi -} - -output_stat() { - local file_name stat_output stat_output_newlined hardlink_count - declare -a arr - file_name="${1:-}" - - if [ -z "${file_name}" ]; then - log error "File name is empty. file_name: '${file_name}'" >&2 - return 1 - fi - - if ! block_newlines file "${file_name}"; then - existing_mode='' - existing_owner='' - existing_group='' - file_name_from_stat='' - return 0 - fi - - if [ ! -e "${file_name}" ]; then - log info "File does not exist. file_name: '${file_name}'" >&2 - existing_mode='' - existing_owner='' - existing_group='' - file_name_from_stat='' - return 0 - fi - - if ! stat_output="$(stat -L \ - --format="%a${delimiter}%U${delimiter}%G${delimiter}%n${delimiter}%h${delimiter}" \ - -- "${file_name}")"; then - log error "Failed to run 'stat' on file: '${file_name}'!" >&2 - return 1 - fi - - if [ -z "$stat_output" ]; then - log error "stat_output is empty. -File name: '${file_name}' -Stat output: '${stat_output}' -stat_output_newlined: '${stat_output_newlined}' -line: '${processed_config_line}' -" >&2 - return 1 - fi - - stat_output_newlined="$(printf '%s\n' "${stat_output//${delimiter}/$'\n'}")" - - if [ -z "${stat_output_newlined}" ]; then - log error "stat_output_newlined is empty. 
-File name: '${file_name}' -Stat output: '${stat_output}' -stat_output_newlined: '${stat_output_newlined}' -line: '${processed_config_line}' -" >&2 - return 1 - fi - - readarray -t arr <<< "${stat_output_newlined}" - - if [ "${#arr[@]}" = '0' ]; then - log error "Array length is 0. -File name: '${file_name}' -Stat output: '${stat_output}' -stat_output_newlined: '${stat_output_newlined}' -line: '${processed_config_line}' -" >&2 - return 1 - fi - - existing_mode="${arr[0]}" - existing_owner="${arr[1]}" - existing_group="${arr[2]}" - file_name_from_stat="${arr[3]}" - hardlink_count="${arr[4]}" - - if [ "$file_name" != "$file_name_from_stat" ]; then - log error "\ -File name is different from file name received from stat: -File name: '${file_name}' -File name from stat: '${file_name_from_stat}' -line: '${processed_config_line}' -" >&2 - return 1 - fi - - ## We can't handle files with hardlinks because figuring out all of the files - ## in a "hardlink pool" requires scanning the whole filesystem, which would - ## result in an unacceptable performance hit for this script. We don't check - ## directory hardlinks since directories can't have traditional hardlinks. - if [ ! -d "${file_name_from_stat}" ]; then - if (( hardlink_count > 1 )); then - log error "\ -File has unexpected hardlinks, cannot handle. -File name: '${file_name}' -File name from stat: '${file_name_from_stat}' -line: '${processed_config_line}' -" >&2 - return 1 - fi - fi - - if [ -z "${existing_mode}" ]; then - log error "Existing mode is empty. Stat output: '${stat_output}', line: '${processed_config_line}'" >&2 - return 1 - fi - if [ -z "${existing_owner}" ]; then - log error "Existing owner is empty. Stat output: '${stat_output}', line: '${processed_config_line}'" >&2 - return 1 - fi - if [ -z "${existing_group}" ]; then - log error "Existing group is empty. 
Stat output: '${stat_output}', line: '${processed_config_line}'" >&2 - return 1 - fi - - ## If a symlink was passed as input, return the original file's path rather - ## than the symlink to avoid problems stemming from using the wrong path - if [ -h "${file_name_from_stat}" ]; then - file_name_from_stat="$(realpath "${file_name_from_stat}")" - fi -} - -print_usage(){ - safe_echo "Usage: ${0##*/} enable - ${0##*/} disable [FILE|all] - ${0##*/} print-policy - ${0##*/} print-state - ${0##*/} print-policy-applied-state - ${0##*/} print-diagnostics - -Examples: - ${0##*/} enable - ${0##*/} disable all - ${0##*/} disable /usr/bin/newgrp" >&2 -} - -add_to_policy() { - local file_name file_mode file_owner file_group updated_entry policy_idx \ - file_capabilities - file_name="${1:-}" - file_mode="${2:-}" - file_owner="${3:-}" - file_group="${4:-}" - file_capabilities="${5:-}" - updated_entry=false - - if [ -z "${file_name}" ]; then - exit_code=207 - log error "Attempted to add a policy entry with an empty filename! 
file_mode='${file_mode}' file_onwer='${file_owner}' file_group='${file_group}' file_capabilities='${file_capabilities}'" >&2 - exit "${exit_code}" - fi - - if [ -h "${file_name}" ]; then - file_name="$(realpath "${file_name}")" || return 1 - fi - - for (( policy_idx=0; policy_idx < ${#policy_file_list[@]}; policy_idx++ )); do - if [ "${policy_file_list[policy_idx]}" = "${file_name}" ]; then - policy_mode_list[policy_idx]="${file_mode}" - policy_user_owner_list[policy_idx]="${file_owner}" - policy_group_owner_list[policy_idx]="${file_group}" - policy_capability_list[policy_idx]="${file_capabilities}" - updated_entry=true - break - fi - done - - if [ "${updated_entry}" != 'true' ]; then - policy_file_list+=( "${file_name}" ) - policy_mode_list+=( "${file_mode}" ) - policy_user_owner_list+=( "${file_owner}" ) - policy_group_owner_list+=( "${file_group}" ) - policy_capability_list+=( "${file_capabilities}" ) - fi -} - -check_nosuid_whitelist() { - local target_file match_white_list_entry - - target_file="${1:-}" - - ## Handle whitelists, if we're supposed to - [ "${whitelists_disable_all}" = 'true' ] && return 0 - - ## literal matching is intentional here - [[ " ${policy_disable_white_list[*]} " =~ " ${target_file} " ]] && return 0 - - ## literal matching is intentional here too - [[ " ${policy_exact_white_list[*]} " =~ " ${target_file} " ]] && return 1 - - for match_white_list_entry in "${policy_match_white_list[@]:-}"; do - if [[ "${target_file}" == *"${match_white_list_entry}"* ]]; then - return 1 - fi - done - - return 0 -} - -load_early_nosuid_policy() { - local target_file find_list_item - - target_file="${1:-}" - - # shellcheck disable=SC2185 - while IFS="" read -r -d "" find_list_item; do - check_nosuid_whitelist "${find_list_item}" || continue - - ## sets: - ## exiting_mode - ## existing_owner - ## existing_group - output_stat "${find_list_item}" - if [ -z "${file_name_from_stat}" ]; then - continue - fi - - ## -h file True if file is a symbolic link. 
- if [ -h "${find_list_item}" ]; then - ## https://forums.whonix.org/t/disable-suid-binaries/7706/14 - log info "Skip symlink: '${find_list_item}'" - continue - fi - - if [ -d "${find_list_item}" ]; then - log info "Skip directory: '${find_list_item}'" - continue - fi - - ## Remove suid / gid and execute permission for 'group' and 'others'. - ## Similar to: chmod og-ugx /path/to/filename - ## Removing execution permission is useful to make binaries such as 'su' - ## fail closed rather than fail open if suid was removed from these. - ## Do not remove read access since no security benefit and easier to - ## manually undo for users. - ## Are there suid or sgid binaries which are still useful if suid / sgid - ## has been removed from these? - local new_mode - new_mode='744' - - add_to_policy "${file_name_from_stat}" "${new_mode}" "${existing_owner}" \ - "${existing_group}" - done < <(safe_echo_nonewline "${target_file}" \ - | find -files0-from - -perm /u=s,g=s -print0) -} - -## If the "target file" matches the start of the state file name, that's a -## likely match. This is used by load_late_nosuid_policy for detecting info -## about files that need SUID-locked that are in the state. -match_dir() { - local base_str match_str base_arr match_arr base_idx - - base_str="${1}" - match_str="${2}" - if [ -z "${base_str}" ] || [ -z "${match_str}" ]; then - exit_code=207 - log error "Empty base_str or match_str provided to match_dir! 
base_str: '${base_str}' match_str: '${match_str}'" >&2 - exit "${exit_code}" - fi - [[ "${base_str}" =~ '//' ]] && return 1 - [[ "${match_str}" =~ '//' ]] && return 1 - - IFS='/' read -r -a base_arr <<< "${base_str}" - IFS='/' read -r -a match_arr <<< "${match_str}" - (( ${#base_arr[@]} > ${#match_arr[@]} )) && return 1 - - for (( base_idx=0; base_idx < ${#base_arr[@]}; base_idx++ )); do - if [ "${base_arr[base_idx]}" != "${match_arr[base_idx]}" ]; then - return 1 - fi - done - - return 0 -} - -load_late_nosuid_policy() { - local target_file state_idx state_file_item state_user_owner_item \ - state_group_owner_item new_mode - - target_file="${1:-}" - for (( state_idx=0; state_idx < ${#state_file_list[@]}; state_idx++ )); do - state_file_item="${state_file_list[state_idx]}" - check_nosuid_whitelist "${state_file_item}" || continue - - match_dir "${target_file}" "${state_file_item}" || continue - - if [ -h "${state_file_item}" ]; then - ## https://forums.whonix.org/t/disable-suid-binaries/7706/14 - log info "Skip symlink: '${state_file_item}'" - continue - fi - - if [ -d "${state_file_item}" ]; then - log info "Skip directory: '${state_file_item}'" - continue - fi - - state_user_owner_item="${state_user_owner_list[state_idx]}" - state_group_owner_item="${state_group_owner_list[state_idx]}" - new_mode='744' - add_to_policy "${state_file_item}" "${new_mode}" \ - "${state_user_owner_item}" "${state_group_owner_item}" - done -} - -load_state_without_policy() { - local line field_list - - ## Load the state file from disk - if [ -f "${state_file}" ]; then - while read -r line; do - read -r -a field_list <<< "${line}" - if (( ${#field_list[@]} != 4 )); then - log info \ - "Invalid number of fields in state file line: '${line}'. Skipping." 
- continue - fi - state_user_owner_list+=( "${field_list[0]}" ) - state_group_owner_list+=( "${field_list[1]}" ) - state_mode_list+=( "${field_list[2]}" ) - state_file_list+=( "${field_list[3]}" ) - done < "${state_file}" - fi -} - -load_state() { - ## Config format: - ## path options - ## where options is one of: - ## user_owner group_owner filemode [capability-setting] - ## [nosuid|exactwhitelist|matchwhitelist|disablewhitelist] - ## - ## Additionally, the special value 'whitelists_disable_all=true' is understood - ## to mean that all whitelisting should be ignored. - - local config_file line field_list policy_nosuid_file_item policy_file_item - - ## Load configuration, deferring whitelist handling until later - for config_file in \ - /usr/lib/permission-hardener.d/*.conf \ - /etc/permission-hardener.d/*.conf \ - /usr/local/etc/permission-hardener.d/*.conf \ - /etc/permission-hardening.d/*.conf \ - /usr/local/etc/permission-hardening.d/*.conf - do - if [ ! -f "${config_file}" ]; then - continue - fi - - while read -r line; do - if [ -z "${line}" ]; then - true 'DEBUG: line is empty. Skipping.' - continue - fi - - if [[ "${line}" =~ ^\s*# ]]; then - continue - fi - - if ! [[ "${line}" =~ ^[-0-9a-zA-Z._/[:space:]]*$ ]]; then - exit_code=200 - log error "Line contains invalid characters: '${line}'" >&2 - ## Safer to exit with error in this case. - ## https://forums.whonix.org/t/disable-suid-binaries/7706/59 - exit "${exit_code}" - fi - - if [ "${line}" = 'whitelists_disable_all=true' ]; then - whitelists_disable_all=true - log info "whitelists_disable_all=true" - continue - fi - - processed_config_line="${line}" - - IFS=' ' read -r -a field_list <<< "${line}" - - case "${#field_list[@]}" in - 2|4|5) true;; - *) - exit_code=200 - log error "Line contains an invalid number of fields: '${line}'" >&2 - exit "${exit_code}" - ;; - esac - - # Strip trailing slash if appropriate - field_list[0]="${field_list[0]%/}" - - case "${field_list[1]}" in - 'exactwhitelist') - [ ! 
-e "${field_list[0]}" ] && continue - policy_exact_white_list+=( "${field_list[0]}" ) - continue - ;; - 'matchwhitelist') - policy_match_white_list+=( "${field_list[0]}" ) - continue - ;; - 'disablewhitelist') - policy_disable_white_list+=( "${field_list[0]}" ) - continue - ;; - 'nosuid') - [ ! -e "${field_list[0]}" ] && continue - policy_nosuid_file_list+=( "${field_list[0]}" ) - ;; - *) - [ ! -e "${field_list[0]}" ] && continue - add_to_policy "${field_list[@]}" - ;; - esac - done < "${config_file}" - done - - ## We have to handle nosuid files at the end since the whitelist arrays need - ## built first. - for policy_nosuid_file_item in "${policy_nosuid_file_list[@]}"; do - load_early_nosuid_policy "${policy_nosuid_file_item}" - done - - load_state_without_policy - - ## Find any files in the policy that don't already have a matching file in - ## the state. Add those files to the state, and save them to the state file - ## as well. - for policy_file_item in "${policy_file_list[@]}"; do - if [[ " ${state_file_list[*]} " =~ " ${policy_file_item} " ]]; then - continue - fi - output_stat "${policy_file_item}" - if [ -z "${file_name_from_stat}" ]; then - continue - fi - state_file_list+=( "${file_name_from_stat}" ) - state_user_owner_list+=( "${existing_owner}" ) - state_group_owner_list+=( "${existing_group}" ) - state_mode_list+=( "${existing_mode}" ) - # shellcheck disable=SC2086 - echo_wrapper_audit silent dpkg-statoverride \ - ${dpkg_admindir_parameter_existing_mode} \ - --add "${existing_owner}" "${existing_group}" "${existing_mode}" \ - "${file_name_from_stat}" - done - - ## Fix up nosuid policies using state information - for policy_nosuid_file_item in "${policy_nosuid_file_list[@]}"; do - load_late_nosuid_policy "${policy_nosuid_file_item}" - done -} - -apply_policy() { - local policy_idx did_state_update state_idx - - ## Modify the in-memory state so that all items that the policy affects match - ## the policy. DO NOT save these changes to the state file! 
- for (( policy_idx=0; policy_idx < ${#policy_file_list[@]}; policy_idx++ )); do - did_state_update=false - for (( state_idx=0; state_idx < ${#state_file_list[@]}; state_idx++ )); do - if [ "${state_file_list[state_idx]}" = "${policy_file_list[policy_idx]}" ]; then - state_user_owner_list[state_idx]="${policy_user_owner_list[policy_idx]}" - state_group_owner_list[state_idx]="${policy_group_owner_list[policy_idx]}" - state_mode_list[state_idx]="${policy_mode_list[policy_idx]}" - did_state_update=true - break - fi - done - if [ "${did_state_update}" = 'false' ]; then - exit_code=206 - log error \ - "File exists in policy but not in state! File: '${policy_file_list[policy_idx]}'" - exit "${exit_code}" - fi - done -} - -commit_policy() { - local policy_idx state_idx state_file_item \ - state_user_owner_item state_group_owner_item \ - state_mode_item orig_main_statoverride_db orig_new_statoverride_db \ - policy_file_item policy_capability_item - - ## Check each file on the filesystem against the state, and update it if the - ## state does not match. Also ensure the consistency of the new_mode database - ## so that people can compare the original permissions of files with the new - ## permissions. - orig_main_statoverride_db="$(dpkg-statoverride --list)" || true - # shellcheck disable=SC2086 - orig_new_statoverride_db="$(dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --list)" || true - - for (( state_idx=0; state_idx < ${#state_file_list[@]}; state_idx++ )); do - state_file_item="${state_file_list[state_idx]}" - state_user_owner_item="${state_user_owner_list[state_idx]}" - state_group_owner_item="${state_group_owner_list[state_idx]}" - state_mode_item="${state_mode_list[state_idx]}" - - ## Get rid of leading zeros, stat doesn't output them due to how we use it. - ## Using BASH_REMATCH is faster than sed. We capture all leading zeros into - ## one group, and the rest of the string into a second group. The second - ## group is the string we want. 
BASH_REMATCH[0] is the entire string, - ## BASH_REMATCH[1] is the first match that we want to discard, and - ## BASH_REMATCH[2] is the desired second group. - if [[ "${state_mode_item}" =~ ^(0*)(.*) ]]; then - state_mode_item="${BASH_REMATCH[2]}" - else - exit_code=208 - log error "'Impossible' regex match failure in commit_policy! Regex: '^(0*)(.*)' String (state_mode_item): '${state_mode_item}'" >&2 - exit "${exit_code}" - fi - - output_stat "${state_file_item}" - if [ -z "${file_name_from_stat}" ]; then - continue - fi - - if [ "${existing_owner}" != "${state_user_owner_item}" ] \ - || [ "${existing_group}" != "${state_group_owner_item}" ] \ - || [ "${existing_mode}" != "${state_mode_item}" ]; then - if ! [[ "${passwd_file_contents}" =~ "${state_user_owner_item}:" ]]; then - log error "Owner from config does not exist: '${state_user_owner_item}'" >&2 - continue - fi - - if ! [[ "${group_file_contents}" =~ "${state_group_owner_item}:" ]]; then - log error "Group from config does not exist: '${state_group_owner_item}'" >&2 - continue - fi - ## Remove and reapply in main list - if [[ "${orig_main_statoverride_db}" =~ "${file_name_from_stat}" ]]; then - echo_wrapper_ignore silent dpkg-statoverride --remove \ - "${file_name_from_stat}" - fi - echo_wrapper_audit verbose dpkg-statoverride --add --update \ - "${state_user_owner_item}" "${state_group_owner_item}" \ - "${state_mode_item}" "${file_name_from_stat}" - - ## Update item in secondary list - if [[ "${orig_new_statoverride_db}" =~ "${file_name_from_stat}" ]]; then - # shellcheck disable=SC2086 - echo_wrapper_ignore silent dpkg-statoverride \ - ${dpkg_admindir_parameter_new_mode} --remove \ - "${file_name_from_stat}" - fi - # shellcheck disable=SC2086 - echo_wrapper_audit verbose dpkg-statoverride \ - ${dpkg_admindir_parameter_new_mode} --add \ - "${state_user_owner_item}" "${state_group_owner_item}" \ - "${state_mode_item}" "${file_name_from_stat}" - fi - done - - ## Apply capability hardening, dpkg-statoverride 
can't handle this so we have - ## to do this manually - for (( policy_idx=0; policy_idx < ${#policy_file_list[@]}; policy_idx++ )); do - policy_file_item="${policy_file_list[policy_idx]}" - policy_capability_item="${policy_capability_list[policy_idx]}" - if [ -z "${policy_capability_item}" ]; then - continue - fi - - if [ "${policy_capability_item}" = 'none' ]; then - echo_wrapper_ignore verbose setcap -r "${policy_file_item}" - if [ -n "$(getcap -- "${policy_file_item}")" ]; then - exit_code=205 - log error \ - "Removing capabilities failed. File: '${policy_file_item}'" >&2 - continue - fi - else - if ! capsh --print \ - | grep --fixed-strings -- "Bounding set" \ - | grep -- "${policy_capability_item}" >/dev/null; then - log error \ - "Capability from config does not exist: '${policy_capability_item}'" \ - >&2 - continue - fi - - ## feature request: dpkg-statoverride: support for capabilities - ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502580 - echo_wrapper_audit verbose setcap "${policy_capability_item}+ep" \ - -- "${policy_file_item}" - fi - done - - log notice "\ -To compare the current and previous permission modes, install 'meld' (or preferred diff tool) for comparison of file mode changes: - sudo apt install --no-install-recommends meld - meld ${store_dir}/existing_mode/statoverride ${store_dir}/new_mode/statoverride" -} - -undo_policy_for_file() { - local undo_file state_idx state_file_item did_undo \ - undo_all verbose orig_main_statoverride_db orig_new_statoverride_db \ - state_user_owner_item state_group_owner_item state_mode_item - - undo_file="${1}" - undo_all=false - verbose='--verbose' - if [ "${undo_file}" = 'all' ]; then - undo_all=true - verbose='' - fi - - if [ ! -f "${state_file}" ]; then - true 'DEBUG: State file does not exist, hardening was not applied before.' 
- return 0 - fi - - did_undo=false - - for (( state_idx=0; state_idx < ${#state_file_list[@]}; state_idx++ )); do - state_file_item="${state_file_list[state_idx]}" - if [ "${undo_all}" = 'true' ]; then - undo_file="${state_file_item}" - fi - - if [ "${state_file_item}" = "${undo_file}" ]; then - orig_main_statoverride_db="$(dpkg-statoverride --list)" || true - # shellcheck disable=SC2086 - orig_new_statoverride_db="$(dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --list)" || true - - if [[ "${orig_main_statoverride_db}" =~ "${undo_file}" ]]; then - echo_wrapper_ignore silent dpkg-statoverride --remove \ - "${undo_file}" - fi - - if [[ "${orig_new_statoverride_db}" =~ "${undo_file}" ]]; then - # shellcheck disable=SC2086 - echo_wrapper_ignore silent dpkg-statoverride \ - ${dpkg_admindir_parameter_new_mode} --remove \ - "${undo_file}" - fi - - if [ -e "${undo_file}" ]; then - state_user_owner_item="${state_user_owner_list[state_idx]}" - state_group_owner_item="${state_group_owner_list[state_idx]}" - state_mode_item="${state_mode_list[state_idx]}" - # shellcheck disable=SC2086 - chown ${verbose} -- "${state_user_owner_item}:${state_group_owner_item}" \ - "${undo_file}" || exit_code=202 - ## chmod needs to be run after chown since chown removes suid. - # shellcheck disable=SC2086 - chmod ${verbose} "${state_mode_item}" "${undo_file}" || exit_code=203 - else - log info "File does not exist: '${undo_file}'" - fi - did_undo=true - - if [ "${undo_all}" = 'false' ]; then - break - fi - fi - done - - if [ "${did_undo}" = 'false' ]; then - log notice "The specified file is not hardened, leaving unchanged. - - File '${undo_file}' has not been removed from SUID Disabler and Permission Hardener during this invocation. This is expected if no policy was ever applied to the file before. - - This program expects the full path to the file. 
Example: - $0 disable /usr/bin/newgrp # absolute path: works - $0 disable newgrp # relative path: does not work - - To remove all: - $0 disable all - - This change might not be permanent. For full instructions, see: - https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener - - To view list of changed by SUID Disabler and Permission Hardener: - https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#View_List_of_Permissions_Changed_by_SUID_Disabler_and_Permission_Hardener - - For re-enabling any specific SUID binary: - https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#Re-Enable_Specific_SUID_Binaries - - For completely disabling SUID Disabler and Permission Hardener: - https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#Disable_SUID_Disabler_and_Permission_Hardener" - fi -} - -print_columns() { - local format_str bogus_str - format_str='' - for bogus_str in "$@"; do - format_str="${format_str}%s\t" - done - format_str="${format_str}\n" - ## Using a dynamically generated format string on purpose. 
- # shellcheck disable=SC2059 - printf "${format_str}" "$@" -} - -print_policy() { - local policy_idx - - print_columns 'File' 'User' 'Group' 'Mode' 'Capabilities' - - for (( policy_idx=0; policy_idx < ${#policy_file_list[@]}; policy_idx++ )); do - print_columns \ - "${policy_file_list[policy_idx]}" \ - "${policy_user_owner_list[policy_idx]}" \ - "${policy_group_owner_list[policy_idx]}" \ - "${policy_mode_list[policy_idx]}" \ - "${policy_capability_list[policy_idx]}" - done -} - -print_state() { - local state_idx - - print_columns 'File' 'User' 'Group' 'Mode' - for (( state_idx=0; state_idx < ${#state_file_list[@]}; state_idx++ )); do - print_columns \ - "${state_file_list[state_idx]}" \ - "${state_user_owner_list[state_idx]}" \ - "${state_group_owner_list[state_idx]}" \ - "${state_mode_list[state_idx]}" - done -} - -print_raw_policy_config() { - local config_file - for config_file in \ - /usr/lib/permission-hardener.d/*.conf \ - /etc/permission-hardener.d/*.conf \ - /usr/local/etc/permission-hardener.d/*.conf \ - /etc/permission-hardening.d/*.conf \ - /usr/local/etc/permission-hardening.d/*.conf - do - if [ ! -f "${config_file}" ]; then - continue - fi - echo "*** begin ${config_file} ***" - cat "${config_file}" - echo "*** end ${config_file} ***" - done -} - -print_raw_state() { - local state_file - for state_file in "${store_dir}/existing_mode/statoverride" \ - "${store_dir}/new_mode/statoverride"; do - echo "*** begin ${state_file} ***" - if [ -f "${state_file}" ]; then - cat "${state_file}" - else - echo '(file does not exist)' - fi - echo "*** end ${state_file} ***" - done -} - -print_fs_audit() { - local state_idx state_file_item state_user_owner_item state_group_owner_item \ - state_mode_item - - echo 'Legend:' - echo '... - Warning about an unusual, but not necessarily wrong, condition' - echo '!!! 
- Warning about an unusual and definitely wrong condition' - echo '*** - File permission data, actual state on filesystem is consistent with policy' - echo '^^^ - File permission data, actual state on filesystem is inconsistent with policy' - echo 'vvv - File permissions specified by state, always shown after a ^^^ item' - echo - - for (( state_idx=0; state_idx < ${#state_file_list[@]}; state_idx++ )); do - state_file_item="${state_file_list[state_idx]}" - state_user_owner_item="${state_user_owner_list[state_idx]}" - state_group_owner_item="${state_group_owner_list[state_idx]}" - state_mode_item="${state_mode_list[state_idx]}" - - ## Get rid of leading zeros, stat doesn't output them due to how we use it. - ## Using BASH_REMATCH is faster than sed. We capture all leading zeros into - ## one group, and the rest of the string into a second group. The second - ## group is the string we want. BASH_REMATCH[0] is the entire string, - ## BASH_REMATCH[1] is the first match that we want to discard, and - ## BASH_REMATCH[2] is the desired second group. - if [[ "${state_mode_item}" =~ ^(0*)(.*) ]]; then - state_mode_item="${BASH_REMATCH[2]}" - else - exit_code=208 - log error "'Impossible' regex match failure in print_fs_audit! Regex: '^(0*)(.*)' String (state_mode_item): '${state_mode_item}'" >&2 - exit "${exit_code}" - fi - - output_stat "${state_file_item}" - if [ -z "${file_name_from_stat}" ]; then - echo "... '${state_file_item}' does not exist" - continue - fi - - if [ "${existing_owner}" != "${state_user_owner_item}" ] \ - || [ "${existing_group}" != "${state_group_owner_item}" ] \ - || [ "${existing_mode}" != "${state_mode_item}" ]; then - if ! [[ "${passwd_file_contents}" =~ "${state_user_owner_item}:" ]]; then - echo "!!! Owner from config does not exist: '${state_user_owner_item}'" - continue - fi - - if ! [[ "${group_file_contents}" =~ "${state_group_owner_item}:" ]]; then - echo "!!! 
Group from config does not exist: '${state_group_owner_item}'" - continue - fi - - echo "^^^ ${file_name_from_stat} ${existing_owner}:${existing_group} ${existing_mode}" - echo "vvv ${file_name_from_stat} ${state_user_owner_item}:${state_group_owner_item} ${state_mode_item}" - else - echo "*** ${file_name_from_stat} ${existing_owner}:${existing_group} ${existing_mode}" - fi - done -} - -reset_global_vars() { - ## Global variables - policy_file_list=() - policy_user_owner_list=() - policy_group_owner_list=() - policy_mode_list=() - policy_capability_list=() - policy_exact_white_list=() - policy_match_white_list=() - policy_disable_white_list=() - policy_nosuid_file_list=() - state_file_list=() - state_user_owner_list=() - state_group_owner_list=() - state_mode_list=() - whitelists_disable_all=false - existing_mode='' - existing_owner='' - existing_group='' - processed_config_line='' - file_name_from_stat='' - passwd_file_contents="$(getent passwd)" - group_file_contents="$(getent group)" - exit_code=0 -} - -reset_global_vars - -## Setup and sanity checking -if [ "$(id -u)" != '0' ]; then - log error "Not running as root, aborting." 
- exit 1 -fi - -mkdir --parents "${store_dir}/existing_mode" -mkdir --parents "${store_dir}/new_mode" - -echo_wrapper_audit silent which capsh getcap setcap stat find \ - dpkg-statoverride getent grep 1>/dev/null - -## Command parsing and execution -case "${1:-}" in - enable) - shift - load_state - apply_policy - commit_policy - ;; - disable) - shift - case "${1:-}" in - "") - print_usage - exit 1 - ;; - *) - load_state_without_policy - undo_policy_for_file "${1}" - ;; - esac - ;; - print-policy) - load_state - print_policy - ;; - print-state) - load_state - print_state - ;; - print-policy-applied-state) - load_state - apply_policy - print_state - ;; - print-diagnostics) - echo '=== BEGIN PERMISSION-HARDENER DIAGNOSTICS ===' - - echo '--- BEGIN State without policy ---' - load_state_without_policy - print_state - echo '--- END State without policy ---' - - reset_global_vars - - echo '--- BEGIN Policy without state ---' - load_state - print_policy - echo '--- END Policy without state ---' - - reset_global_vars - - echo '--- BEGIN Policy-applied-state ---' - load_state - apply_policy - print_state - echo '--- END Policy-applied state ---' - - reset_global_vars - - echo '--- BEGIN Master dpkg-statoverride database ---' - dpkg-statoverride --list - echo '--- END Master dpkg-statoverride database ---' - - echo '--- BEGIN Raw policy configuration ---' - print_raw_policy_config - echo '--- END Raw policy configuration ---' - - echo '--- BEGIN Raw state data ---' - print_raw_state - echo '--- END Raw state data ---' - - echo '--- BEGIN Filesystem state audit ---' - load_state - apply_policy - print_fs_audit - echo '--- END Filesystem state audit ---' - - echo '=== END PERMISSION-HARDENER DIAGNOSTICS ===' - ;; - -h|--help) - print_usage - exit 0 - ;; - *) - print_usage - exit 1 - ;; -esac - -## Exit -if test "${exit_code}" != "0"; then - log error "Exiting with non-zero exit code: '${exit_code}'" >&2 -fi - -exit "${exit_code}" 
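Review bot: nothing visible in this change reverts the overrides that `commit_policy` registered with `dpkg-statoverride --add --update`, and the `disable` case that could undo them through `undo_policy_for_file` is removed together with the rest of the script. On systems where `enable` already ran, the hardened modes and the state under `${store_dir}/existing_mode` and `${store_dir}/new_mode` would stay in place with no tool left to restore the original owner, group and mode. Suggest documenting the intended upgrade path, for example running `disable all` from a maintainer script before the file is removed, or stating explicitly that the overrides are meant to persist.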
diff --git a/usr/bin/pkexec.security-misc b/usr/bin/pkexec.security-misc new file mode 100755 index 0000000..d483f1c --- /dev/null +++ b/usr/bin/pkexec.security-misc 
@@ -0,0 +1,132 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with +## hidepid. +## * https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040 +## * https://forums.whonix.org/t/cannot-use-pkexec/8129 + +set -e + +my_real_path="$(realpath "$0")" || true +identifier="$my_real_path wrapper" +exec > >(systemd-cat --identifier="$identifier output by program:") 2>&1 + +log_to_journal() { + echo "$@" | systemd-cat --identifier="$identifier output by wrapper:" || true +} + +log_to_journal "$0 $@" +log_to_journal "DISPLAY: '$DISPLAY'" +my_pstree="$(pstree -p $$)" || true +log_to_journal "my_pstree: '$my_pstree'" + +## If hidepid is not in use, just use pkexec normally. +if ! mount | grep "/proc" | grep "hidepid=2" &>/dev/null ; then + pkexec.security-misc-orig "$@" + exit $? +fi + +switch_user=false + +original_args="$@" + +## Thanks to: +## http://mywiki.wooledge.org/BashFAQ/035 + +while : +do + case $1 in + ## Should show 'pkexec --version' or fail? + --version) + shift + pkexec.security-misc-orig "$original_args" + exit $? + ;; + ## Should show 'pkexec --help' or fail? + --help) + shift + pkexec.security-misc-orig "$original_args" + exit $? + ;; + ## Drop --disable-internal-agent as not needed and breaking both, + ## lxqt-sudo and sudo. + --disable-internal-agent) + shift + ;; + --user) + ## lxqt-sudo does not support "--user". + ## We should not make this wrapper run something as root which + ## is supposed to run under a different user. Try using + ## "sudo -A --user user --set-home" instead. 
+ user_pkexec_wrapper="$2" + if [ "$user_pkexec_wrapper" = "" ]; then + shift + else + shift 2 + fi + switch_user=true + maybe_switch_to_user="--user $user_pkexec_wrapper" + ;; + --) + shift + break + ;; + *) + break + ;; + esac +done + +## If there are input files (for example) that follow the options, they +## will remain in the "$@" positional parameters. + +if [ "$PKEXEC_UID" = "" ]; then + if [ ! "$user_pkexec_wrapper" = "" ]; then + PKEXEC_UID="$user_pkexec_wrapper" + elif [ ! "$SUDO_USER" = "" ]; then + PKEXEC_UID="$SUDO_USER" + else + PKEXEC_UID="$(whoami)" + fi +fi +export PKEXEC_UID + +if [[ "$@" = "" ]]; then + ## Call original pkexec in case there are no arguments. + pkexec.security-misc-orig $original_args + exit $? +fi + +exit_code=0 + +## lxqt-sudo does not check /etc/sudoers / /etc/sudoers.d exceptions. +## Therefore use 'sudo -l' to see if there is any already existing sudoers exception. +## Did not work. 'sudo -l' will always exit with exit code '0'. +# if sudo -l --non-interactive $maybe_switch_to_user --set-home PKEXEC_UID="$PKEXEC_UID" "$@" ; then +# log_to_journal "sudoers exception: yes" +# sudo --non-interactive $maybe_switch_to_user --set-home PKEXEC_UID="$PKEXEC_UID" "$@" || { exit_code=$? ; true; }; +# log_to_journal "sudo --user | exit_code: '$exit_code'" +# exit "$exit_code" +# fi +# +# log_to_journal "sudoers exception: no" + +if [ "$switch_user" = "true" ]; then + ## 'sudo --user user' clears environment variables such as PATH. + lxqt-sudo sudo $maybe_switch_to_user --set-home PKEXEC_UID="$PKEXEC_UID" "$@" || { exit_code=$? ; true; }; +else + ## set PATH same as root + ## This is required for gdebi. + ## REVIEW: is it ok that users can find out the PATH setting of root? + ## lxqt-sudo does not clear environment variable PATH. + PATH="$(sudo --non-interactive /usr/libexec/security-misc/echo-path)" + export PATH + lxqt-sudo "$@" || { exit_code=$? ; true; }; +fi + +log_to_journal "exit_code: '$exit_code'" + +exit "$exit_code" 
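Review bot: `original_args="$@"` flattens the argument list into a single string. The `--version` and `--help` branches then hand it to `pkexec.security-misc-orig "$original_args"` as one argument, and the no-argument fallback expands `$original_args` unquoted, so it is re-split on whitespace. Keep it as an array (`original_args=("$@")`) and expand it with `"${original_args[@]}"`. `maybe_switch_to_user` has the same problem: it is built from the caller-supplied `--user` value and expanded unquoted into the `sudo` command line, so an array would be safer there too. Separately, `PKEXEC_UID` is accepted unchanged when it is already set in the caller's environment and is otherwise filled with a user name (`$user_pkexec_wrapper`, `$SUDO_USER` or `whoami`), while pkexec itself sets it to the numeric uid of the invoking process. Programs that read it after elevation would see a caller-controlled or non-numeric value, and with `--user` it names the target user instead of the caller. Suggest always deriving it with `id -u` inside the wrapper. The `hidepid=2` test via `mount | grep "/proc" | grep "hidepid=2"` also matches any mount line that merely contains `/proc`; `findmnt --noheadings --output options /proc` would limit the check to the `/proc` mount itself.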
diff --git a/usr/bin/remount-secure#security-misc-shared b/usr/bin/remount-secure#security-misc-shared deleted file mode 100755 index 957ad46..0000000 --- a/usr/bin/remount-secure#security-misc-shared +++ /dev/null 
@@ -1,388 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## features: -## - nodev,nosuid where appropriate -## - optional noexec for most except /home -## - optional noexec for all including /home -## - idempotent (script can be safely re-run) -## - can be run from: -## - systemd -## - dracut -## - manually from command line -## - can safely handle non-existing folders -## - error handling -## - log output: -## - shows each and every command executed -## - shows old mount options prior running remount-secure -## - shows new mount options after running remount-secure - -## noexec in /tmp and/or /home can break some malware but also legitimate -## applications. - -## https://www.kicksecure.com/wiki/Noexec -## https://www.kicksecure.com/wiki/Dev/remount-secure -## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707 - -#set -x -set -e -set -o pipefail -set -o nounset - -init() { - if test -o xtrace ; then - output_command=true - else - output_command=echo - fi - - $output_command "$0: INFO: START" - - ## dracut does not have id. Saving space in initial ramdisk. - if command -v id &>/dev/null ; then - if [ "$(id -u)" != "0" ]; then - $output_command "ERROR: must be run as root! sudo $0" - exit 1 - fi - fi - - mkdir --parents "/run/remount-secure" - exit_code=0 - - ## dracut sets NEWROOT=/sysroot - [[ -v NEWROOT ]] || NEWROOT="" - if [ "$NEWROOT" = "" ]; then - $output_command "INFO: dracut detected: no" - else - $output_command "INFO: dracut detected: yes - NEWROOT: '$NEWROOT'" - fi - - ## Debugging. - #echo "ls -la /root/" - #ls -la / || true - #echo "ls -la /sysroot/" - #ls -la /sysroot/ || true - #echo "env" - #env || true -} - -parse_options() { - ## Thanks to: - ## https://mywiki.wooledge.org/BashFAQ/035 - - while : - do - case ${1:-} in - 0) - $output_command "WARNING: Not using remount-secure." 
- exit 0 - shift - ;; - 1) - $output_command "INFO: level 1/3 (low)" - most_noexec_maybe="" - home_noexec_maybe="" - parsed=true - shift - ;; - 2) - $output_command "INFO: level 2/3 (medium)" - most_noexec_maybe=",noexec" - home_noexec_maybe="" - parsed=true - shift - ;; - 3) - $output_command "INFO: level 3/3 (high)" - most_noexec_maybe=",noexec" - home_noexec_maybe=",noexec" - parsed=true - shift - ;; - --force) - $output_command "INFO: --force" - option_force=true - shift - ;; - --) - shift - break - ;; - -*) - echo "ERROR: unknown option: $1" >&2 - exit 1 - ;; - *) - break - ;; - esac - done - - [[ -v option_force ]] || option_force="" - [[ -v parsed ]] || parsed=false - [[ -v home_noexec_maybe ]] || home_noexec_maybe="" - [[ -v most_noexec_maybe ]] || most_noexec_maybe="" - - $output_command "INFO: using nosuid,nodev: yes" - - if [ "$home_noexec_maybe" = "" ]; then - $output_command "INFO: using noexec for all: no" - else - $output_command "INFO: using noexec for all: yes" - return 0 - fi - - if [ "$most_noexec_maybe" = "" ]; then - $output_command "INFO: using noexec for most: no" - else - $output_command "INFO: using noexec for most (not all): yes" - return 0 - fi - - if [ "$parsed" = "true" ]; then - return 0 - fi - - $output_command "ERROR: syntax error. use either: -$0 0 -$0 1 -$0 2 -$0 3" - - exit 1 -} - -preparation() { - ## Debugging. - #$output_command "INFO: 'findmnt --list' output at the START." - #$output_command "$(findmnt --list)" - #$output_command "" - true -} - -remount_secure() { - $output_command "" - - ## ${FUNCNAME[1]} is the name of the calling function. I.e. the function - ## which called this function. 
- status_file_name="${FUNCNAME[1]}" - ## example status_file_name: - ## _home - status_file_full_path="/run/remount-secure/${status_file_name}" - ## example status_file_full_path: - ## /run/remount-secure/_home - - old_mount_options="$(findmnt --noheadings --output options -- "$mount_folder")" || true - ## example old_mount_options: - ## rw,nosuid,nodev,relatime,discard - - $output_command "INFO: '$mount_folder' old_mount_options: '$old_mount_options'" - - if printf '%s\n' "$old_mount_options" | grep "$intended_mount_options" >/dev/null 2>/dev/null ; then - $output_command "INFO: '$mount_folder' has already intended mount options. ('$intended_mount_options')" - return 0 - fi - - ## When this package is upgraded, the systemd unit will run again. - ## If the user meanwhile manually relaxed mount options, this should not be undone. - - if [ ! "$option_force" == "true" ]; then - if [ -e "$status_file_full_path" ]; then - $output_command "INFO: '$mount_folder' already remounted earlier. Not remounting again. Use --force if this is what you want." - return 0 - fi - fi - - if ! test -d "$mount_folder" ; then - ## For example /boot/efi does not always exist on all systems. - $output_command "INFO: '$mount_folder' folder exists: no" - return 0 - fi - $output_command "INFO: '$mount_folder' folder exists: yes" - - if findmnt --noheadings "$mount_folder" >/dev/null ; then - $output_command "INFO: '$mount_folder' already mounted, therefore using remount." - $output_command INFO: Executing: mount --make-private --options "remount,${intended_mount_options}" "$mount_folder" - mount --make-private --options "remount,${intended_mount_options}" "$mount_folder" || exit_code=100 - else - $output_command "INFO: '$mount_folder' not yet mounted, therefore using mount bind." 
- $output_command INFO: Executing: mount --make-private --options "$intended_mount_options" --bind "$mount_folder" "$mount_folder" - mount --make-private --options "$intended_mount_options" --bind "$mount_folder" "$mount_folder" || exit_code=101 - fi - - new_mount_options="$(findmnt --noheadings --output options -- "$mount_folder")" || true - $output_command "INFO: '$mount_folder' new_mount_options: '$new_mount_options'" - - touch "$status_file_full_path" -} - -_boot() { - mount_folder="$NEWROOT/boot" - ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html - intended_mount_options="nosuid,nodev,noexec" - remount_secure -} - -_boot_efi() { - ## TODO: new, test - mount_folder="$NEWROOT/boot/efi" - intended_mount_options="nosuid,nodev,noexec" - remount_secure -} - -_run() { - mount_folder="/run" - ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html - intended_mount_options="nosuid,nodev${most_noexec_maybe}" - remount_secure -} - -_dev() { - mount_folder="/dev" - ## /dev should be nosuid,noexec as per: - ## https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1991975 - intended_mount_options="nosuid,noexec" - remount_secure -} - -_dev_shm() { - mount_folder="/dev/shm" - intended_mount_options="nosuid,nodev${most_noexec_maybe}" - remount_secure -} - -_sys() { - ## TODO: new, test - mount_folder="/sys" - intended_mount_options="nosuid,nodev,noexec" - remount_secure -} - -_tmp() { - mount_folder="$NEWROOT/tmp" - intended_mount_options="nosuid,nodev${most_noexec_maybe}" - remount_secure -} - -_var_tmp() { - mount_folder="$NEWROOT/var/tmp" - intended_mount_options="nosuid,nodev${most_noexec_maybe}" - remount_secure -} - -_var_log() { - mount_folder="$NEWROOT/var/log" - intended_mount_options="nosuid,nodev,noexec" - remount_secure -} - -_var() { - mount_folder="$NEWROOT/var" - ## noexec: Not possible. Reason: - ## Debian stores executable maintainer scripts in /var/lib/dpkg/info folder. 
- intended_mount_options="nosuid,nodev" - remount_secure -} - -_usr() { - ## TODO: new, test - mount_folder="$NEWROOT/usr" - intended_mount_options="nodev" - remount_secure -} - -_home() { - mount_folder="$NEWROOT/home" - intended_mount_options="nosuid,nodev${home_noexec_maybe}" - remount_secure -} - -_root() { - ## TODO: new, test - mount_folder="$NEWROOT/root" - intended_mount_options="nosuid,nodev${home_noexec_maybe}" - remount_secure -} - -_srv() { - ## TODO: new, test - mount_folder="$NEWROOT/srv" - intended_mount_options="nosuid,nodev${most_noexec_maybe}" - remount_secure -} - -_media() { - ## TODO: new, test - mount_folder="$NEWROOT/media" - intended_mount_options="nosuid,nodev${most_noexec_maybe}" - remount_secure -} - -_mnt() { - ## TODO: new, test - mount_folder="$NEWROOT/mnt" - intended_mount_options="nosuid,nodev${most_noexec_maybe}" - remount_secure -} - -_opt() { - ## TODO: new, test - mount_folder="$NEWROOT/opt" - ## Allow /opt exec as usually optional binaries are placed there such as Firefox - ## when manually installed from tarball. - intended_mount_options="nosuid,nodev" - remount_secure -} - -_etc() { - ## TODO: new, test - ## /etc cannot be noexec because various executables are there. To find, run: - ## sudo find /etc -executable - mount_folder="$NEWROOT/etc" - intended_mount_options="nosuid,nodev" - remount_secure -} - -end() { - ## Debugging. - #$output_command "INFO: 'findmnt --list' output at the END." - #$output_command "$(findmnt --list)" - - $output_command "" - $output_command "INFO: exit_code: $exit_code" - $output_command "$0: INFO: END" - exit $exit_code -} - -main() { - init - parse_options "$@" - preparation - - _boot - _boot_efi - _run - _dev - _dev_shm - _tmp - _var_tmp - _var_log - _var - _usr - _home - _root - _srv - _media - _mnt - _opt - _etc - - end -} - -## TODO: see also hidepid /usr/lib/systemd/system/proc-hidepid.service -#mount --options defaults,nosuid,nodev,noexec,remount,subset=pid /proc - -main "$@" 
diff --git a/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf#security-misc-desktop b/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf#security-misc-desktop deleted file mode 100644 index 5bd1873..0000000 --- a/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf#security-misc-desktop +++ /dev/null @@ -1,13 +0,0 @@ -## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## MAC randomisation breaks root server and VirtualBox DHCP likely due to IPv6 Privacy Extensions. -## -## https://datatracker.ietf.org/doc/html/rfc4941 -## https://github.com/Kicksecure/security-misc/pull/145 -## https://github.com/Kicksecure/security-misc/issues/184 -## -## The use of IPv6 Privacy Extensions is currently disabled due to these breakages. - -#[connection] -#ipv6.ip6-privacy=2 diff --git a/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf#security-misc-desktop b/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf#security-misc-desktop deleted file mode 100644 index c664e9b..0000000 --- a/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf#security-misc-desktop +++ /dev/null @@ -1,17 +0,0 @@ -## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## MAC randomisation breaks root server and VirtualBox DHCP likely due to IPv6 Privacy Extensions. -## -## https://datatracker.ietf.org/doc/html/rfc4941 -## https://github.com/Kicksecure/security-misc/pull/145 -## https://github.com/Kicksecure/security-misc/issues/184 -## -## The use of IPv6 Privacy Extensions is currently disabled due to these breakages. - -#[device-mac-randomization] -#wifi.scan-rand-mac-address=yes - -#[connection-mac-randomization] -#ethernet.cloned-mac-address=random -#wifi.cloned-mac-address=random 
diff --git a/usr/lib/dracut/modules.d-disabled/20remount-secure/module-setup.sh#security-misc-shared b/usr/lib/dracut/modules.d-disabled/20remount-secure/module-setup.sh#security-misc-shared deleted file mode 100755 index 8917091..0000000 --- a/usr/lib/dracut/modules.d-disabled/20remount-secure/module-setup.sh#security-misc-shared +++ /dev/null @@ -1,44 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -# called by dracut -check() { - ## For debugging only. - ## Saving space in initial ramdisk. - #require_binaries id || return 1 - #require_binaries env || return 1 - - require_binaries findmnt || return 1 - require_binaries touch || return 1 - require_binaries grep || return 1 - require_binaries mount || return 1 - require_binaries remount-secure || return 1 - return 0 -} - -# called by dracut -depends() { - return 0 -} - -# called by dracut -install() { - ## For debugging only. - ## Saving space in initial ramdisk. - #inst_multiple id - #inst_multiple env - - inst_multiple findmnt - inst_multiple touch - inst_multiple grep - inst_multiple mount - inst_multiple remount-secure - inst_hook cleanup 90 "$moddir/remount-secure.sh" -} - -# called by dracut -installkernel() { - return 0 -} diff --git a/usr/lib/dracut/modules.d-disabled/20remount-secure/remount-secure.sh#security-misc-shared b/usr/lib/dracut/modules.d-disabled/20remount-secure/remount-secure.sh#security-misc-shared deleted file mode 100755 index 0e0a0c1..0000000 --- a/usr/lib/dracut/modules.d-disabled/20remount-secure/remount-secure.sh#security-misc-shared +++ /dev/null 
@@ -1,23 +0,0 @@ -#!/bin/sh - -## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## This script is intended to remount specified mount points with more secure -## options based on kernel command line parameters. - -remount_hook() { - local remountsecure_action - ## getarg returns the last parameter only. - ## If /proc/cmdline contains 'remountsecure=0 remountsecure=1' the last one wins. - remountsecure_action=$(getarg remountsecure) - - if ! remount-secure $remountsecure_action; then - warn "$0: ERROR: 'remount-secure $remountsecure_action' failed." - return 1 - fi - info "$0: INFO: 'remount-secure $remountsecure_action' success." - return 0 -} - -remount_hook diff --git a/usr/lib/dracut/modules.d/99emerg-shutdown/module-setup.sh#security-misc-shared b/usr/lib/dracut/modules.d/99emerg-shutdown/module-setup.sh#security-misc-shared deleted file mode 100755 index 98d6be9..0000000 --- a/usr/lib/dracut/modules.d/99emerg-shutdown/module-setup.sh#security-misc-shared +++ /dev/null 
@@ -1,48 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## called by dracut -check() { - require_binaries /run/emerg-shutdown || return 1 - return 255 -} - -## called by dracut -depends() { - echo 'systemd bash' - return 0 -} - -## called by dracut -install() { - local config_file - - inst systemd-notify - - inst_simple /usr/libexec/security-misc/emerg-shutdown - inst_simple /usr/share/security-misc/emerg-shutdown-initramfs.service /usr/lib/systemd/system/emerg-shutdown-initramfs.service - inst_simple /run/emerg-shutdown /emerg-shutdown - - for config_file in /etc/security-misc/emerg-shutdown/*.conf; do - if [ -f "${config_file}" ]; then - inst_multiple /etc/security-misc/emerg-shutdown/*.conf - break - fi - done - for config_file in /usr/local/etc/security-misc/emerg-shutdown/*.conf; do - if [ -f "${config_file}" ]; then - inst_multiple /usr/local/etc/security-misc/emerg-shutdown/*.conf - break - fi - done - - mkdir -p "${initdir}/usr/lib/systemd/system/initrd.target.wants" - ln -s '../emerg-shutdown-initramfs.service' "${initdir}/usr/lib/systemd/system/initrd.target.wants/emerg-shutdown-initramfs.service" -} - -## called by dracut -installkernel () { - hostonly='' instmods evdev -} diff --git a/usr/lib/issue.d/20_security-misc.issue#security-misc-shared b/usr/lib/issue.d/20_security-misc.issue#security-misc-shared deleted file mode 100644 index d03f39b..0000000 --- a/usr/lib/issue.d/20_security-misc.issue#security-misc-shared +++ /dev/null @@ -1,2 +0,0 @@ -By continuing, you acknowledge and give consent that the owner of this system has a right to keep a log of all activity. -Unauthorized access is strictly prohibited and may result in legal action. Do not proceed! 
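Review bot: install() in the deleted 99emerg-shutdown/module-setup.sh is the only visible place that wires /usr/libexec/security-misc/emerg-shutdown and emerg-shutdown-initramfs.service into the initramfs, so check that those two files and the /etc/security-misc/emerg-shutdown/*.conf handling are removed in the same change; otherwise they stay installed with nothing that pulls them in. An initramfs that was already built keeps the old module until it is regenerated, so the packaging should trigger a rebuild.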
diff --git a/usr/lib/modules-load.d/30_security-misc.conf#security-misc-shared b/usr/lib/modules-load.d/30_security-misc.conf similarity index 60% rename from usr/lib/modules-load.d/30_security-misc.conf#security-misc-shared rename to usr/lib/modules-load.d/30_security-misc.conf index 6ee13ca..32dfdf3 100644 --- a/usr/lib/modules-load.d/30_security-misc.conf#security-misc-shared +++ b/usr/lib/modules-load.d/30_security-misc.conf @@ -1,7 +1,7 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## https://www.kicksecure.com/wiki/Dev/Entropy +## https://www.whonix.org/wiki/Dev/Entropy ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927972 ## https://forums.whonix.org/t/jitterentropy-rngd/7204 jitterentropy_rng diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf#security-misc-shared b/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf#security-misc-shared deleted file mode 100644 index e45baa3..0000000 --- a/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf#security-misc-shared +++ /dev/null @@ -1,9 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc-shared is updated, this file may be -## overwritten. - -/usr/bin/bwrap exactwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf#security-misc-shared b/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf#security-misc-shared deleted file mode 100644 index 0c00e33..0000000 --- a/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf#security-misc-shared +++ /dev/null 
@@ -1,18 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc-shared is updated, this file may be -## overwritten. - -## Chrome/Chromium now uses namespace-based sandboxing rather than a SUID -## sandbox for most use cases, and while the SUID sandbox is still technically -## supported [1], it's also virtually unused [2]. Chromium still works fine -## when it is stripped of its SUID bit and rendered no longer executable, -## and opening `chrome://sandbox` while in this state shows that sandboxing is -## still working perfectly fine. -## -## [1] https://chromium.googlesource.com/chromium/src/+/0e94f26e8/docs/linux_sandboxing.md -## [2] https://chromium.googlesource.com/chromium/src/+/0e94f26e8/docs/linux_suid_sandbox.md -#chrome-sandbox matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf#security-misc-shared b/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf#security-misc-shared deleted file mode 100644 index 8d370cd..0000000 --- a/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf#security-misc-shared +++ /dev/null 
@@ -1,17 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc-shared is updated, this file may be -## overwritten. - -## Needed for D-Bus system activation to work. -## https://dbus.freedesktop.org/doc/system-activation.txt -## -## May be vital for desktop features to work normally. -## -## Appears to have been designed with security in mind and can only be called -## by root or a user in the `messagebus` group (which currently has one member, -## namely user `messagebus`). -dbus-daemon-launch-helper matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf#security-misc-shared b/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf#security-misc-shared deleted file mode 100644 index 7951791..0000000 --- a/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf#security-misc-shared +++ /dev/null @@ -1,12 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc-shared is updated, this file may be -## overwritten. - -## There is a controversy about firejail but those who choose to install it -## should be able to use it. -## https://www.kicksecure.com/wiki/Dev/Firejail#Security -/usr/bin/firejail exactwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf#security-misc-shared b/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf#security-misc-shared deleted file mode 100644 index 785df83..0000000 --- a/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf#security-misc-shared +++ /dev/null 
@@ -1,18 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc-shared is updated, this file may be -## overwritten. - -## Critical component of FUSE (Filesystem in USErspace) -## -## Used by things such as: -## - AppImages -## - such as electrum Bitcoin wallet -## - Docker -## If not SUID, unprivileged users will be unable to use FUSE any longer. -## -## https://forums.whonix.org/t/disable-suid-binaries/7706/57 -/fusermount matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf#security-misc-shared b/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf#security-misc-shared deleted file mode 100644 index 3d8eae3..0000000 --- a/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf#security-misc-shared +++ /dev/null @@ -1,10 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc-shared is updated, this file may be -## overwritten. - -libhardened_malloc.so matchwhitelist -libhardened_malloc-light.so matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf#security-misc-shared b/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf#security-misc-shared deleted file mode 100644 index d1955e2..0000000 --- a/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf#security-misc-shared +++ /dev/null 
@@ -1,18 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc-shared is updated, this file may be -## overwritten. - -## https://forums.whonix.org/t/disable-suid-binaries/7706/61 -## Protect from 'chmod -x' (and SUID removal). -## SUID will be removed below in separate step. -/usr/bin/mount exactwhitelist -/usr/bin/umount exactwhitelist - -## Remove SUID from 'mount' but keep executable. -## https://forums.whonix.org/t/disable-suid-binaries/7706/61 -/usr/bin/mount 755 root root -/usr/bin/umount 755 root root diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf#security-misc-shared b/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf#security-misc-shared deleted file mode 100644 index ffb136e..0000000 --- a/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf#security-misc-shared +++ /dev/null 
@@ -1,23 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc-shared is updated, this file may be -## overwritten. - -## Used by the pam_tmpdir module to create a secure temporary directory for the -## user that is logging in. -## https://manpages.ubuntu.com/manpages/oracular/man8/pam-tmpdir-helper.8.html -## Apparently specific to Debian, there isn't actually any Git repo with this -## code in it, it's just a "floating" package in the Debian archive. Written by -## the same person who maintains the package. Almost certainly cannot be -## disabled without causing serious problems, but may be worth auditing. -## (Worthy of note, it doesn't seem this program takes any user input, but -## relies solely on the calling user's UID and GID, though this could require -## further review.) -## -## Without this, LXQt fails to start with a dbus-launch error. -## -## TODO: audit pam-tmpdir-helper -pam-tmpdir-helper matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf#security-misc-shared b/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf#security-misc-shared deleted file mode 100644 index 4cd8d35..0000000 --- a/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf#security-misc-shared +++ /dev/null 
@@ -1,16 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc-shared is updated, this file may be -## overwritten. - -# Keep the `passwd` utility executable to prevent issues with the -# /usr/libexec/security-misc/pam-abort-on-locked-password script blocking -# user logins with `su` and KScreenLocker. exactwhitelist is needed to keep -# the nosuid rule on /usr/bin from fighting with these rules. -# -# See also: https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#passwd -/usr/bin/passwd exactwhitelist -/usr/bin/passwd 0755 root root diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf#security-misc-shared b/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf#security-misc-shared deleted file mode 100644 index e328564..0000000 --- a/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf#security-misc-shared +++ /dev/null 
@@ -1,28 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc-shared is updated, this file may be -## overwritten. - -## user-sysmaint-split hardens this further. -/usr/bin/pkexec exactwhitelist -/usr/bin/pkexec.security-misc-orig exactwhitelist - -## Required for PolicyKit (Polkit) to function. -## -## https://polkit-devel.freedesktop.narkive.com/zXO4yEg7/documentation-on-polkit-agent-helper-1-and-suid# -## https://gitlab.freedesktop.org/polkit/polkit/-/issues/168 -## https://cgit.freedesktop.org/polkit/tree/src/polkitagent/polkitagenthelper-pam.c#n93 -## -## Changing permissions here may break more than just normal privilege escalation. -## May be safe to disable for users other than sysmaint similar to what was done with pkexec and sudo, -## however even that might not be safe. -## -## matches both: -## - /usr/lib/policykit-1/polkit-agent-helper-1 -## - /lib/policykit-1/polkit-agent-helper-1 -## -## user-sysmaint-split hardens this further. -polkit-agent-helper-1 matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf#security-misc-shared b/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf#security-misc-shared deleted file mode 100644 index 64dd72b..0000000 --- a/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf#security-misc-shared +++ /dev/null @@ -1,11 +0,0 @@ -## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc-shared is updated, this file may be -## overwritten. - -## TODO: research and document -postqueue matchwhitelist -postdrop matchwhitelist 
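Review bot: in the usr/lib/modules-load.d/30_security-misc.conf rename hunk further up, the new side is older than the old side: the header goes from "2019 - 2025 ENCRYPTED SUPPORT LLC" to "2019 - 2021 ENCRYPTED SUPPORT LP" and the entropy link from kicksecure.com back to whonix.org. Confirm the diff direction is intended. If this is a deliberate revert or a comparison against an older tree, say so in the commit message; otherwise keep the current header and URL and limit the hunk to dropping the "#security-misc-shared" suffix from the file name.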
diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf#security-misc-shared b/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf#security-misc-shared deleted file mode 100644 index 1b65dfa..0000000 --- a/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf#security-misc-shared +++ /dev/null @@ -1,25 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc-shared is updated, this file may be -## overwritten. - -## TODO: research -## https://github.com/QubesOS/qubes-core-agent-linux/blob/master/qubes-rpc/qfile-unpacker.c -## -## Historic Qubes upstream security issue: -## qfile-unpacker allows unprivileged users in VMs to gain root privileges -## https://github.com/QubesOS/qubes-issues/issues/8633 -## -## matches both: -## - /usr/lib/qubes/qfile-unpacker whitelist -## - Not bit-for-bit identical to /usr/lib/qubes/qfile-unpacker. -## - Stripping SUID from this does *not* break file copying. -## - TODO: further research required on its purpose -## - /usr/bin/qfile-unpacker -## - Appears to be an integral part of file transfer between qubes, stripping -## SUID from this in an AppVM results in that AppVM being unable to receive -## files any longer. (It can still send files to other qubes though.) -qfile-unpacker matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf#security-misc-shared b/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf#security-misc-shared deleted file mode 100644 index 6f5c7f3..0000000 --- a/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf#security-misc-shared +++ /dev/null 
@@ -1,10 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc-shared is updated, this file may be -## overwritten. - -## TODO: research and document -/utempter/utempter matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf#security-misc-shared b/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf#security-misc-shared deleted file mode 100644 index 6569621..0000000 --- a/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf#security-misc-shared +++ /dev/null @@ -1,10 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc-shared is updated, this file may be -## overwritten. - -## TODO: research and document -spice-client-glib-usb-acl-helper matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf#security-misc-shared b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf#security-misc-shared deleted file mode 100644 index 6a987f3..0000000 --- a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf#security-misc-shared +++ /dev/null 
@@ -1,22 +0,0 @@ -## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc-shared is updated, this file may be -## overwritten. - -## Used for SSH client key management -## https://manpages.debian.org/ssh-agent -## Debian installs ssh-agent with setgid permissions (2755) and with -## _ssh as the group to help mitigate ptrace attacks that could extract -## private keys from the agent's memory. -ssh-agent matchwhitelist - -## Used only for SSH host-based authentication -## https://manpages.debian.org/ssh-keysign -## Needed to allow access to the machine's host key for use in the -## authentication process. This is a non-default method of authenticating to -## SSH, and is likely rarely used, thus this should be safe to disable. -#ssh-keysign matchwhitelist -#/usr/lib/openssh matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf#security-misc-shared b/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf#security-misc-shared deleted file mode 100644 index 84e7497..0000000 --- a/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf#security-misc-shared +++ /dev/null @@ -1,10 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc-shared is updated, this file may be -## overwritten. - -## user-sysmaint-split hardens this further. -/usr/bin/sudo exactwhitelist 
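Review bot: the 25_default_whitelist_*.conf deletions remove the exactwhitelist entries for /usr/bin/sudo, /usr/bin/pkexec, /usr/bin/passwd and /usr/bin/mount and the matchwhitelist entries for polkit-agent-helper-1, dbus-daemon-launch-helper and pam-tmpdir-helper, and the visible part of the patch does not show where these now live. If permission-hardener still runs after this change, the deleted comments themselves describe what is at stake: D-Bus system activation needs its helper, LXQt fails to start with a dbus-launch error without pam-tmpdir-helper, and the passwd entry exists to keep the pam-abort-on-locked-password script from blocking logins with su and KScreenLocker. Confirm that the whitelist ships in another file or that the hardener is removed in the same change, and carry the "TODO: research and document" items (postfix, spice, utempter) over to the new location.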
diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf#security-misc-shared b/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf#security-misc-shared deleted file mode 100644 index 0733fc9..0000000 --- a/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf#security-misc-shared +++ /dev/null @@ -1,11 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc-shared is updated, this file may be -## overwritten. - -## required for performing password validation from unprivileged user -## processes such as KScreenLocker's unlock prompt -/usr/sbin/unix_chkpwd exactwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf#security-misc-shared b/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf#security-misc-shared deleted file mode 100644 index 725e3ad..0000000 --- a/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf#security-misc-shared +++ /dev/null @@ -1,16 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc-shared is updated, this file may be -## overwritten. - -## TODO: research -/usr/lib/virtualbox/ matchwhitelist -VirtualBoxVM matchwhitelist -VBoxSDL matchwhitelist -VBoxNetNAT matchwhitelist -VBoxNetDHCP matchwhitelist -VBoxHeadless matchwhitelist -VBoxNetAdpCtl matchwhitelist diff --git a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf#security-misc-shared b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf#security-misc-shared deleted file mode 100644 index 0ef99da..0000000 
--- a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf#security-misc-shared +++ /dev/null @@ -1,26 +0,0 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Definitions: -## KSPP=yes: compliant with recommendations by the KSPP -## KSPP=partial: partially compliant with recommendations by the KSPP -## KSPP=no: not (currently) compliant with recommendations by the KSPP -## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. - -## NOTE: -## This configuration is in a dedicated file because the ram-wipe package -## requires kexec. However, ram-wipe cannot ship a config file -## /etc/sysctl.d/40_ram-wipe.conf that sets 'kernel.kexec_load_disabled=0'. -## Once systemd-sysctl.service has set 'kernel.kexec_load_disabled=1', -## it cannot be undone without a reboot. This is an upstream Linux security feature. -## Instead, ram-wipe will config-package-dev 'hide' this file. - -## Disables kexec, which can be used to replace the running kernel. -## Useful for live kernel patching without rebooting. -## -## https://en.wikipedia.org/wiki/Kexec -## -## KSPP=yes -## KSPP sets the sysctl and does not set CONFIG_KEXEC. -## -kernel.kexec_load_disabled=1 diff --git a/usr/lib/sysctl.d/30_security-misc_ptrace-disable.conf#security-misc-shared b/usr/lib/sysctl.d/30_security-misc_ptrace-disable.conf#security-misc-shared deleted file mode 100644 index 0baec08..0000000 --- a/usr/lib/sysctl.d/30_security-misc_ptrace-disable.conf#security-misc-shared +++ /dev/null 
@@ -1,24 +0,0 @@ -## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Definitions: -## KSPP=yes: compliant with recommendations by the KSPP -## KSPP=partial: partially compliant with recommendations by the KSPP -## KSPP=no: not (currently) compliant with recommendations by the KSPP -## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. - -## Disable the usage of the ptrace() system call by all processes. -## Restrict ptrace() as it enables programs to inspect and modify other active processes. -## Prevents native code debugging which some programs use as a method to detect tampering. -## May cause breakages in 'anti-cheat' software and programs running under Proton/WINE. -## -## https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html#ptrace-scope -## https://en.wikipedia.org/wiki/Ptrace -## https://grapheneos.org/features#attack-surface-reduction -## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928 -## https://github.com/netblue30/firejail/issues/2860 -## -## KSPP=yes -## KSPP sets the sysctl. -## -kernel.yama.ptrace_scope=3 diff --git a/usr/lib/sysctl.d/30_silent-kernel-printk.conf#security-misc-shared b/usr/lib/sysctl.d/30_silent-kernel-printk.conf#security-misc-shared deleted file mode 100644 index d8febf9..0000000 --- a/usr/lib/sysctl.d/30_silent-kernel-printk.conf#security-misc-shared +++ /dev/null 
@@ -1,20 +0,0 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Definitions: -## KSPP=yes: compliant with recommendations by the KSPP -## KSPP=partial: partially compliant with recommendations by the KSPP -## KSPP=no: not (currently) compliant with recommendations by the KSPP -## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. - -## Prevent kernel information leaks in the console during boot. -## Must be used in conjunction with kernel boot parameters. -## See /etc/default/grub.d/41_quiet_boot.cfg for implementation. -## -## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html -## -kernel.printk=3 3 3 3 - -## For increased log verbosity: -## A) Adjust (or comment out) the kernel parameters in /etc/default/grub.d/41_quiet_boot.cfg. Or, -## B) Alternatively, install the debug-misc package to undo these settings. diff --git a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared deleted file mode 100644 index 1f1ffab..0000000 --- a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared +++ /dev/null 
@@ -1,647 +0,0 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## NOTE: -## This file has a special name to ensure that /usr/lib/sysctl.d/99-protect-links.conf -## is parsed first, followed by /usr/lib/sysctl.d/990-security-misc.conf. -## https://github.com/Kicksecure/security-misc/pull/135 - -## Definitions: -## KSPP=yes: compliant with recommendations by the KSPP -## KSPP=partial: partially compliant with recommendations by the KSPP -## KSPP=no: not (currently) compliant with recommendations by the KSPP -## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. - -## This configuration file is divided into 5 sections: -## 1. Kernel Space -## 2. User Space -## 3. Core Dumps -## 4. Swap Space -## 5. Networking - -## For detailed explanations of most of the selected commands, refer to: -## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/abi.html -## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html -## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/fs.html -## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/net.html -## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/vm.html -## https://www.kernel.org/doc/html/latest//networking/ip-sysctl.html - -## 1. Kernel Space: -## -## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel -## https://kspp.github.io/Recommended_Settings#sysctls -## https://wiki.archlinux.org/title/Security#Kernel_hardening - -## Restrict kernel address visibility via /proc and other interfaces, regardless of user privileges. -## Kernel pointers expose specific locations in kernel memory. -## -## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak -## -## KSPP=yes -## KSPP sets the sysctl. -## -kernel.kptr_restrict=2 - -## Restrict access to the kernel log buffer to users with CAP_SYSLOG. 
-## Kernel logs often contain sensitive information such as kernel pointers. -## -## KSPP=yes -## KSPP sets the sysctl and CONFIG_SECURITY_DMESG_RESTRICT=y. -## -kernel.dmesg_restrict=1 - -## Prevent kernel information leaks in the console during boot. -## Must be used in conjunction with kernel boot parameters. -## See /etc/default/grub.d/41_quiet_boot.cfg for implementation. -## -## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html -## -## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation. -## -#kernel.printk=3 3 3 3 - -## Restrict eBPF access to CAP_BPF. -## Disables unprivileged calls to bpf() without recovery. -## -## https://en.wikipedia.org/wiki/EBPF#Security -## https://lwn.net/Articles/660331/ -## -## KSPP=yes -## KSPP sets the sysctl. -## -kernel.unprivileged_bpf_disabled=1 - -## Restrict loading TTY line disciplines to users with CAP_SYS_MODULE. -## Prevents unprivileged users from loading vulnerable line disciplines with the TIOCSETD ioctl. -## -## https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html -## https://lkml.org/lkml/2019/4/15/890 -## -## KSPP=yes -## KSPP sets the sysctl does not set CONFIG_LDISC_AUTOLOAD. -## -dev.tty.ldisc_autoload=0 - -## Restrict the userfaultfd() syscall to users with SYS_CAP_PTRACE. -## Reduces the likelihood of use-after-free exploits from heap sprays. -## -## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cefdca0a86be517bc390fc4541e3674b8e7803b0 -## https://duasynt.com/blog/linux-kernel-heap-spray -## -## KSPP=yes -## KSPP sets the sysctl. -## -vm.unprivileged_userfaultfd=0 - -## Disables kexec, which can be used to replace the running kernel. -## Useful for live kernel patching without rebooting. -## -## https://en.wikipedia.org/wiki/Kexec -## -## See /usr/lib/sysctl.d/30_security-misc_kexec-disable.conf for implementation. -## -## KSPP=yes -## KSPP sets the sysctl and does not set CONFIG_KEXEC. 
-## -#kernel.kexec_load_disabled=1 - -## Disable the SysRq key to prevent leakage of kernel information. -## The Secure Attention Key (SAK) can no longer be utilized. -## -## https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html -## https://www.kicksecure.com/wiki/SysRq -## https://github.com/xairy/unlockdown -## -## KSPP=yes -## KSPP sets the less strict CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176. -## -kernel.sysrq=0 - -## Disable user namespaces entirely. -## User namespaces aim to improve sandboxing and accessibility for unprivileged users. -## Disabling entirely will reduce compatibility with some AppArmor profiles. -## Disabling entirely is known to break the UPower systemd service. -## Not recommended due to well-known breakages across numerous software packages. -## -## https://lwn.net/Articles/673597/ -## https://madaidans-insecurities.github.io/linux.html#kernel -## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers -## https://github.com/NixOS/nixpkgs/pull/84522#issuecomment-614640601 -## https://github.com/Kicksecure/security-misc/pull/263 -## -## KSPP=no -## KSPP sets the sysctl. -## -#user.max_user_namespaces=0 - -## Restrict user namespaces to users with CAP_SYS_ADMIN. -## See the user.max_user_namespaces setting for more details. -## This is a Debian-specific kernel feature, not a Linux mainline setting. -## Unprivileged user namespaces pose substantial privilege escalation risks. -## Flatpak requires unprivileged users to create new user namespaces for sandboxing. -## Restricting is known to cause breakages in some AppImages and the Evolution Email Client. -## Not recommended due to widespread breakages across many software packages. 
-## -## https://salsa.debian.org/debian/bubblewrap/-/blob/debian/latest/debian/README.Debian -## https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction -## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements -## https://forums.kicksecure.com/t/can-not-run-flatpak-apps-after-kicksecure-update/592 -## https://forums.kicksecure.com/t/cannot-run-some-appimage-apps-after-kicksecure-upate/594 -## https://forums.kicksecure.com/t/impossible-to-start-evolution-app-since-the-last-update/601 -## https://github.com/Kicksecure/security-misc/issues/274 -## -#kernel.unprivileged_userns_clone=0 - -## Restricts kernel profiling to users with CAP_PERFMON. -## The performance events system should not be accessible by unprivileged users. -## Other distributions such as Ubuntu and Fedora may permit further restricting. -## -## https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html#unprivileged-users -## https://lore.kernel.org/kernel-hardening/1469630746-32279-1-git-send-email-jeffv@google.com/ -## -## KSPP=yes -## KSPP sets the sysctl. -## -kernel.perf_event_paranoid=3 - -## Force the kernel to immediately panic on "oopses" and kernel warnings in the WARN() path. -## Panics may be due to false-positives such as bad drivers. -## Both allowed limits are set to one so that panics occur on the single first instance of either scenario. -## Oopses are serious but non-fatal errors. -## Certain "oopses" can sometimes indicate and thwart potential kernel exploitation attempts. -## Warnings are messages generated by the kernel to indicate unexpected conditions or errors. -## By default, code execution continues regardless of warnings emitted by macros like WARN() and WARN_ON(). -## Note that by forcing kernel panics on oopses and warnings, this exposes the system to targeted denial-of-service attacks. 
-## -## https://en.wikipedia.org/wiki/Kernel_panic#Linux -## https://en.wikipedia.org/wiki/Linux_kernel_oops -## https://lwn.net/Articles/876209/ -## https://git.sr.ht/~gregkh/presentation-security/tree/3fdaf81a2f8b2c8d64cdb2f529cc714624868aa8/item/security-stuff.pdf -## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panisc-on-oops-1-sysctl-for-better-security/7713 -## -## KSPP=yes -## KSPP sets the sysctls and CONFIG_PANIC_ON_OOPS=y -## -## See /usr/libexec/security-misc/panic-on-oops for implementation. -## -#kernel.oops_limit=1 -#kernel.warn_limit=1 - -## Force immediate system reboots on the occurrence of a single kernel panic. -## Increases resilience and limits impact of denial-of-service attacks as system automatically restarts. -## Ensures the system does not hang forever if a panic occurs, reducing susceptibility to both cold and warm boot attacks. -## Immediate rebooting also prevents persistent information disclosure on panic details that were dumped to screen. -## -## KSPP=yes -## KSPP sets CONFIG_PANIC_TIMEOUT=-1. -## -kernel.panic=-1 - -## Force immediate kernel panic on OOM (out of memory) scenarios. -## Registers a kernel panic whenever the oom_killer is triggered to kill some rogue process based on their OOM score. -## This prevents security features such as the screen locker, kloak, and emerg-shutdown from being arbitrarily terminated. -## Enabling these two together creates a risk of userspace-based denial-of-service attacks that maliciously fill memory. -## This forces immediate system reboot rather than placing any reliance on the oom_killer. -## Known to cause extreme user experience problems with certain applications as the Tor Browser. -## Enabling by default requires improved upstream handling of user space OOM better accounting for desktop users. 
-## -## https://en.wikipedia.org/wiki/Out_of_memory -## https://forums.whonix.org/t/screen-locker-in-security-can-we-disable-these-at-least-4-backdoors/8128/14 -## https://github.com/KSPP/kspp.github.io/issues/9 -## https://github.com/Kicksecure/security-misc/issues/324 -## -## Note that this must be used with kernel.panic=-1 for it to function as intended. -## -#vm.panic_on_oom=2 - -## Force immediate kernel panic on certain NMIs (Non-Maskable Interrupts). -## NMIs are hardware interrupts that cannot be ignored by standard interrupt-masking techniques. -## NMIs are reserved for critical events that require immediate attention. -## Panic upon a NMI indicating a serious hardware-level I/O issue to prevent data corruption. -## Panic upon a NMI indicating uncorrectable memory and hardware errors to prevent data corruption. -## Panic upon receiving an undefined or unknown NMI. -## All three must first be tested to ensure there are no pre-existing issues on user hardware. -## After confirming stability of each they can then be used to prevent data corruption from hardware sources. -## These are valuable for high-reliability systems where data integrity is critical. -## -## https://en.wikipedia.org/wiki/Non-maskable_interrupt -## https://www.kernel.org/doc/html/latest/trace/events-nmi.html -## https://0xax.gitbook.io/linux-insides/summary/interrupts/linux-interrupts-6 -## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux_for_real_time/7/html/reference_guide/non-maskable_interrupts -## -## Note that these must be used with kernel.panic=-1 for them to function as intended. -## -#kernel.panic_on_io_nmi=1 -#kernel.panic_on_unrecovered_nmi=1 -#kernel.unknown_nmi_panic=1 - -## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. -## Can lead to privilege escalation by pushing characters into a controlling TTY. -## Will break out-dated screen readers that continue to rely on this legacy functionality. 
-## Note this was already disabled by default as of Linux kernel 6.2. -## -## https://lore.kernel.org/lkml/20221228205726.rfevry7ud6gmttg5@begin/T/ -## -## KSPP=yes -## KSPP sets the sysctl and does not set CONFIG_LEGACY_TIOCSTI. -## -dev.tty.legacy_tiocsti=0 - -## Disable asynchronous I/O for all processes. -## Use of io_uring has been the leading cause of numerous kernel exploits. -## Disabling will reduce the read/write performance of storage devices. -## -## https://en.wikipedia.org/wiki/Io_uring#Security -## https://lwn.net/Articles/902466/ -## https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html -## https://github.com/moby/moby/pull/46762 -## https://forums.whonix.org/t/io-uring-security-vulnerabilties/16890 -## -kernel.io_uring_disabled=2 - -## Disable 32-bit Virtual Dynamic Shared Object (vDSO) mappings. -## Legacy compatibility feature for superseded glibc versions. -## -## https://lore.kernel.org/lkml/20080409082927.BD59E26F992@magilla.localdomain/T/ -## https://lists.openwall.net/linux-kernel/2014/03/11/3 -## -## KSPP=yes -## KSPP sets the kernel parameter and does not set CONFIG_COMPAT_VDSO. -## -## See /etc/default/grub.d/40_kernel_hardening.cfg for another additional implementation. -## -abi.vsyscall32=0 - -## 2. User Space: -## -## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace - -## Disable the usage of the ptrace() system call by all processes. -## Restrict ptrace() as it enables programs to inspect and modify other active processes. -## Prevents native code debugging which some programs use as a method to detect tampering. -## May cause breakages in 'anti-cheat' software and programs running under Proton/WINE. 
-## -## https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html#ptrace-scope -## https://en.wikipedia.org/wiki/Ptrace -## https://grapheneos.org/features#attack-surface-reduction -## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928 -## https://github.com/netblue30/firejail/issues/2860 -## -## KSPP=yes -## KSPP sets the sysctl. -## -## See /usr/lib/sysctl.d/30_security-misc_ptrace-disable.conf for implementation. -## -#kernel.yama.ptrace_scope=3 - -## Maximize bits of entropy for improved effectiveness of mmap ASLR. -## The maximum number of bits depends on CPU architecture (the ones shown below are for x86). -## Both explicit sysctl are made redundant due to automation. -## Do NOT enable either sysctl - displaying only for clarity. -## -## https://forums.whonix.org/t/automate-mmap-randomisation-to-fix-ppc64el/16514 -## -## See /usr/libexec/security-misc/mmap-rnd-bits for implementation. -## -#vm.mmap_rnd_bits=32 -#vm.mmap_rnd_compat_bits=16 - -## Prevent hardlink creation by users who do not have read/write/ownership of source file. -## Only allow symlinks to be followed when outside of world-writable sticky directories. -## Allow symlinks when the owner and follower match or when the directory owner matches the symlink's owner. -## Hardens cross-privilege boundaries if root process follows a hardlink/symlink belonging to another user. -## This mitigates many hardlink/symlink-based TOCTOU races in world-writable directories like /tmp. -## -## https://wiki.archlinux.org/title/Security#File_systems -## https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=/tmp -## https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use#Preventing_TOCTOU -## -## KSPP=yes -## KSPP sets the sysctls. -## -fs.protected_hardlinks=1 -fs.protected_symlinks=1 - -## Disallow writes to files in world-writable sticky directories unless owned by the directory owner. 
-## Also applies to group-writable sticky directories to make data spoofing attacks more difficult. -## Prevents unintentional writes to attacker-controlled files. -## -## KSPP=yes -## KSPP sets the sysctls. -## -fs.protected_fifos=2 -fs.protected_regular=2 - -## Enable ASLR for mmap base, stack, VDSO pages, and heap. -## Forces shared libraries to be loaded to random addresses. -## Start location of PIE-linked binaries is randomized. -## Heap randomization can lead to breakages with legacy applications. -## -## https://en.wikipedia.org/wiki/Address_space_layout_randomization#Linux -## -## KSPP=yes -## KSPP sets the sysctl. -## -kernel.randomize_va_space=2 - -## Raise the minimum address a process can request for memory mapping to 64KB as a form of defense-in-depth. -## Prevents kernel null pointer dereference vulnerabilities which may trigger kernel panics. -## Protects against local unprivileged users gaining root privileges by mapping data to low memory pages. -## Some legacy applications may still depend on low virtual memory addresses for proper functionality. -## -## https://googleprojectzero.blogspot.com/2023/01/exploiting-null-dereferences-in-linux.html -## https://access.redhat.com/articles/20484 -## https://wiki.debian.org/mmap_min_addr -## -## KSPP=yes -## KSPP sets CONFIG_DEFAULT_MMAP_MIN_ADDR=65536. -## -vm.mmap_min_addr=65536 - -## Increase the maximum number of memory map areas a process is permitted to utilize. -## Addresses performance, crash, and start-up issues for some memory-intensive applications. -## Required to accommodate the very large number of guard pages created by hardened_malloc. -## Kicksecure version 18 will deprecate hardened_malloc, so this sysctl will be applied here instead. 
-## -## https://archlinux.org/news/increasing-the-default-vmmax_map_count-value/ -## https://github.com/GrapheneOS/hardened_malloc#traditional-linux-based-operating-systems -## https://github.com/Kicksecure/hardened_malloc/blob/master/debian/hardened_malloc.conf -## https://www.kicksecure.com/wiki/Hardened_Malloc#Deprecation_in_Kicksecure -## -vm.max_map_count=1048576 - -## Disable the miscellaneous binary format virtual file system to prevent unintended code execution. -## Prevents registering interpreters for various binary formats based on a magic number or their file extension. -## Otherwise arbitrary executables with recognized file formats will be passed to relevant user space applications. -## These interpreters will then run with root permissions when a setuid binary is owned by root. -## Can stop maliciously crafted files with specific file extensions from automatically executing. -## Breaks many scripts that do not have appropriate shebang interpreter directives (#!/bin/...). -## -## https://www.kernel.org/doc/html/latest/admin-guide/binfmt-misc.html -## https://salsa.debian.org/debian/binfmt-support -## https://access.redhat.com/solutions/1985633 -## https://en.wikipedia.org/wiki/Binfmt_misc -## https://security.stackexchange.com/questions/271786/does-allowing-binfmt-misc-significantly-increase-the-attack-surface-for-unprivil -## https://unix.stackexchange.com/questions/439569/what-kinds-of-executable-formats-do-the-files-under-proc-sys-fs-binfmt-misc-al -## https://github.com/Kicksecure/security-misc/pull/249 -## -## KSPP=no -## KSPP does not set CONFIG_BINFMT_MISC. -## -## This is disabled by default due to file/folder permission issues: -## https://github.com/Kicksecure/security-misc/issues/267 -## -#fs.binfmt_misc.status=0 - -## 3. Core Dumps: -## -## https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps - -## Disable core dump files by preventing any pattern names. 
-## This setting may be overwritten by systemd and is not comprehensive. -## Core dumps are also disabled in security-misc-shared via other means. -## -## https://wiki.archlinux.org/title/Core_dump#Disabling_automatic_core_dumps -## -kernel.core_pattern=|/bin/false - -## Prevent setuid processes or otherwise protected/tainted binaries from creating core dumps. -## Any process which has changed privilege levels or is execute-only will not be dumped. -## -## https://blog.qualys.com/vulnerabilities-threat-research/2025/05/29/qualys-tru-discovers-two-local-information-disclosure-vulnerabilities-in-apport-and-systemd-coredump-cve-2025-5054-and-cve-2025-4598 -## -## KSPP=yes -## KSPP sets the sysctl. -## -fs.suid_dumpable=0 - -## Set core dump file name to 'core.PID' instead of 'core' as a form of defense-in-depth. -## If core dumps are permitted, only useful if PID listings are hidden from non-root users. -## -kernel.core_uses_pid=1 - -## 4. Swap Space: -## -## https://madaidans-insecurities.github.io/guides/linux-hardening.html#swap - -## Limit the copying of memory to the swap device only if absolutely necessary. -## Minimizes the likelihood of writing potentially sensitive contents to disk. -## Not recommended to set to zero since this disables periodic write behavior. -## -## https://en.wikipedia.org/wiki/Memory_paging#Linux -## https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/s-memory-tunables.html -## -vm.swappiness=1 - -## 5. Networking: -## -## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-network -## https://wiki.archlinux.org/title/Sysctl#TCP/IP_stack_hardening - -## Enable hardening of the BPF JIT compiler for all users. -## Provides some mitigation against JIT spraying. 
-## -## https://en.wikipedia.org/wiki/JIT_spraying -## https://www.blackhat.com/docs/eu-16/materials/eu-16-Reshetova-Randomization-Can't-Stop-BPF-JIT-Spray-wp.pdf -## https://lwn.net/Articles/686098/ -## https://lwn.net/Articles/525609/ -## -## KSPP=yes -## KSPP sets the sysctl. -## -net.core.bpf_jit_harden=2 - -## Enable TCP SYN cookie protection to assist against SYN flood attacks. -## -## https://en.wikipedia.org/wiki/SYN_flood -## https://cateee.net/lkddb/web-lkddb/SYN_COOKIES.html -## -## KSPP=yes -## KSPP sets CONFIG_SYN_COOKIES=y. -## -net.ipv4.tcp_syncookies=1 - -## Protect against TCP time-wait assassination hazards. -## Drops RST packets for sockets in the time-wait state. -## -## https://tools.ietf.org/html/rfc1337 -## -net.ipv4.tcp_rfc1337=1 - -## Enable reverse path filtering (source validation) of packets received from all interfaces. -## Prevents IP spoofing and mitigates vulnerabilities such as CVE-2019-14899. -## The second "default" command fixes a bug in the existing kernel implementation. -## -## https://en.wikipedia.org/wiki/IP_address_spoofing -## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-reverse_path_forwarding#sect-Security_Guide-Server_Security-Reverse_Path_Forwarding -## https://forums.whonix.org/t/enable-reverse-path-filtering/8594 -## https://seclists.org/oss-sec/2019/q4/122 -## https://github.com/Kicksecure/security-misc/pull/261 -## -net.ipv4.conf.*.rp_filter=1 -net.ipv4.conf.default.rp_filter=1 - -## Disable ICMP redirect acceptance and redirect sending messages. -## Prevents man-in-the-middle attacks and minimizes information disclosure. -## If ICMP redirects are permitted, accept messages only through approved gateways (kernel default). -## Approving gateways requires the managing of a default gateway list. 
-## -## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing#sect-Security_Guide-Server_Security-Disable-Source-Routing -## https://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/theconfvariables.html -## https://www.debian.org/doc/manuals/securing-debian-manual/network-secure.en.html -## https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked -## https://github.com/Kicksecure/security-misc/pull/248 -## -net.ipv4.conf.*.accept_redirects=0 -net.ipv4.conf.*.send_redirects=0 -net.ipv6.conf.*.accept_redirects=0 -#net.ipv4.conf.*.secure_redirects=1 - -## Deny sending and receiving RFC1620 shared media redirects. -## Relevant mainly for network interfaces that operate over shared media such as Ethernet hubs. -## Stops the kernel from sending ICMP redirects to specific networks from the connected network. -## This variable overrides the use secure_redirects. -## -## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf -## https://datatracker.ietf.org/doc/html/rfc1620 -## https://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/theconfvariables.html -## -net.ipv4.conf.*.shared_media=0 - -## Enable ARP (Address Resolution Protocol) filtering. -## Prevents the Linux kernel from handling the ARP table globally. -## Can mitigate some ARP spoofing and ARP cache poisoning attacks. -## Improper filtering can lead to increased ARP traffic and inadvertently block legitimate ARP requests. -## -## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf -## -net.ipv4.conf.*.arp_filter=1 - -## Respond to ARP (Address Resolution Protocol) requests only if the target IP address is on-link. -## Reduces IP spoofing attacks by limiting the scope of allowable ARP responses. 
-## -## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf -## https://github.com/mullvad/mullvadvpn-app/blob/main/audits/2024-12-10-X41-D-Sec.md#mllvd-cr-24-03-virtual-ip-address-of-tunnel-device-leaks-to-network-adjacent-participant-severity-medium -## https://github.com/mullvad/mullvadvpn-app/pull/7141 -## https://www.x41-dsec.de/static/reports/X41-Mullvad-Audit-Public-Report-2024-12-10.pdf -## -## Can lead to breakages with certain VM configurations that may be resolved by lowering protection to `arp_ignore=1`. -## https://github.com/Kicksecure/security-misc/pull/290 -## -net.ipv4.conf.*.arp_ignore=2 - -## Drop gratuitous ARP (Address Resolution Protocol) packets. -## Stops ARP responses sent by a device without being explicitly requested. -## Prevents ARP cache poisoning by rejecting fake ARP entries into a network. -## Prevents man-in-the-middle and denial-of-service attacks. -## May cause breakages when ARP proxies are used in the network. -## -## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf -## https://patchwork.ozlabs.org/project/netdev/patch/1428652454-1224-3-git-send-email-johannes@sipsolutions.net/ -## https://www.practicalnetworking.net/series/arp/gratuitous-arp/ -## -net.ipv4.conf.*.drop_gratuitous_arp=1 - -## Ignore ICMP echo requests. -## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks. -## -## https://en.wikipedia.org/wiki/Smurf_attack -## -net.ipv4.icmp_echo_ignore_all=1 -net.ipv6.icmp.echo_ignore_all=1 - -## Ignore bogus ICMP error responses. -## Mitigates attacks designed to fill log files with useless error messages. -## -net.ipv4.icmp_ignore_bogus_error_responses=1 - -## Disable source routing which allows users to redirect network traffic. -## Prevents man-in-the-middle attacks in which the traffic is redirected. 
-## -## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing -## -net.ipv4.conf.*.accept_source_route=0 -net.ipv6.conf.*.accept_source_route=0 - -## Do not accept IPv6 router advertisements (RAs) and solicitations. -## RAs are unsecured and unauthenticated and any device on the local link can send and accept them without verification. -## Malicious RAs can activate IPv6 connectivity on dormant hosts leading to unauthorized access. -## Flooding the network with malicious RAs can lead to denial-of-service attacks. -## Rogue RAs can lead to interception of all network traffic by setting the attacker's system as the default gateway. -## -## https://datatracker.ietf.org/doc/html/rfc6104 -## https://datatracker.ietf.org/doc/html/rfc6105 -## https://archive.conference.hitb.org/hitbsecconf2012kul/materials/D1T2%20-%20Marc%20Heuse%20-%20IPv6%20Insecurity%20Revolutions.pdf -## -net.ipv6.conf.*.accept_ra=0 - -## Disable SACK and DSACK. -## Select acknowledgements (SACKs) are a known common vector of exploitation. -## Duplicate select acknowledgements (DSACKs) are an extension of SACK. -## Disabling can cause severe connectivity issues on networks with high latency or packet loss. -## Enabling on stable high-bandwidth networks can lead to reduced efficiency of TCP connections. -## -## https://datatracker.ietf.org/doc/html/rfc2018 -## https://datatracker.ietf.org/doc/html/rfc2883 -## https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf -## https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md -## https://wiki.archlinux.org/title/Sysctl#TCP_Selective_Acknowledgement -## https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109/5 -## -## SACK and DSACK are currently enabled. -## -#net.ipv4.tcp_sack=0 -#net.ipv4.tcp_dsack=0 - -## Disable TCP timestamps to limit device fingerprinting via system time. 
-## Timestamps allow round-trip time measurement and protection against wrapped sequence numbers. -## Disabling timestamps on very fast links is likely to cause TCP Sequence Numbers to wrap. -## Segments with wrapped numbers will be incorrectly discarded, reducing network performance. -## -## https://datatracker.ietf.org/doc/html/rfc1323 -## https://forums.whonix.org/t/do-ntp-and-tcp-timestamps-really-leak-your-local-time/7824 -## https://web.archive.org/web/20170201160732/https://mailman.boum.org/pipermail/tails-dev/2013-December/004520.html -## https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf -## -net.ipv4.tcp_timestamps=0 - -## Disable reuse of TIME_WAIT sockets for new outgoing connections. -## The safety of reusing of TIME_WAIT sockets requires enabling TCP timestamps. -## The kernel uses timestamps to verify a new connection is not a duplicate segment from an older connection. -## Hence TIME-WAIT sockets should wait the full timeout period before being made available again. -## Can lead to port exhaustion on high-traffic networks with numerous short-lived connections. -## -## https://vincent.bernat.ch/en/blog/2014-tcp-time-wait-state-linux -## -net.ipv4.tcp_tw_reuse=0 - -## Enable logging of packets with impossible source or destination addresses. -## Martian and unroutable packets may be used for malicious purposes. -## Recommended to keep a (kernel dmesg) log of these to identify suspicious packets. -## Useful for troubleshooting and diagnostics but not necessary by default. -## Previously known to cause performance issues, especially on systems with multiple interfaces. -## This no longer seems to be a problem. 
-## -## https://wiki.archlinux.org/title/Sysctl#Log_martian_packets -## https://www.cyberciti.biz/faq/linux-log-suspicious-martian-packets-un-routable-source-addresses/ -## https://support.scc.suse.com/s/kb/Martian-sources-errors-showing-in-messages-log?language=en_US -## https://github.com/Kicksecure/security-misc/issues/214 -## -net.ipv4.conf.*.log_martians=1 - -## Enable IPv6 Privacy Extensions to prefer temporary addresses over public addresses. -## The temporary/privacy address is used as the source for all outgoing traffic. -## Must be used in combination with /usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf. -## Must be used in combination with /usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf. -## Should be used with MAC randomization in /usr/lib/NetworkManager/conf.d/80_randomize-mac.conf. -## -## MAC randomization breaks root server and VirtualBox DHCP, likely due to IPv6 Privacy Extensions. -## -## https://datatracker.ietf.org/doc/html/rfc4941 -## https://github.com/Kicksecure/security-misc/pull/145 -## https://github.com/Kicksecure/security-misc/issues/184 -## -## The use of IPv6 Privacy Extensions is currently disabled due to these breakages. -## -#net.ipv6.conf.*.use_tempaddr=2 diff --git a/usr/lib/systemd/coredump.conf.d/30_security-misc.conf#security-misc-shared b/usr/lib/systemd/coredump.conf.d/30_security-misc.conf#security-misc-shared deleted file mode 100644 index 2d02bc9..0000000 --- a/usr/lib/systemd/coredump.conf.d/30_security-misc.conf#security-misc-shared +++ /dev/null @@ -1,5 +0,0 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -[Coredump] -Storage=none diff --git a/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf#security-misc-desktop b/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf#security-misc-desktop deleted file mode 100644 index 70aca2c..0000000 
--- a/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf#security-misc-desktop +++ /dev/null @@ -1,13 +0,0 @@ -## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## MAC randomisation breaks root server and VirtualBox DHCP likely due to IPv6 Privacy Extensions. -## -## https://datatracker.ietf.org/doc/html/rfc4941 -## https://github.com/Kicksecure/security-misc/pull/145 -## https://github.com/Kicksecure/security-misc/issues/184 -## -## The use of IPv6 Privacy Extensions is currently disabled due to these breakages. - -#[Network] -#IPv6PrivacyExtensions=kernel diff --git a/usr/lib/systemd/pstore.conf.d/30_security-misc.conf#security-misc-shared b/usr/lib/systemd/pstore.conf.d/30_security-misc.conf#security-misc-shared deleted file mode 100644 index 9e513c6..0000000 --- a/usr/lib/systemd/pstore.conf.d/30_security-misc.conf#security-misc-shared +++ /dev/null @@ -1,5 +0,0 @@ -## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -[PStore] -Storage=none diff --git a/usr/lib/systemd/system-preset/50-security-misc.preset#security-misc-shared b/usr/lib/systemd/system-preset/50-security-misc.preset#security-misc-shared deleted file mode 100644 index d3c6c17..0000000 --- a/usr/lib/systemd/system-preset/50-security-misc.preset#security-misc-shared +++ /dev/null 
@@ -1,32 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## https://forums.whonix.org/t/restrict-hardware-information-to-root-testers-wanted/8618 -disable hide-hardware-info.service - -## Disable for now until development finished / tested. -disable permission-hardener.service - -## Disable for now until development finished / tested. -## https://github.com/Kicksecure/security-misc/pull/152 -disable remount-secure.service - -## Disable due to pkexec issues. -disable proc-hidepid.service - -## Disable due to issues. See: -## https://github.com/Kicksecure/security-misc/issues/159 -disable harden-module-loading.service - -## TODO: polish, test -## Disable due to timing difficulties. See: -## https://github.com/systemd/systemd/issues/38261#issuecomment-3134580852 -disable ensure-shutdown.service -disable ensure-shutdown-trigger.service - -## TODO: Disabled due to bug: breaks ISO Live Mode Calamares installer -disable emerg-shutdown.service - -## memlockd is needed by emerg-shutdown, but the service is not, the user can -## enable this manually if desired. -disable memlockd.service diff --git a/usr/lib/systemd/system/block-shutdown.service#security-misc-shared b/usr/lib/systemd/system/block-shutdown.service#security-misc-shared deleted file mode 100644 index 3d4be21..0000000 --- a/usr/lib/systemd/system/block-shutdown.service#security-misc-shared +++ /dev/null 
@@ -1,29 +0,0 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## This unit, if uncommented and started, will prevent the system from ever -## shutting down unless ensure-shutdown.service is enabled and correctly -## configured. If you have enabled ensure-shutdown.service and tuned the -## ENSURE_SHUTDOWN_TIMEOUT and DefaultTimeoutStopSec variables (in -## /etc/security-misc/emerg-shutdown/30_security_misc.conf and -## /etc/systemd/system.conf respectively) and want to make sure -## ensure-shutdown.service actually works, you can uncomment this unit and -## start it with `sudo systemctl start block-shutdown.service`. If the systems -## successfully powers down even with this unit started, -## ensure-shutdown.service is working. - -# [Unit] -# Description=Blocks shutdown indefinitely unless ensure-shutdown.service is enabled -# -# [Service] -# Type=exec -# ExecStart=bash -c -- "trap '' SIGTERM; sleep infinity" -# KillSignal=SIGTERM -# FinalKillSignal=SIGTERM -# RestartKillSignal=SIGTERM -# WatchdogSignal=SIGTERM -# SendSIGHUP=no -# TimeoutStopSec=infinity -# -# [Install] -# WantedBy=multi-user.target diff --git a/usr/lib/systemd/system/emerg-shutdown.service#security-misc-shared b/usr/lib/systemd/system/emerg-shutdown.service#security-misc-shared deleted file mode 100644 index 43d594d..0000000 --- a/usr/lib/systemd/system/emerg-shutdown.service#security-misc-shared +++ /dev/null 
@@ -1,21 +0,0 @@ -## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -[Unit] -Description=Emergency shutdown when boot media is removed -Documentation=https://github.com/Kicksecure/security-misc -DefaultDependencies=no -Before=sysinit.target -Requires=systemd-udevd.service -After=systemd-udevd.service -Requires=local-fs.target -After=local-fs.target -ConditionPathExists=!/usr/share/qubes/marker-vm - -[Service] -Type=notify -ExecStart=/usr/libexec/security-misc/emerg-shutdown -NotifyAccess=main - -[Install] -WantedBy=sysinit.target diff --git a/usr/lib/systemd/system/ensure-shutdown-trigger.service#security-misc-shared b/usr/lib/systemd/system/ensure-shutdown-trigger.service#security-misc-shared deleted file mode 100644 index 593f08d..0000000 --- a/usr/lib/systemd/system/ensure-shutdown-trigger.service#security-misc-shared +++ /dev/null @@ -1,19 +0,0 @@ -## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## NOTE: If enabling this unit, also enable ensure-shutdown.service, otherwise -## this will do nothing. - -[Unit] -Description=Forcibly shut down the system if normal shutdown gets stuck (alternate trigger unit) -Documentation=https://github.com/Kicksecure/security-misc -ConditionPathExists=!/usr/share/qubes/marker-vm - -[Service] -Type=oneshot -RemainAfterExit=true -ExecStart=true -ExecStop=bash -c -- 'echo "d" > /run/emerg-shutdown-trigger' - -[Install] -WantedBy=multi-user.target diff --git a/usr/lib/systemd/system/ensure-shutdown.service#security-misc-shared b/usr/lib/systemd/system/ensure-shutdown.service#security-misc-shared deleted file mode 100644 index ad124f5..0000000 --- a/usr/lib/systemd/system/ensure-shutdown.service#security-misc-shared +++ /dev/null 
@@ -1,26 +0,0 @@ -## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## NOTE: If enabling this unit, also enable ensure-shutdown-trigger.service, -## otherwise this will likely be unable to unstick a stuck shutdown. - -[Unit] -Description=Forcibly shut down the system if normal shutdown gets stuck -Documentation=https://github.com/Kicksecure/security-misc -DefaultDependencies=no -Before=sysinit.target -Requires=systemd-udevd.service -After=systemd-udevd.service -Wants=emerg-shutdown.service -After=emerg-shutdown.service -ConditionPathExists=!/usr/share/qubes/marker-vm - -[Service] -Type=oneshot -RemainAfterExit=true -ExecStart=/usr/libexec/security-misc/ensure-shutdown -ExecStop=bash -c -- 'echo "d" > /run/emerg-shutdown-trigger' -KillMode=process - -[Install] -WantedBy=sysinit.target diff --git a/usr/lib/systemd/system/harden-module-loading.service#security-misc-shared b/usr/lib/systemd/system/harden-module-loading.service#security-misc-shared deleted file mode 100644 index 8efea40..0000000 --- a/usr/lib/systemd/system/harden-module-loading.service#security-misc-shared +++ /dev/null @@ -1,24 +0,0 @@ -## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -[Unit] -Description=Disable the loading of additional modules after systemd-modules-load.service -Documentation=https://github.com/Kicksecure/security-misc - -DefaultDependencies=no -Before=sysinit.target -Requires=local-fs.target -Requires=systemd-modules-load.service -After=local-fs.target -After=systemd-modules-load.service - -# This functionality is implemented with this and not directly in the sysctl config is -# to allow systemd-modules-load.service to load the modules with no problem but -# to disallow anyone else do the same after the system boots up. - -[Service] -Type=oneshot -ExecStart=/usr/libexec/security-misc/disable-kernel-module-loading - -[Install] -WantedBy=sysinit.target 
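Review bot: Deleting harden-module-loading.service, together with the disable-kernel-module-loading script removed later in this patch, drops the one place in the visible hunks where `sysctl -w kernel.modules_disabled=1` is applied after systemd-modules-load.service, and nothing shown here replaces it. If the removal is intended, say so in the commit message. If the setting is meant to move into a sysctl.d file instead, note that the unit's own comment explains why it was not done that way: systemd-modules-load.service must be able to load its modules first.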
diff --git a/usr/lib/systemd/system/kill-vboxdrmclient-on-shutdown.service#security-misc-shared b/usr/lib/systemd/system/kill-vboxdrmclient-on-shutdown.service#security-misc-shared deleted file mode 100644 index 136ff7a..0000000 --- a/usr/lib/systemd/system/kill-vboxdrmclient-on-shutdown.service#security-misc-shared +++ /dev/null @@ -1,15 +0,0 @@ -## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -[Unit] -Description=kill VBoxDRMClient during shutdown to allow /tmp to be unmounted properly -ConditionVirtualization=oracle - -[Service] -Type=oneshot -RemainAfterExit=true -ExecStart=true -ExecStop=/usr/libexec/security-misc/kill-vboxdrmclient-on-shutdown - -[Install] -WantedBy=multi-user.target diff --git a/usr/lib/systemd/system/panic-on-oops.service#security-misc-shared b/usr/lib/systemd/system/panic-on-oops.service#security-misc-shared deleted file mode 100644 index bf97d7f..0000000 --- a/usr/lib/systemd/system/panic-on-oops.service#security-misc-shared +++ /dev/null @@ -1,21 +0,0 @@ -## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -[Unit] -Description=Sets 'sysctl' settings relating to kernel panics on both oopses and warnings late during the boot process. -Documentation=https://github.com/Kicksecure/security-misc - -ConditionKernelCommandLine=!panic-on-oops=0 - -After=multi-user.target -After=graphical.target -After=getty.target - -[Service] -Type=oneshot -RemainAfterExit=yes -ExecStart=/usr/libexec/security-misc/panic-on-oops enable -ExecStop=/usr/libexec/security-misc/panic-on-oops disable - -[Install] -WantedBy=multi-user.target diff --git a/usr/lib/systemd/system/permission-hardener.service#security-misc-shared b/usr/lib/systemd/system/permission-hardener.service#security-misc-shared deleted file mode 100644 index 1285bf0..0000000 --- a/usr/lib/systemd/system/permission-hardener.service#security-misc-shared +++ /dev/null 
@@ -1,19 +0,0 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -[Unit] -Description=Permission Hardener at Boot Time (opt-in in addition to security-misc-shared package installation time hardening) -Documentation=https://github.com/Kicksecure/security-misc - -DefaultDependencies=no -Before=sysinit.target -Requires=local-fs.target -After=local-fs.target - -[Service] -Type=oneshot -RemainAfterExit=yes -ExecStart=permission-hardener enable - -[Install] -WantedBy=sysinit.target diff --git a/usr/lib/systemd/system/remount-secure.service#security-misc-shared b/usr/lib/systemd/system/remount-secure.service#security-misc-shared deleted file mode 100644 index 2489d34..0000000 --- a/usr/lib/systemd/system/remount-secure.service#security-misc-shared +++ /dev/null @@ -1,32 +0,0 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -[Unit] -Description=remount /home /tmp /dev/shm /run with nosuid,nodev (default) and noexec (opt-in) -Documentation=https://github.com/Kicksecure/security-misc - -ConditionKernelCommandLine=!remountsecure=0 - -DefaultDependencies=no - -Before=sysinit-post.target -Before=basic.target -Before=multi-user.target -Before=graphical.target -Before=getty-pre.target -Before=network-pre.target - -After=local-fs.target -After=sysinit.target -After=qubes-sysinit.service - -Requires=local-fs.target -Requires=sysinit.target - -[Service] -Type=oneshot -RemainAfterExit=yes -ExecStart=remount-secure 3 - -[Install] -WantedBy=sysinit-post.target diff --git a/usr/lib/systemd/system/sysinit-post.target#security-misc-shared b/usr/lib/systemd/system/sysinit-post.target#security-misc-shared deleted file mode 100644 index f6ef3ba..0000000 --- a/usr/lib/systemd/system/sysinit-post.target#security-misc-shared +++ /dev/null 
@@ -1,12 +0,0 @@ -## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -[Unit] -Description=sys-init.target by security-misc-shared - -After=sysinit.target -Before=basic.target -Requires=sysinit.target - -[Install] -WantedBy=basic.target diff --git a/usr/lib/systemd/system/usbguard.service.d/30_security-misc.conf#security-misc-shared b/usr/lib/systemd/system/usbguard.service.d/30_security-misc.conf#security-misc-shared deleted file mode 100644 index 24cb0da..0000000 --- a/usr/lib/systemd/system/usbguard.service.d/30_security-misc.conf#security-misc-shared +++ /dev/null @@ -1,8 +0,0 @@ -## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -[Unit] -ConditionPathExists=/sys/bus/usb - -[Service] -ExecCondition=/usr/libexec/security-misc/check-for-usb-controller diff --git a/usr/lib/systemd/system/user@.service.d/sysfs.conf#security-misc-shared b/usr/lib/systemd/system/user@.service.d/sysfs.conf#security-misc-shared deleted file mode 100644 index 3a9129d..0000000 --- a/usr/lib/systemd/system/user@.service.d/sysfs.conf#security-misc-shared +++ /dev/null @@ -1,5 +0,0 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -[Service] -SupplementaryGroups=sysfs diff --git a/usr/lib/systemd/user/usbguard-notifier.service.d/30_security-misc.conf#security-misc-shared b/usr/lib/systemd/user/usbguard-notifier.service.d/30_security-misc.conf#security-misc-shared deleted file mode 100644 index 70accaf..0000000 --- a/usr/lib/systemd/user/usbguard-notifier.service.d/30_security-misc.conf#security-misc-shared +++ /dev/null @@ -1,5 +0,0 @@ -## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -[Unit] -ConditionPathExists=/sys/bus/usb 
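Review bot: Removing `SupplementaryGroups=sysfs` from user@.service.d/sysfs.conf conflicts with the hide-hardware-info script this patch adds, which still defaults to `sysfs_whitelist=1` and restricts /sys to the sysfs group (`chgrp -fR "${1}" "${whitelist_path}"` followed by `chmod o-rwx "${whitelist_path}"`). With the drop-in gone, user service managers no longer receive that group whenever the script runs. Keep the drop-in, or document how whitelisted users are expected to obtain the sysfs group.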
diff --git a/usr/lib/udev/rules.d/95-emerg-shutdown.rules#security-misc-shared b/usr/lib/udev/rules.d/95-emerg-shutdown.rules#security-misc-shared deleted file mode 100644 index 051af9f..0000000 --- a/usr/lib/udev/rules.d/95-emerg-shutdown.rules#security-misc-shared +++ /dev/null @@ -1,9 +0,0 @@ -SUBSYSTEM!="input", GOTO="end" - -# new keyboard or mouse attached or removed, restart emerg-shutdown -KERNEL=="event*", ACTION=="add", ENV{ID_INPUT_KEYBOARD}=="1", RUN+="/usr/bin/systemctl restart emerg-shutdown.service" -KERNEL=="event*", ACTION=="add", ENV{ID_INPUT_KEYBOARD}=="1", GOTO="end" -KERNEL=="event*", ACTION=="remove", ENV{ID_INPUT_KEYBOARD}=="1", RUN+="/usr/bin/systemctl restart emerg-shutdown.service" -KERNEL=="event*", ACTION=="remove", ENV{ID_INPUT_KEYBOARD}=="1", GOTO="end" - -LABEL="end" diff --git a/usr/libexec/security-misc/apt-get-update b/usr/libexec/security-misc/apt-get-update new file mode 100755 index 0000000..ff58900 --- /dev/null +++ b/usr/libexec/security-misc/apt-get-update @@ -0,0 +1,32 @@ +#!/bin/bash + +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +sigterm_trap() { + if [ "$lastpid" = "" ]; then + exit 143 + fi + ps -p "$lastpid" >/dev/null 2>&1 + if [ ! "$?" = "0" ]; then + ## Already terminated. + exit 143 + fi + kill -s sigterm "$lastpid" + exit 143 +} + +trap "sigterm_trap" SIGTERM SIGINT + +[ -n "$timeout_after" ] || timeout_after="600" +[ -n "$kill_after" ] || kill_after="10" + +timeout \ + --kill-after="$kill_after" \ + "$timeout_after" \ + apt-get update --error-on=any "$@" & + +lastpid="$!" +wait "$lastpid" + +exit "$?" diff --git a/usr/libexec/security-misc/apt-get-update-sanity-test b/usr/libexec/security-misc/apt-get-update-sanity-test new file mode 100755 index 0000000..1fab62b --- /dev/null +++ b/usr/libexec/security-misc/apt-get-update-sanity-test 
@@ -0,0 +1,11 @@ +#!/bin/bash + +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +set -x +set -e +set -o pipefail + +wc -L "/var/lib/apt/lists/"*InRelease +wc -L "/var/lib/apt/lists/"*InRelease | awk '$1 > 1024 {print; exit 1}' diff --git a/usr/libexec/security-misc/askpass#security-misc-shared b/usr/libexec/security-misc/askpass similarity index 57% rename from usr/libexec/security-misc/askpass#security-misc-shared rename to usr/libexec/security-misc/askpass index d428975..0c24b25 100755 --- a/usr/libexec/security-misc/askpass#security-misc-shared +++ b/usr/libexec/security-misc/askpass @@ -1,10 +1,10 @@ #!/bin/bash -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. set -e title="$0: password required for $(whoami) to perform action as superuser" -yad --password --title="$title" +zenity --password --title="$title" diff --git a/usr/libexec/security-misc/block-unsafe-logins#security-misc-shared b/usr/libexec/security-misc/block-unsafe-logins#security-misc-shared deleted file mode 100755 index 3000c68..0000000 --- a/usr/libexec/security-misc/block-unsafe-logins#security-misc-shared +++ /dev/null 
@@ -1,146 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -set -o errexit -set -o nounset -set -o errtrace -set -o pipefail - -source /usr/libexec/helper-scripts/package_installed_check.sh - -if [ -z "${PAM_USER:-}" ]; then - true "$0: ERROR: Environment variable 'PAM_USER' is unset!" - ## 'exit 0' here to let the appropriate PAM module handle this. - exit 0 -fi -if [ -z "${PAM_SERVICE:-}" ]; then - true "$0: ERROR: Environment variable 'PAM_SERVICE' is unset!" - ## 'exit 0' here to let the appropriate PAM module handle this. - exit 0 -fi - -if ! pkg_installed 'user-sysmaint-split' ; then - true "$0: INFO: user-sysmaint-split not installed. Proceeding, ok." - exit 0 -fi - -kernel_cmdline='' -if [ -r /proc/cmdline ]; then - kernel_cmdline="$(cat /proc/cmdline)" -elif [ -r /proc/1/cmdline ]; then - kernel_cmdline="$(cat /proc/1/cmdline)" -fi - -if [[ "$kernel_cmdline" =~ 'boot-role=sysmaint' ]]; then - true "INFO: session type: sysmaint session" - if [ "$PAM_USER" != 'sysmaint' ]; then - printf '%s\n' "ERROR: Rejecting non-sysmaint account '$PAM_USER' in sysmaint session!" - exit 1 - fi - true 'INFO: Running in sysmaint session and authenticating as sysmaint account, allowing authentication to proceed.' - exit 0 -fi - -true "INFO: session type: user session" - -if [ "$PAM_USER" = 'sysmaint' ]; then - printf '%s\n' 'ERROR: Rejecting sysmaint account in user session!' - exit 1 -fi - -## Threat model: -## https://www.kicksecure.com/wiki/Dev/Strong_Linux_User_Account_Isolation#Block_Unsafe_Logins - -login_service_list=( 'login' 'greetd' 'sshd' 'swaylock' ) -for login_service in "${login_service_list[@]}"; do - if [ "$PAM_SERVICE" = "$login_service" ]; then - true "INFO: Login service '$PAM_SERVICE' is considered safe, allowing authentication to proceed." - exit 0 - fi -done - -true "INFO: Login service '$PAM_SERVICE' is potentially unsafe, checking if account is sensitive and passwordless." 
- -if ! user_list_str="$(/usr/libexec/helper-scripts/get-user-list)"; then - printf '%s\n' 'ERROR: Failed to get user list!' - exit 1 -fi -readarray -t user_list <<< "$user_list_str" -if [ "${#user_list[@]}" = '0' ] || [ -z "${user_list[0]}" ]; then - printf '%s\n' 'ERROR: No user accounts found!' - exit 1 -fi - -## Minor race condition here, quick deletion of users during this process -## could result in user_list and passwd_status_list becoming misaligned. This -## attack would require root privileges to execute though, so this is likely -## not a concern. We do this before checking if $PAM_USER is in the list of -## interactive users to keep the race window as short as possible. -## -## NOTE: PAM modules may run as non-root in some instances (such as when used -## by Swaylock). -if [ "$(id -u)" = '0' ]; then - passwd_status_list_cmd=( - '/usr/libexec/helper-scripts/get-password-status-list' - ) -else - passwd_status_list_cmd=( 'leaprun' 'get-password-status-list' ) -fi -if ! password_status_list_str="$("${passwd_status_list_cmd[@]}")"; then - printf '%s\n' 'ERROR: Failed to get password status list!' - exit 1 -fi -readarray -t passwd_status_list <<< "$password_status_list_str" -if [ "${#passwd_status_list[@]}" = '0' ] \ - || [ -z "${passwd_status_list[0]}" ] \ - || (( ${#passwd_status_list[@]} != ${#user_list[@]} )); then - printf '%s\n' 'ERROR: Unexpected number of password status entries!' - exit 1 -fi - -interactive_user_idx='-1' -for user_idx in "${!user_list[@]}"; do - if [ "${user_list[user_idx]}" = "$PAM_USER" ]; then - interactive_user_idx="$user_idx" - break - fi -done -if [ "$interactive_user_idx" = '-1' ]; then - ## This isn't a user account we care about (it's not an interactive - ## account), therefore allow authentication to proceed. - true "INFO: Account '$PAM_USER' is not an interactive account, allowing authentication to proceed." 
- exit 0 -fi - -IFS=' ' read -r -a user_gid_list < <(id --groups -- "$PAM_USER") -sensitive_group_list=( 'sudo' 'root' 'sysmaint' ) -is_user_sensitive='false' - -for sensitive_group in "${sensitive_group_list[@]}"; do - sensitive_gid="$(accountctl "$sensitive_group" get-entry group gid)" - for user_gid in "${user_gid_list[@]}"; do - if [ "$sensitive_gid" = "$user_gid" ]; then - is_user_sensitive='true' - break - fi - done - if [ "$is_user_sensitive" = 'true' ]; then - break - fi -done - -if [ "$is_user_sensitive" = 'true' ]; then - if [ "${passwd_status_list[interactive_user_idx]}" = 'Absent' ]; then - ## User account is sensitive and passwordless, deny authentication - printf '%s\n' "ERROR: Rejecting passwordless sensitive account '$PAM_USER'!" - exit 1 - else - true "INFO: Account '$PAM_USER' is sensitive but protected, allowing authentication to proceed." - exit 0 - fi -fi - -true "INFO: Account '$PAM_USER' is not sensitive, allowing authentication to proceed." -exit 0 diff --git a/usr/libexec/security-misc/check-for-usb-controller#security-misc-shared b/usr/libexec/security-misc/check-for-usb-controller#security-misc-shared deleted file mode 100755 index 3c00602..0000000 --- a/usr/libexec/security-misc/check-for-usb-controller#security-misc-shared +++ /dev/null @@ -1,17 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -set -e - -export LC_ALL='C' - -## Package 'pciutils' provides tool 'lspci'. -command -v lspci &>/dev/null - -if lspci | grep --quiet '^[^ ]* USB controller: '; then - exit 0 -fi - -exit 1 diff --git a/usr/libexec/security-misc/disable-kernel-module-loading#security-misc-shared b/usr/libexec/security-misc/disable-kernel-module-loading#security-misc-shared deleted file mode 100755 index 817d859..0000000 --- a/usr/libexec/security-misc/disable-kernel-module-loading#security-misc-shared +++ /dev/null 
@@ -1,11 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -set -x -set -e - -sysctl -w kernel.modules_disabled=1 - -true "The loading of new modules to the kernel has been disabled by package security-misc-shared." diff --git a/usr/libexec/security-misc/echo-path#security-misc-shared b/usr/libexec/security-misc/echo-path similarity index 52% rename from usr/libexec/security-misc/echo-path#security-misc-shared rename to usr/libexec/security-misc/echo-path index 3bcc2cd..9420ff5 100755 --- a/usr/libexec/security-misc/echo-path#security-misc-shared +++ b/usr/libexec/security-misc/echo-path @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. set -e diff --git a/usr/libexec/security-misc/emerg-shutdown#security-misc-shared b/usr/libexec/security-misc/emerg-shutdown#security-misc-shared deleted file mode 100755 index 12fad3e..0000000 --- a/usr/libexec/security-misc/emerg-shutdown#security-misc-shared +++ /dev/null 
@@ -1,100 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -set -o errexit -set -o nounset -set -o errtrace -set -o pipefail - -## Make sure globs sort in a predictable, reproducible fashion -export LC_ALL=C - -in_dracut='false' -if [ -f '/dracut-state.sh' ]; then - in_dracut='true' -fi -binary_prefix='/run' -EMERG_SHUTDOWN_KEYS='' -root_devices[0]='' - -gcc_hardening_options=( - "-O2" "-Wall" "-Wextra" "-Wformat" "-Wformat=2" "-Wconversion" - "-Wimplicit-fallthrough" "-Werror=format-security" "-Werror=implicit" - "-Werror=int-conversion" "-Werror=incompatible-pointer-types" - "-Wformat-overflow" "-Wformat-signedness" "-Wnull-dereference" "-Winit-self" - "-Wmissing-include-dirs" "-Wshift-negative-value" "-Wshift-overflow" - "-Wswitch-default" "-Wuninitialized" "-Walloca" "-Warray-bounds" - "-Wfloat-equal" "-Wshadow" "-Wpointer-arith" "-Wundef" "-Wunused-macros" - "-Wbad-function-cast" "-Wcast-qual" "-Wcast-align" "-Wwrite-strings" - "-Wdate-time" "-Wstrict-prototypes" "-Wold-style-definition" - "-Wredundant-decls" "-Winvalid-utf8" "-Wvla" "-Wdisabled-optimization" - "-Wstack-protector" "-Wdeclaration-after-statement" "-Wtrampolines" - "-Wbidi-chars=any,ucn" "-Wformat-overflow=2" "-Wformat-truncation=2" - "-Wshift-overflow=2" "-Wtrivial-auto-var-init" "-Wstringop-overflow=3" - "-Wstrict-flex-arrays" "-Walloc-zero" "-Warray-bounds=2" - "-Wattribute-alias=2" "-Wduplicated-branches" "-Wduplicated-cond" - "-Wcast-align=strict" "-Wjump-misses-init" "-Wlogical-op" "-U_FORTIFY_SOURCE" - "-D_FORTIFY_SOURCE=3" "-fstack-clash-protection" "-fstack-protector-all" - "-fno-delete-null-pointer-checks" "-fno-strict-aliasing" - "-fstrict-flex-arrays=3" "-ftrivial-auto-var-init=pattern" "-fPIE" -) - -gcc_machine="$(gcc -dumpmachine)" -if [ "${gcc_machine}" = 'x86_64-linux-gnu' ]; then - gcc_hardening_options+=( '-fcf-protection=full' ) -elif [ "${gcc_machine}" = 'aarch64-linux-gnu' ]; then - 
gcc_hardening_options+=( '-mbranch-protection=standard' ) -fi - -gcc_hardening_options+=( - "-Wl,-z,nodlopen" "-Wl,-z,noexecstack" "-Wl,-z,relro" "-Wl,-z,now" - "-Wl,--as-needed" "-Wl,--no-copy-dt-needed-entries" "-pie" -) - -## Read emergency shutdown key configuration -for config_file in /etc/security-misc/emerg-shutdown/*.conf /usr/local/etc/security-misc/emerg-shutdown/*.conf; do - if [ -f "${config_file}" ]; then - bash -n "${config_file}" - source "${config_file}" - fi -done - -if [ "${in_dracut}" = 'true' ]; then - binary_prefix='' - modprobe evdev || { - printf '%s\n' 'Failed to load evdev driver!' - exit 1 - } - ## modules may not work immediately after loaded, give them time to - ## initialize - sleep 0.1 -else - ## Find the devices that make up the root device - readarray -t root_devices < <(/usr/libexec/helper-scripts/get-backing-devices-for-mountpoint '/') || true; - - ## Build the actual emerg-shutdown executable - if [ ! -f '/run/emerg-shutdown' ]; then - gcc \ - -g \ - /usr/src/security-misc/emerg-shutdown.c \ - -o \ - /run/emerg-shutdown \ - -static \ - "${gcc_hardening_options[@]}" \ - || { - printf "%s\n" 'Could not compile force-shutdown executable!' - exit 1 - } - fi - - ## memlockd daemonizes itself, so no need to background it. - memlockd -c /usr/share/security-misc/security-misc-memlockd.cfg || true -fi - -systemd-notify --ready - -## Launch emerg-shutdown -IFS=',' -"${binary_prefix}/emerg-shutdown" "--devices=${root_devices[*]}" "--keys=${EMERG_SHUTDOWN_KEYS}" diff --git a/usr/libexec/security-misc/ensure-shutdown#security-misc-shared b/usr/libexec/security-misc/ensure-shutdown#security-misc-shared deleted file mode 100755 index 85ab31d..0000000 --- a/usr/libexec/security-misc/ensure-shutdown#security-misc-shared +++ /dev/null 
@@ -1,31 +0,0 @@ -#!/bin/bash - -# Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC -# See the file COPYING for copying conditions. - -set -o errexit -set -o nounset -set -o errtrace -set -o pipefail - -source /usr/libexec/helper-scripts/strings.bsh - -## Make sure globs sort in a predictable, reproducible fashion -export LC_ALL=C - -## Read emergency shutdown key configuration -for config_file in /etc/security-misc/emerg-shutdown/*.conf /usr/local/etc/security-misc/emerg-shutdown/*.conf; do - if [ -f "${config_file}" ]; then - bash -n "${config_file}" - source "${config_file}" - fi -done -if [ -z "${ENSURE_SHUTDOWN_TIMEOUT}" ] \ - || ! is_whole_number "${ENSURE_SHUTDOWN_TIMEOUT}"; then - ENSURE_SHUTDOWN_TIMEOUT=30; -fi - -/run/emerg-shutdown --monitor-fifo "--timeout=${ENSURE_SHUTDOWN_TIMEOUT}" & -sleep 1 -disown -exit 0 diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info new file mode 100755 index 0000000..59850ae --- /dev/null +++ b/usr/libexec/security-misc/hide-hardware-info 
@@ -0,0 +1,96 @@ +#!/bin/bash + +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +set -e + +sysfs_whitelist=1 +cpuinfo_whitelist=1 + +## https://www.whonix.org/wiki/Security-misc#selinux +selinux=1 + +shopt -s nullglob + +## Allows for disabling the whitelist. +for i in /etc/hide-hardware-info.d/*.conf +do + bash -n "${i}" + source "${i}" +done + +create_whitelist() { + if [ "${1}" = "sysfs" ]; then + whitelist_path="/sys" + elif [ "${1}" = "cpuinfo" ]; then + whitelist_path="/proc/cpuinfo" + else + echo "ERROR: ${1} is not a correct parameter." + exit 1 + fi + + if grep -q "${1}" /etc/group; then + ## Changing the permissions of /sys recursively + ## causes errors as the permissions of /sys/kernel/debug + ## and /sys/fs/cgroup cannot be changed. + chgrp -fR "${1}" "${whitelist_path}" || true + + chmod o-rwx "${whitelist_path}" + else + echo "ERROR: The ${1} group does not exist, the ${1} whitelist was not created." + fi +} + +## sysfs and debugfs expose a lot of information +## that should not be accessible by an unprivileged +## user which includes hardware info, debug info and +## more. This restricts /sys, /proc/cpuinfo, /proc/bus +## and /proc/scsi to the root user only. This hides +## many hardware identifiers from ordinary users +## and increases security. +for i in /proc/cpuinfo /proc/bus /proc/scsi /sys +do + if [ -e "${i}" ]; then + if [ "${i}" = "/sys" ]; then + ## Whitelist for /sys. + if [ "${sysfs_whitelist}" = "1" ]; then + create_whitelist sysfs + else + chmod og-rwx /sys + echo "INFO: The sysfs whitelist is not enabled. Some things may not work properly." + fi + elif [ "${i}" = "/proc/cpuinfo" ]; then + ## Whitelist for /proc/cpuinfo. + if [ "${cpuinfo_whitelist}" = "1" ]; then + create_whitelist cpuinfo + else + chmod og-rwx /proc/cpuinfo + echo "INFO: The cpuinfo whitelist is not enabled. Some things may not work properly." 
+ fi + else + chmod og-rwx "${i}" + fi + else + ## /proc/scsi doesn't exist on Debian so errors + ## are expected here. + if ! [ "${i}" = "/proc/scsi" ]; then + echo "ERROR: ${i} could not be found." + fi + fi +done + +## https://www.whonix.org/wiki/Security-misc#selinux +## +## on SELinux systems, at least /sys/fs/selinux +## must be visible to unprivileged users, else +## SELinux userspace utilities will not function +## properly +if [ -d /sys/fs/selinux ]; then + if [ "${selinux}" = "1" ]; then + chmod o+rx /sys /sys/fs /sys/fs/selinux + echo "INFO: SELinux mode enabled. Restrictions loosened slightly in order to allow userspace utilities to function." + else + echo "INFO: SELinux detected, but SELinux mode is not enabled. Some userspace utilities may not work properly." + fi +fi diff --git a/usr/libexec/security-misc/hide-hardware-info#security-misc-shared b/usr/libexec/security-misc/hide-hardware-info#security-misc-shared deleted file mode 100755 index acf24ef..0000000 --- a/usr/libexec/security-misc/hide-hardware-info#security-misc-shared +++ /dev/null 
@@ -1,138 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -set -o errexit -set -o nounset -set -o errtrace -set -o pipefail -shopt -s nullglob - -run_cmd() { - echo "INFO: normal executing : $@" - "$@" -} - -run_cmd_whitelist() { - echo "INFO: whitelist executing: $@" - "$@" -} - -echo "$0: INFO: START" - -default_variables_set() { - sysfs_whitelist=1 - cpuinfo_whitelist=1 - sysfs=1 - ## https://www.kicksecure.com/wiki/Security-misc#selinux - selinux=0 -} - -parse_configuration() { - ## Allows for disabling the whitelist. - local i - for i in /usr/local/etc/hide-hardware-info.d/*.conf /etc/hide-hardware-info.d/*.conf ; do - bash -n "${i}" - source "${i}" - done -} - -create_whitelist() { - if [ "${1}" = "sysfs" ]; then - whitelist_path="/sys" - elif [ "${1}" = "cpuinfo" ]; then - whitelist_path="/proc/cpuinfo" - else - echo "ERROR: ${1} is not a correct parameter." - exit 1 - fi - - if grep -q "${1}" /etc/group; then - ## Changing the permissions of /sys recursively - ## causes errors as the permissions of /sys/kernel/debug - ## and /sys/fs/cgroup cannot be changed. - run_cmd_whitelist chgrp --quiet --recursive "${1}" "${whitelist_path}" || true - - run_cmd_whitelist chmod o-rwx "${whitelist_path}" - else - echo "ERROR: The ${1} group does not exist, the ${1} whitelist was not created." - fi -} - -default_variables_set -parse_configuration - -## sysfs and debugfs expose a lot of information -## that should not be accessible by an unprivileged -## user which includes hardware info, debug info and -## more. This restricts /sys, /proc/cpuinfo, /proc/bus -## and /proc/scsi to the root user only. This hides -## many hardware identifiers from ordinary users -## and increases security. -for i in /proc/cpuinfo /proc/bus /proc/scsi /sys ; do - if [ -e "${i}" ]; then - if [ "${i}" = "/sys" ]; then - if [ "${sysfs}" = "1" ]; then - ## Whitelist for /sys. 
- if [ "${sysfs_whitelist}" = "1" ]; then - create_whitelist sysfs - else - echo "INFO: The sysfs whitelist is not enabled. Some things may not work properly. Full sysfs hardening..." - run_cmd chmod og-rwx /sys - fi - fi - elif [ "${i}" = "/proc/cpuinfo" ]; then - if [ "${cpuinfo_whitelist}" = "1" ]; then - create_whitelist cpuinfo - else - echo "INFO: The cpuinfo whitelist is not enabled. Some things may not work properly. Full cpuinfo hardening..." - run_cmd chmod og-rwx /proc/cpuinfo - fi - else - run_cmd chmod og-rwx "${i}" - fi - else - ## /proc/scsi doesn't exist on Debian so errors - ## are expected here. - if ! [ "${i}" = "/proc/scsi" ]; then - echo "ERROR: ${i} could not be found." - fi - fi -done - - -if [ "${sysfs}" = "1" ]; then - ## restrict permissions on everything but - ## what is needed - for i in /sys/* /sys/fs/* ; do - ## Using '|| true': - ## https://github.com/Kicksecure/security-misc/pull/108 - if [ "${sysfs_whitelist}" = "1" ]; then - run_cmd chmod o-rwx "${i}" || true - else - run_cmd chmod og-rwx "${i}" || true - fi - done - - ## polkit needs stat access to /sys/fs/cgroup - ## to function properly - run_cmd chmod o+rx /sys /sys/fs - - ## on SELinux systems, at least /sys/fs/selinux - ## must be visible to unprivileged users, else - ## SELinux userspace utilities will not function - ## properly - if [ -d /sys/fs/selinux ]; then - echo "INFO: SELinux detected because folder /sys/fs/selinux exists. See also:" - echo "https://www.kicksecure.com/wiki/Security-misc#selinux" - if [ "${selinux}" = "1" ]; then - run_cmd chmod o+rx /sys /sys/fs /sys/fs/selinux - echo "INFO: SELinux mode enabled. Restrictions loosened slightly in order to allow userspace utilities to function." - else - echo "INFO: SELinux detected, but SELinux mode is not enabled. Some userspace utilities may not work properly." - fi - fi -fi - -echo "$0: INFO: END" 
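Review bot: In the added usr/libexec/security-misc/apt-get-update, `trap "sigterm_trap" SIGTERM SIGINT` routes both signals to a handler that always sends SIGTERM to the child and always exits 143, so an interrupt is reported to callers as a termination. If callers need to tell the two apart, pass the received signal into the handler and exit with the matching code. The `ps -p "$lastpid"` probe followed by a `$?` test can be replaced with `if ! kill -0 "$lastpid" 2>/dev/null`, which avoids the extra process.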
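Review bot: The added usr/libexec/security-misc/apt-get-update-sanity-test has no comment explaining what the `$1 > 1024` line-length limit on the *InRelease files is meant to catch, and when no InRelease file exists the unmatched glob is passed to `wc -L` literally, so `set -e` aborts with a wc error that reads like a failed check. Add a comment stating the purpose of the limit, and handle the empty case explicitly, for example with `shopt -s nullglob` plus an early exit when nothing matches.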
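Review bot: In create_whitelist of the added usr/libexec/security-misc/hide-hardware-info, `grep -q "${1}" /etc/group` is an unanchored substring match, so any /etc/group line that merely contains sysfs or cpuinfo (a longer group name, or a member name) passes the existence check. The script then runs `chgrp -fR ... || true`, which hides the failure, and goes on to `chmod o-rwx` the path anyway. Match the group name exactly, for example with `getent group "${1}"` or a pattern anchored as `^${1}:`.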
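Review bot: Replacing this deleted hide-hardware-info#security-misc-shared with the added hide-hardware-info flips the default from `selinux=0` to `selinux=1`, so `chmod o+rx /sys /sys/fs /sys/fs/selinux` now runs wherever /sys/fs/selinux exists and re-grants the access that `chmod o-rwx /sys` removed a few lines earlier. The replacement also reads only /etc/hide-hardware-info.d/*.conf, uses plain `set -e` where this version had errexit, nounset, errtrace and pipefail, and has no per-entry loop over /sys/* and /sys/fs/*. If these regressions are intended, state that in the commit message and keep the SELinux loosening opt-in.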
diff --git a/usr/libexec/security-misc/kill-vboxdrmclient-on-shutdown#security-misc-shared b/usr/libexec/security-misc/kill-vboxdrmclient-on-shutdown#security-misc-shared deleted file mode 100755 index 677dc90..0000000 --- a/usr/libexec/security-misc/kill-vboxdrmclient-on-shutdown#security-misc-shared +++ /dev/null @@ -1,29 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC -## See file COPYING for copying conditions. - -set -o errexit -set -o nounset -set -o errtrace -set -o pipefail - -vboxdrmclient_sock='/tmp/.iprt-localipc-DRMIpcServer' - -if ! [ -S "$vboxdrmclient_sock" ]; then - printf '%s\n' "INFO: Socket file '$vboxdrmclient_sock' does not exist or is not a socket, ok." - exit 0 -fi - -sock_pid="$(/usr/libexec/helper-scripts/query-sock-pid "$vboxdrmclient_sock")" || true -if [ -z "$sock_pid" ]; then - printf '%s\n' "INFO: Cannot get PID listening on '$vboxdrmclient_sock', ok." - exit 0 -fi -if kill -SIGKILL -- "$sock_pid"; then - printf '%s\n' "INFO: Killed VBoxDRMClient ('$sock_pid'), ok." - exit 0 -fi - -printf '%s\n' "ERROR: Could not kill VBoxDRMClient ('$sock_pid')!" -exit 1 diff --git a/usr/libexec/security-misc/mmap-rnd-bits#security-misc-shared b/usr/libexec/security-misc/mmap-rnd-bits#security-misc-shared deleted file mode 100755 index 25745c2..0000000 --- a/usr/libexec/security-misc/mmap-rnd-bits#security-misc-shared +++ /dev/null 
@@ -1,81 +0,0 @@ -#!/usr/bin/env bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## This script enforces the maximum ASLR hardening settings for mmap, given the -## installed Linux config. -## See also: -## https://forums.whonix.org/t/automate-mmap-randomisation-to-fix-ppc64el/16514 - -set -euo pipefail -shopt -s failglob - -more_info_link="https://forums.whonix.org/t/automate-mmap-randomisation-to-fix-ppc64el/16514" -aslr_mmap_config_file="/etc/sysctl.d/30_security-misc_aslr-mmap.conf" - -exit_with_error() { - echo "$0: SEE ALSO:" >&2 - echo "" >&2 - echo "$more_info_link" >&2 - exit 1 -} - -if ! test -d /etc/sysctl.d ; then - echo "$0: ERROR: Folder /etc/sysctl.d does not exist!" >&2 - exit_with_error -fi - -if ! test -w /etc/sysctl.d ; then - echo "$0: ERROR: Folder /etc/sysctl.d not writeable! This script is supposed to be run as root." >&2 - exit_with_error -fi - -## Defaults in case Linux config detection fails. These are likely to work fine -## on x86_64, probably not elsewhere. -BITS_MAX_DEFAULT=32 -COMPAT_BITS_MAX_DEFAULT=16 - -## Find the most recently modified Linux config file. -if compgen -G "/boot/config-*" > /dev/null && CONFIG=$(ls -1 -t /boot/config-* | head -n 1) ; then - ## Find the relevant config options. - if ! BITS_MAX=$(grep -E '^CONFIG_ARCH_MMAP_RND_BITS_MAX=[0-9]+$' "${CONFIG}" | cut -d "=" -f 2) ; then - echo "$0: ERROR: Error detecting CONFIG_ARCH_MMAP_RND_BITS_MAX! Using built-in default." >&2 - BITS_MAX="${BITS_MAX_DEFAULT}" - fi - if ! COMPAT_BITS_MAX=$(grep -E '^CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=[0-9]+$' "${CONFIG}" | cut -d "=" -f 2) ; then - echo "$0: ERROR: Error detecting CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX! Using built-in default." >&2 - COMPAT_BITS_MAX="${COMPAT_BITS_MAX_DEFAULT}" - fi -else - ## Could be a chroot. - echo "$0: INFO: No Linux config file detected in folder /boot/ (starting with 'config-'). Therefore using built-in defaults." 
>&2 - BITS_MAX="${BITS_MAX_DEFAULT}" - COMPAT_BITS_MAX="${COMPAT_BITS_MAX_DEFAULT}" -fi - -## Generate a sysctl.d conf file. -SYSCTL="\ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## This file is automatically generated by: -## $0 -## Do not edit! -## See also: -## $more_info_link - -## Improves ASLR effectiveness for mmap. -vm.mmap_rnd_bits=${BITS_MAX} -vm.mmap_rnd_compat_bits=${COMPAT_BITS_MAX}" - -## Write the sysctl.d conf file. -if echo "${SYSCTL}" | tee "$aslr_mmap_config_file" > /dev/null ; then - echo "$0: INFO: Successfully written ASLR map config file: -$aslr_mmap_config_file" - exit 0 -fi - -echo "$0: ERROR: Error writing ASLR map config file: -$aslr_mmap_config_file" >&2 -exit_with_error diff --git a/usr/libexec/security-misc/pam-abort-on-locked-password#security-misc-shared b/usr/libexec/security-misc/pam-abort-on-locked-password similarity index 83% rename from usr/libexec/security-misc/pam-abort-on-locked-password#security-misc-shared rename to usr/libexec/security-misc/pam-abort-on-locked-password index 35c2dd4..1fc8013 100755 --- a/usr/libexec/security-misc/pam-abort-on-locked-password#security-misc-shared +++ b/usr/libexec/security-misc/pam-abort-on-locked-password 
@@ -1,23 +1,23 @@ #!/bin/bash -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## This is only a usability feature to avoid needlessly bumping pam_faillock ## counter. This is not a security feature. ## https://forums.whonix.org/t/restrict-root-access/7658/1 -passwd_bin="$(type -P -- "passwd")" +passwd_bin="$(type -P "passwd")" if ! test -x "$passwd_bin" ; then echo "\ $0: ERROR: passwd_bin \"$passwd_bin\" is not executable. -See https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#passwd" >&2 +See https://www.whonix.org/wiki/SUID_Disabler_and_Permission_Hardener#passwd" >&2 ## Identifiable exit codes in case stdout / stderr is not logged in journal. exit 2 fi -if ! passwd_output="$("$passwd_bin" -S -- "$PAM_USER" 2>/dev/null)" ; then +if ! passwd_output="$("$passwd_bin" -S "$PAM_USER" 2>/dev/null)" ; then echo "$0: ERROR: user \"$PAM_USER\" does not exist." >&2 exit 3 fi @@ -34,7 +34,7 @@ elif [ "$password_status_field" = "L" ]; then if [ -f /usr/share/whonix/marker ] || [ -f /usr/share/kicksecure/marker ]; then if [ "$PAM_USER" = "root" ]; then echo "$0: ERROR: root account is locked by default. See:" >&2 - echo "https://www.kicksecure.com/wiki/root" >&2 + echo "https://www.whonix.org/wiki/root" >&2 echo "" >&2 exit 4 fi diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info new file mode 100755 index 0000000..eef5733 --- /dev/null +++ b/usr/libexec/security-misc/pam-info 
@@ -0,0 +1,154 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +grep_result="$(grep "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)" + +## Check if grep matched something. +if [ ! "$grep_result" = "" ]; then + ## Yes, grep matched. + + ## Check if not out commented. + if ! echo "$grep_result" | grep -q "#" ; then + ## Not out commented indeed. + + ## https://forums.whonix.org/t/etc-security-hardening-console-lockdown/8592 + + if id --name --groups --zero "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings "console"; then + console_allowed=true + fi + if id --name --groups --zero "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings "console-unrestricted"; then + console_allowed=true + fi + + if [ ! "$console_allowed" = "true" ]; then + echo "$0: ERROR: PAM_USER: '$PAM_USER' is not a member of group 'console'" >&2 + echo "$0: To unlock, run the following command as superuser:" >&2 + echo "$0: (If you still have a sudo/root shell somewhere.)" >&2 + echo "" >&2 + echo "addgroup $PAM_USER console" >&2 + echo "" >&2 + echo "$0: However, possibly unlock procedure is required." >&2 + echo "$0: First boot into recovery mode at grub boot menu and then run above command." >&2 + echo "$0: See also:" >&2 + echo "https://www.whonix.org/wiki/root#console" >&2 + echo "" >&2 + exit 0 + fi + fi +fi + +## https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698 + +if [ ! "$(id -u)" = "0" ]; then + ## as user "user" + ## /usr/sbin/faillock -u user + ## faillock: Error opening /var/log/tallylog for update: Permission denied + ## /usr/sbin/faillock: Authentication error + ## + ## xscreensaver runs as user "user", therefore pam_faillock cannot function. + ## xscreensaver has its own failed login counter. 
+ ## + ## https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts + ## + ## https://www.whonix.org/pipermail/whonix-devel/2019-September/001439.html + ## TODO: echo -> true + echo "$0: not started as root, exiting." + exit 0 +fi + +## Does not work (yet) for login, pam_securetty runs before and aborts. +## Also this should only run for login since securetty covers only login. +# if [ "$PAM_USER" = "root" ]; then +# if [ -f /etc/securetty ]; then +# grep_result="$(grep "^[^#]" /etc/securetty)" +# if [ "$grep_result" = "" ]; then +# echo "$0: ERROR: Root login is disabled." >&2 +# echo "$0: ERROR: This is because /etc/securetty is empty." >&2 +# echo "$0: See also:" >&2 +# echo "https://www.whonix.org/wiki/root#login" >&2 +# echo "" >&2 +# exit 0 +# fi +# fi +# fi + +## Using || true to not break read-only disk boot without ro-mode-init or grub-live. +pam_faillock_output="$(faillock --user "$PAM_USER")" || true + +if [ "$pam_faillock_output" = "" ]; then + true "$0: no failed login" + exit 0 +fi + +## Example: +## user: +## When Type Source Valid +## 2021-08-10 16:26:33 RHOST V +## 2021-08-10 16:26:54 RHOST V + +pam_faillock_output_first_line="$(echo "$pam_faillock_output" | head -1)" +user_name="$(echo "$pam_faillock_output_first_line" | LANG=C str_replace ":" "")" + +pam_faillock_output_count="$(echo "$pam_faillock_output" | wc -l)" + +failed_login_counter=$(( pam_faillock_output_count - 2 )) + +if [ ! "$PAM_USER" = "$user_name" ]; then + echo "$0: ERROR: PAM_USER: '$PAM_USER' does not equal user_name: '$user_name'." >&2 + echo "$0: ERROR: Please report this bug." >&2 + echo "" >&2 + exit 0 +fi + +if [ "$failed_login_counter" = "0" ]; then + true "$0: INFO: Failed login counter is 0, ok." 
+ exit 0 +fi + +## pam_faillock default +deny=3 + +if test -f /etc/security/faillock.conf ; then + deny_line=$(grep --invert-match "#" /etc/security/faillock.conf | grep "deny =") + deny="$(echo "$deny_line" | LANG=C str_replace "=" "" | LANG=C str_replace "deny" "" | LANG=C str_replace " " "")" + ## Example: + #deny=50 +fi + +if [[ "$deny" == *[!0-9]* ]]; then + echo "$0: ERROR: deny is not numeric. deny: '$deny'" >&2 + echo "$0: ERROR: Please report this bug." >&2 + echo "" >&2 + exit 0 +fi + +remaining_attempts="$(( $deny - $failed_login_counter ))" + +if [ "$remaining_attempts" -le "0" ]; then + echo "$0: ERROR: Login blocked after $failed_login_counter attempts." >&2 + echo "$0: To unlock, run the following command as superuser:" >&2 + echo "$0: (If you still have a sudo/root shell somewhere.)" >&2 + echo "" >&2 + echo "faillock --reset --user $PAM_USER" >&2 + echo "" >&2 + echo "$0: However, most likely unlock procedure is required." >&2 + echo "$0: First boot into recovery mode at grub boot menu and then run above command." >&2 + echo "$0: See also:" >&2 + echo "https://www.whonix.org/wiki/root#unlock" >&2 + echo "" >&2 + exit 0 +fi + +echo "$0: WARNING: $failed_login_counter failed login attempts." >&2 +echo "$0: Login will be blocked after $deny attempts." >&2 +echo "$0: You have $remaining_attempts more attempts before unlock procedure is required." >&2 +echo "" >&2 + +if [ "$PAM_SERVICE" = "su" ]; then + echo "$0: NOTE: Type the password. When entering the password, no password feedback (no asterisk (\"*\") symbol) will be shown." >&2 + echo "" >&2 +fi + +exit 0 diff --git a/usr/libexec/security-misc/pam-info#security-misc-shared b/usr/libexec/security-misc/pam-info#security-misc-shared deleted file mode 100755 index 322f147..0000000 --- a/usr/libexec/security-misc/pam-info#security-misc-shared +++ /dev/null 
@@ -1,287 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## To enable debug log, run: -## sudo touch /etc/pam-info-debug -## -## Debug log if enabled can be found in file: -## /root/pam-info-debug.txt - -true "$0: START PHASE 1" - -if test -f /etc/pam-info-debug || test -f /usr/local/etc/pam-info-debug ; then - set -x - exec 5>&1 1>> ~/pam-info-debug.txt - exec 6>&2 2>> ~/pam-info-debug.txt -fi - -true "$0: START PHASE 2" - -set -o errexit -set -o errtrace -set -o pipefail -set -o nounset - -error_handler() { - exit_code="$?" - printf '%s\n' "\ -$0: ERROR: Unexpected error. -BASH_COMMAND: '$BASH_COMMAND' -exit_code: '$exit_code' -ERROR: Please report this bug." >&2 - exit 1 -} - -trap error_handler ERR - -if ! printf '%s\n' "" | wc -l >/dev/null ; then - printf '%s\n' "\ -$0: ERROR: command 'wc' test failed! Do not ignore this! - -'wc' can core dump. Example: -zsh: illegal hardware instruction (core dumped) wc -l -https://github.com/rspamd/rspamd/issues/5137" >&2 - exit 1 -fi - -command -v str_replace &>/dev/null - -## Named constants. -pam_faillock_state_dir="/var/lib/security-misc/faillock" - -[[ -v PAM_USER ]] || PAM_USER="" -[[ -v SUDO_USER ]] || SUDO_USER="" - -## Debugging. -who_ami="$(whoami)" -true "$0: who_ami: $who_ami" -true "$0: PAM_USER: $PAM_USER" -true "$0: SUDO_USER: $SUDO_USER" - -if [ "$PAM_USER" = "" ]; then - true "$0: ERROR: Environment variable PAM_USER is unset!" - exit 0 -fi - -grep_result="$(grep -- "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)" || true - -## Check if grep matched something. -if [ ! "$grep_result" = "" ]; then - ## Yes, grep matched. - - ## Check if not out commented. - if ! printf '%s\n' "$grep_result" | grep --quiet -- "#" ; then - ## Not out commented indeed. 
- - ## https://forums.whonix.org/t/etc-security-hardening-console-lockdown/8592 - - console_allowed="" - if id --name --groups --zero -- "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings -- "console"; then - console_allowed=true - fi - if id --name --groups --zero -- "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings -- "console-unrestricted"; then - console_allowed=true - fi - - if [ ! "$console_allowed" = "true" ]; then - printf '%s\n' "\ -$0: ERROR: PAM_USER: '$PAM_USER' is not a member of group 'console' -To unlock, run the following command as superuser: -(If you still have a sudo/root shell somewhere.) - -adduser $PAM_USER console - -However, possibly unlock procedure is required. -First boot into recovery mode at grub boot menu and then run above command. -See also: -https://www.kicksecure.com/wiki/root#console -" >&2 - exit 0 - fi - fi -fi - -if [ "$PAM_USER" = 'sysmaint' ]; then - sysmaint_passwd_info="$(passwd --status sysmaint 2>/dev/null)" || true - sysmaint_lock_info="$(cut -d' ' -f2 <<< "${sysmaint_passwd_info}")" - if [ "${sysmaint_lock_info}" = 'L' ]; then - printf '%s\n' "$0: ERROR: Reboot and choose 'PERSISTENT Mode - SYSMAINT Session' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint" >&2 - fi -fi - -kernel_cmdline='' -if [ -f /proc/cmdline ]; then - kernel_cmdline="$(cat -- /proc/cmdline)" || true -elif [ -f /proc/1/cmdline ]; then - kernel_cmdline="$(cat -- /proc/1/cmdline)" || true -fi - -if [ "$PAM_USER" != 'sysmaint' ]; then - if [[ "${kernel_cmdline}" =~ 'boot-role=sysmaint' ]]; then - printf '%s\n' "$0: WARNING: Use account 'sysmaint' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint" >&2 - fi -fi - -## https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698 - -## Does not work (yet) for login, pam_securetty runs before and aborts. 
-## Also this should only run for login since securetty covers only login. -# if [ "$PAM_USER" = "root" ]; then -# if [ -f /etc/securetty ]; then -# grep_result="$(grep -- "^[^#]" /etc/securetty)" -# if [ "$grep_result" = "" ]; then -# printf '%s\n' "\ -# $0: ERROR: Root login is disabled. -# ERROR: This is because file '/etc/securetty' is empty. -# See also: -# https://www.kicksecure.com/wiki/root#login -# " >&2 -# exit 0 -# fi -# fi -# fi - -## under account "user" -## /usr/sbin/faillock -u user -## faillock: Error opening /var/log/tallylog for update: Permission denied -## /usr/sbin/faillock: Authentication error -## -## xscreensaver runs under account "user", therefore pam_faillock cannot function. -## xscreensaver has its own failed login counter. -## -## https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts -## -## https://web.archive.org/web/20200919221439/https://www.whonix.org/pipermail/whonix-devel/2019-September/001439.html -## -## Checking exit code to avoid breaking when read-only disk boot but -## without ro-mode-init or grub-live being used. -## -## end-of-options ("--") unsupported by faillock. -if ! pam_faillock_output="$(faillock --dir "$pam_faillock_state_dir" --user "$PAM_USER")" ; then - true "$0: faillock non-zero exit code." - exit 0 -fi - -if [ "$pam_faillock_output" = "" ]; then - true "$0: no failed login" - exit 0 -fi - -## example pam_faillock_output (stdout): -## user: -## When Type Source Valid -## 2021-08-10 16:26:33 RHOST V -## 2021-08-10 16:26:54 RHOST V - -## example pam_faillock_output (stderr): -## faillock: No user name supplied. -## Usage: faillock [--dir /path/to/tally-directory] [--user username] [--reset] - -## Get first line. 
-#pam_faillock_output_first_line="$(printf '%s\n' "$pam_faillock_output" | head --lines=1)" -while read -t 10 -r pam_faillock_output_first_line ; do - break -done <<< "$pam_faillock_output" - -true "pam_faillock_output_first_line: '$pam_faillock_output_first_line'" -## example pam_faillock_output_first_line: -## user: - -user_name="$(printf '%s\n' "$pam_faillock_output_first_line" | str_replace ":" "")" -## example user_name: -## user -## root - -if [ "$PAM_USER" != "$user_name" ]; then - printf '%s\n' "\ -$0: ERROR: Variable 'PAM_USER' '$PAM_USER' does not match variable 'user_name' '$user_name'. -ERROR: Please report this bug. -" >&2 - exit 1 -fi - -pam_faillock_output_count="$(printf '%s\n' "$pam_faillock_output" | wc -l)" -## example pam_faillock_output_count: -## 2 -## example pam_faillock_output_count: -## 4 - -if [[ "$pam_faillock_output_count" == *[!0-9]* ]]; then - printf '%s\n' "\ -$0: ERROR: Variable 'pam_faillock_output_count' is not numeric. pam_faillock_output_count: '$pam_faillock_output_count' -ERROR: Please report this bug. -" >&2 - exit 0 -fi - -## Do not count the first two informational textual output lines (starting with "user:" and "When") if present, -failed_login_counter=$(( pam_faillock_output_count - 2 )) - -## example failed_login_counter: -## 2 - -## Ensuring failed_login_counter is not set to a negative value. -## https://github.com/Kicksecure/security-misc/pull/305 -if [ "$failed_login_counter" -lt "0" ]; then - true "$0: WARNING: Failed login counter is negative. Resetting to 0." - failed_login_counter=0 -fi - -if [ "$failed_login_counter" = "0" ]; then - true "$0: INFO: Failed login counter is 0, ok." - exit 0 -fi - -## pam_faillock default if it cannot be determined below. 
-deny=3 - -if test -f /etc/security/faillock.conf ; then - deny_line=$(grep --invert-match "#" -- /etc/security/faillock.conf | grep -- "deny =") || true - deny="$(printf '%s\n' "$deny_line" | str_replace "=" "" | str_replace "deny" "" | str_replace " " "")" - ## Example: - #deny=50 -fi - -if [[ "$deny" == *[!0-9]* ]]; then - printf '%s\n' "\ -$0: ERROR: Variable 'deny' is not numeric. deny: '$deny' -ERROR: Please report this bug. -" >&2 - exit 0 -fi - -remaining_attempts="$(( deny - failed_login_counter ))" - -if [ "$remaining_attempts" -le "0" ]; then - printf '%s\n' "\ -$0: ERROR: Login blocked after $failed_login_counter attempts. -To unlock, run the following command as superuser: -(If you still have a sudo/root shell somewhere.) - -faillock --dir $pam_faillock_state_dir --reset --user $PAM_USER - -However, most likely unlock procedure is required. -First boot into recovery mode at grub boot menu and then run above command. -See also: -https://www.kicksecure.com/wiki/root#unlock -" >&2 - exit 0 -fi - -printf '%s\n' "\ -$0: WARNING: $failed_login_counter failed login attempts for account '$user_name'. -Login will be blocked after $deny attempts. -You have $remaining_attempts more attempts before unlock procedure is required. -" >&2 - -if [ "$PAM_SERVICE" = "su" ]; then - printf '%s\n' "\ -$0: NOTE: Type the password. When entering the password, no password feedback (no asterisk (\"*\") symbol) will be shown. -" >&2 -fi - -true "$0: END" - -exit 0 diff --git a/usr/libexec/security-misc/pam_faillock_not_if_x#security-misc-shared b/usr/libexec/security-misc/pam_faillock_not_if_x similarity index 94% rename from usr/libexec/security-misc/pam_faillock_not_if_x#security-misc-shared rename to usr/libexec/security-misc/pam_faillock_not_if_x index 433dca8..26cbc43 100755 --- a/usr/libexec/security-misc/pam_faillock_not_if_x#security-misc-shared +++ b/usr/libexec/security-misc/pam_faillock_not_if_x 
@@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://serverfault.com/questions/134471/success-n-control-syntax-in-pam-conf-pam-d-files diff --git a/usr/libexec/security-misc/pam_only_if_login#security-misc-shared b/usr/libexec/security-misc/pam_only_if_login similarity index 87% rename from usr/libexec/security-misc/pam_only_if_login#security-misc-shared rename to usr/libexec/security-misc/pam_only_if_login index 568f037..489e044 100755 --- a/usr/libexec/security-misc/pam_only_if_login#security-misc-shared +++ b/usr/libexec/security-misc/pam_only_if_login @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://serverfault.com/questions/134471/success-n-control-syntax-in-pam-conf-pam-d-files diff --git a/usr/libexec/security-misc/pam_only_if_su#security-misc-shared b/usr/libexec/security-misc/pam_only_if_su#security-misc-shared deleted file mode 100755 index 604510f..0000000 --- a/usr/libexec/security-misc/pam_only_if_su#security-misc-shared +++ /dev/null @@ -1,17 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Similar to: -## /usr/libexec/security-misc/pam_only_if_login - -set -x - -true "PAM_SERVICE: $PAM_SERVICE" - -if [ "$PAM_SERVICE" = "su" ]; then - exit 1 -else - exit 0 -fi diff --git a/usr/libexec/security-misc/panic-on-oops b/usr/libexec/security-misc/panic-on-oops new file mode 100755 index 0000000..c0c001b --- /dev/null +++ b/usr/libexec/security-misc/panic-on-oops 
@@ -0,0 +1,18 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +set -e + +if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then + ## pre.bsh would `source` the following folders: + ## /etc/panic-on-oops_pre.d/*.conf + ## /usr/local/etc/panic-on-oops_pre.d/*.conf + source /usr/libexec/helper-scripts/pre.bsh +fi + +## Makes the kernel panic on oopses. This prevents the kernel +## from continuing to run a flawed processes. Many kernel exploits +## will also cause an oops which this will make the kernel kill. +sysctl kernel.panic_on_oops=1 diff --git a/usr/libexec/security-misc/panic-on-oops#security-misc-shared b/usr/libexec/security-misc/panic-on-oops#security-misc-shared deleted file mode 100755 index ca8a0ce..0000000 --- a/usr/libexec/security-misc/panic-on-oops#security-misc-shared +++ /dev/null 
@@ -1,34 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -set -e - -if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then - ## pre.bsh would `source` the following folders: - ## /etc/panic-on-oops_pre.d/*.conf - ## /usr/local/etc/panic-on-oops_pre.d/*.conf - source /usr/libexec/helper-scripts/pre.bsh -fi - -action="${1:-}" - -if [ "${action}" = 'enable' ]; then - ## Makes the kernel immediately panic on both oopses and warnings. - ## These settings force a full system crash rather than continuing - ## to run after an inconsistent state is triggered by a potentially - ## flawed processes. The reasons for the errors could be kernel - ## exploit attempts but may also simply be general software bugs. - ## - ## https://docs.kernel.org/admin-guide/sysctl/kernel.html#oops-limit - sysctl kernel.oops_limit=1 - ## https://docs.kernel.org/admin-guide/sysctl/kernel.html#warn-limit - sysctl kernel.warn_limit=1 -elif [ "${action}" = 'disable' ]; then - sysctl kernel.oops_limit=0 - sysctl kernel.warn_limit=0 -else - printf '%s\n' "ERROR: Unrecognized action '${action}'!" - exit 1 -fi diff --git a/usr/libexec/security-misc/permission-hardening b/usr/libexec/security-misc/permission-hardening new file mode 100755 index 0000000..33b4f27 --- /dev/null +++ b/usr/libexec/security-misc/permission-hardening 
@@ -0,0 +1,478 @@ +#!/bin/bash + +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## https://forums.whonix.org/t/disable-suid-binaries/7706 +## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707 + +## To view previous modes and how these were changed: +## meld /var/lib/permission-hardening/existing_mode/statoverride /var/lib/permission-hardening/new_mode/statoverride + +## To undo: +## sudo /usr/libexec/security-misc/permission-hardening-undo + +#set -x +set -e +set -o pipefail + +exit_code=0 + +mkdir -p /var/lib/permission-hardening/existing_mode +mkdir -p /var/lib/permission-hardening/new_mode +dpkg_admindir_parameter_existing_mode="--admindir /var/lib/permission-hardening/existing_mode" +dpkg_admindir_parameter_new_mode="--admindir /var/lib/permission-hardening/new_mode" + +echo_wrapper_ignore() { + echo "run: $@" + "$@" 2>/dev/null || true +} + +echo_wrapper_silent_ignore() { + #echo "run: $@" + "$@" 2>/dev/null || true +} + +echo_wrapper_audit() { + echo "run: $@" + return_code=0 + "$@" || \ + { \ + return_code="$?" ; \ + exit_code=203 ; \ + echo "ERROR: above command failed with exit code '$return_code'! calling function name: '${FUNCNAME[1]}'" >&2 ; \ + }; +} + +echo_wrapper_silent_audit() { + #echo "run (debugging): $@" + return_code=0 + "$@" || \ + { \ + return_code="$?" ; \ + exit_code=204 ; \ + echo "ERROR: above command '$@' failed with exit code '$return_code'! 
calling function name: '${FUNCNAME[1]}'" >&2 ; \ + }; +} + +sanity_tests() { + echo_wrapper_silent_audit which \ + capsh getcap setcap stat find dpkg-statoverride getent xargs grep 1>/dev/null +} + +add_nosuid_statoverride_entry() { + local fso_to_process + fso_to_process="$fso" + local should_be_counter + should_be_counter="$(find "$fso_to_process" -perm /u=s,g=s | wc -l)" || true + local counter_actual + counter_actual=0 + + local line + while read -r line; do + true "line: $line" + counter_actual="$(( counter_actual + 1 ))" + + local arr file_name existing_mode existing_owner existing_group + arr=($line) + file_name="${arr[0]}" + existing_mode="${arr[1]}" + existing_owner="${arr[2]}" + existing_group="${arr[3]}" + + if [ "$arr" = "" ]; then + echo "ERROR: arr is empty. line: '$line'" >&2 + continue + fi + if [ "$file_name" = "" ]; then + echo "ERROR: file_name is empty. line: '$line'" >&2 + continue + fi + if [ "$existing_mode" = "" ]; then + echo "ERROR: existing_mode is empty. line: '$line'" >&2 + continue + fi + if [ "$existing_owner" = "" ]; then + echo "ERROR: existing_owner is empty. line: '$line'" >&2 + continue + fi + if [ "$existing_group" = "" ]; then + echo "ERROR: existing_group is empty. line: '$line'" >&2 + continue + fi + + ## -h file True if file is a symbolic Link. + ## -u file True if file has its set-user-id bit set. + ## -g file True if file has its set-group-id bit set. 
+ + if test -h "$file_name" ; then + ## https://forums.whonix.org/t/disable-suid-binaries/7706/14 + true "skip symlink: $file_name" + continue + fi + + if test -d "$file_name" ; then + true "skip directory: $file_name" + continue + fi + + local setuid setuid_output setsgid setsgid_output + setuid="" + setuid_output="" + if test -u "$file_name" ; then + setuid=true + setuid_output="set-user-id" + fi + setsgid="" + setsgid_output="" + if test -g "$file_name" ; then + setsgid=true + setsgid_output="set-group-id" + fi + + local setuid_or_setsgid + setuid_or_setsgid="" + if [ "$setuid" = "true" ] || [ "$setsgid" = "true" ]; then + setuid_or_setsgid=true + fi + if [ "$setuid_or_setsgid" = "" ]; then + continue + fi + + ## Remove suid / gid and execute permission for 'group' and 'others'. + ## Similar to: chmod og-ugx /path/to/filename + ## Removing execution permission is useful to make binaries such as 'su' fail closed rather + ## than fail open if suid was removed from these. + ## Do not remove read access since no security benefit and easier to manually undo for users. + ## Are there suid or sgid binaries which are still useful if suid / sgid has been removed from these? + new_mode="744" + + local is_exact_whitelisted + is_exact_whitelisted="" + for white_list_entry in $exact_white_list ; do + if [ "$file_name" = "$white_list_entry" ]; then + is_exact_whitelisted="true" + ## Stop looping through the whitelist. + break + fi + done + + local is_match_whitelisted + is_match_whitelisted="" + for matchwhite_list_entry in $match_white_list ; do + if echo "$file_name" | grep -q "$matchwhite_list_entry" ; then + is_match_whitelisted="true" + ## Stop looping through the match_white_list. + break + fi + done + + local is_disable_whitelisted + is_disable_whitelisted="" + for disablematch_list_entry in $disable_white_list ; do + if echo "$file_name" | grep -q "$disablematch_list_entry" ; then + is_disable_whitelisted="true" + ## Stop looping through the disablewhitelist. 
+ break + fi + done + + if [ "$whitelists_disable_all" = "true" ]; then + true "INFO: whitelists_disable_all=true - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'" + elif [ "$is_disable_whitelisted" = "true" ]; then + echo "INFO: white list disabled - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'" + else + if [ "$is_exact_whitelisted" = "true" ]; then + echo "INFO: SKIP whitelisted - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'" + continue + fi + if [ "$is_match_whitelisted" = "true" ]; then + echo "INFO: SKIP matchwhitelisted - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | matchwhite_list_entry: '$matchwhite_list_entry'" + continue + fi + fi + + echo "INFO: $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | new_mode: '$new_mode'" + + if dpkg-statoverride $dpkg_admindir_parameter_existing_mode --list "$file_name" >/dev/null ; then + true "OK Existing mode already saved previously. No need to save again." + else + ## Save existing_mode in separate database. + ## Not using --update as not intending to enforce existing_mode. + echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_existing_mode --add "$existing_owner" "$existing_group" "$existing_mode" "$file_name" + fi + + ## No need to check "dpkg-statoverride --list" for existing entries. + ## If existing_mode was correct already, we would not have reached this point. + ## Since existing_mode is incorrect, remove from dpkg-statoverride and re-add. + + ## Remove from real database. + echo_wrapper_silent_ignore dpkg-statoverride --remove "$file_name" + + ## Remove from separate database. 
+ echo_wrapper_silent_ignore dpkg-statoverride $dpkg_admindir_parameter_new_mode --remove "$file_name" + + ## Add to real database and use --update to make changes on disk. + echo_wrapper_audit dpkg-statoverride --add --update "$existing_owner" "$existing_group" "$new_mode" "$file_name" + + ## Not using --update as this is only for recording. + echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_new_mode --add "$existing_owner" "$existing_group" "$new_mode" "$file_name" + + ## /lib will hit ARG_MAX if using bash 'shopt -s globstar' and '/lib/**'. + ## Using 'find' with '-perm /u=s,g=s' is faster and avoids ARG_MAX. + ## https://forums.whonix.org/t/disable-suid-binaries/7706/17 + done < <( find "$fso_to_process" -perm /u=s,g=s -print0 | xargs -I{} -0 stat -c "%n %a %U %G" {} ) + + ## Sanity test. + if [ ! "$should_be_counter" = "$counter_actual" ]; then + echo "INFO: fso_to_process: '$fso_to_process' | counter_actual : '$counter_actual'" + echo "INFO: fso_to_process: '$fso_to_process' | should_be_counter: '$should_be_counter'" + exit_code=202 + echo "ERROR: counter does not check out." >&2 + fi +} + +set_file_perms() { + echo "INFO: START parsing config_file: '$config_file'" + local line + while read -r line; do + if [ "$line" = "" ]; then + continue + fi + + if [[ "$line" =~ ^# ]]; then + continue + fi + + if [[ "$line" =~ [0-9a-zA-Z/] ]]; then + true "OK line contains only white listed characters." + else + exit_code=200 + echo "ERROR: cannot parse line with invalid character. line: '$line'" >&2 + ## Safer to exit with error in this case. + ## https://forums.whonix.org/t/disable-suid-binaries/7706/59 + exit "$exit_code" + fi + + if [ "$line" = 'whitelists_disable_all=true' ]; then + whitelists_disable_all=true + echo "INFO: whitelists_disable_all=true - all whitelists disabled." + continue + fi + + #global fso + local mode_from_config owner_from_config group_from_config capability_from_config + if ! 
read -r fso mode_from_config owner_from_config group_from_config capability_from_config <<< "$line" ; then + exit_code=201 + echo "ERROR: cannot parse. line: '$line'" >&2 + ## Debugging. + du -hs /tmp || true + echo "test -w /tmp: '$(test -w /tmp)'" >&2 || true + ## Safer to exit with error in this case. + ## https://forums.whonix.org/t/disable-suid-binaries/7706/59 + exit "$exit_code" + fi + + local fso_without_trailing_slash + fso_without_trailing_slash="${fso%/}" + + if [ "$mode_from_config" = "disablewhitelist" ]; then + ## TODO: test/add white spaces inside file name support + disable_white_list+="$fso " + continue + fi + + if [ "$mode_from_config" = "exactwhitelist" ]; then + ## TODO: test/add white spaces inside file name support + exact_white_list+="$fso " + continue + fi + + if [ "$mode_from_config" = "matchwhitelist" ]; then + ## TODO: test/add white spaces inside file name support + match_white_list+="$fso " + continue + fi + + if [ ! -e "$fso" ]; then + echo "INFO: fso: '$fso' - does not exist. This is likely normal." + continue + fi + + ## Use dpkg-statoverride so permissions are not reset during upgrades. + + if [ "$mode_from_config" = "nosuid" ]; then + ## If mode_from_config is "nosuid" the config does not set owner and + ## group. Therefore do not enforce owner/group check. + + add_nosuid_statoverride_entry + else + local string_length_of_mode_from_config + string_length_of_mode_from_config="${#mode_from_config}" + if [ "$string_length_of_mode_from_config" -gt "4" ]; then + echo "ERROR: Mode '$mode_from_config' is invalid!" >&2 + continue + fi + if [ "$string_length_of_mode_from_config" -lt "3" ]; then + echo "ERROR: Mode '$mode_from_config' is invalid!" >&2 + continue + fi + + if ! getent passwd | grep -q "^${owner_from_config}:" ; then + echo "ERROR: owner_from_config '$owner_from_config' does not exist!" >&2 + continue + fi + + if ! 
getent group | grep -q "^${group_from_config}:" ; then + echo "ERROR: group_from_config '$group_from_config' does not exist!" >&2 + continue + fi + + local mode_for_grep + mode_for_grep="$mode_from_config" + first_character_of_mode_from_config="${mode_from_config::1}" + if [ "$first_character_of_mode_from_config" = "0" ]; then + ## Remove leading '0'. + mode_for_grep="${mode_from_config:1}" + fi + + local stat_output + stat_output="" + if ! stat_output="$(stat -c "%n %a %U %G" "$fso_without_trailing_slash")" ; then + echo "ERROR: failed to run 'stat' for fso_without_trailing_slash: '$fso_without_trailing_slash'!" >&2 + continue + fi + + local arr file_name existing_mode existing_owner existing_group + arr=($stat_output) + file_name="${arr[0]}" + existing_mode="${arr[1]}" + existing_owner="${arr[2]}" + existing_group="${arr[3]}" + + if [ "$arr" = "" ]; then + echo "ERROR: arr is empty. stat_output: '$stat_output' | line: '$line'" >&2 + continue + fi + if [ "$file_name" = "" ]; then + echo "ERROR: file_name is empty. stat_output: '$stat_output' | line: '$line'" >&2 + continue + fi + if [ "$existing_mode" = "" ]; then + echo "ERROR: existing_mode is empty. stat_output: '$stat_output' | line: '$line'" >&2 + continue + fi + if [ "$existing_owner" = "" ]; then + echo "ERROR: existing_owner is empty. stat_output: '$stat_output' | line: '$line'" >&2 + continue + fi + if [ "$existing_group" = "" ]; then + echo "ERROR: $existing_group is empty. stat_output: '$stat_output' | line: '$line'" >&2 + continue + fi + + ## Check there is an entry for the fso. + ## + ## example: dpkg-statoverride --list | grep /home + ## output: + ## root root 755 /home + ## + ## dpkg-statoverride does not show leading '0'. + local dpkg_statoverride_list_output="" + local dpkg_statoverride_list_exit_code=0 + dpkg_statoverride_list_output="$(dpkg-statoverride --list "$fso_without_trailing_slash")" || { dpkg_statoverride_list_exit_code=$? 
; true; }; + + if [ "$dpkg_statoverride_list_exit_code" = "0" ]; then + true "There is an fso entry. Check if owner/group/mode match." + local grep_line + grep_line="$owner_from_config $group_from_config $mode_for_grep $fso_without_trailing_slash" + if echo "$dpkg_statoverride_list_output" | grep -q "$grep_line" ; then + true "OK The owner/group/mode matches. No further action required." + else + true "The owner/group/mode do not match, therefore remove and re-add the entry to update it." + ## fso_without_trailing_slash instead of fso to prevent + ## "dpkg-statoverride: warning: stripping trailing /" + + if dpkg-statoverride $dpkg_admindir_parameter_existing_mode --list "$fso_without_trailing_slash" >/dev/null ; then + true "OK Existing mode already saved previously. No need to save again." + else + ## Save existing_mode in separate database. + ## Not using --update as not intending to enforce existing_mode. + echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_existing_mode --add "$existing_owner" "$existing_group" "$existing_mode" "$fso_without_trailing_slash" + fi + + echo_wrapper_silent_ignore dpkg-statoverride $dpkg_admindir_parameter_new_mode --remove "$fso_without_trailing_slash" + + ## Remove from and add to real database. + echo_wrapper_silent_ignore dpkg-statoverride --remove "$fso_without_trailing_slash" + echo_wrapper_audit dpkg-statoverride --add --update "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash" + + ## Save in separate database. + ## Not using --update as this is only for saving. + echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_new_mode --add "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash" + fi + else + true "There is no fso entry. Therefore add one." + + if dpkg-statoverride $dpkg_admindir_parameter_existing_mode --list "$fso_without_trailing_slash" >/dev/null ; then + true "OK Existing mode already saved previously. 
No need to save again." + else + ## Save existing_mode in separate database. + ## Not using --update as not intending to enforce existing_mode. + echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_existing_mode --add "$existing_owner" "$existing_group" "$existing_mode" "$fso_without_trailing_slash" + fi + + ## Add to real database. + echo_wrapper_audit dpkg-statoverride --add --update "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash" + + ## Save in separate database. + ## Not using --update as this is only for saving. + echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_new_mode --add "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash" + fi + fi + if [ "$capability_from_config" = "" ]; then + continue + fi + + if [ "$capability_from_config" = "none" ]; then + ## https://forums.whonix.org/t/disable-suid-binaries/7706/45 + # sudo setcap -r /bin/ping 2>/dev/null + # Failed to set capabilities on file `/bin/ping' (No data available) + # The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file + ## Therefore use echo_wrapper_ignore. + echo_wrapper_ignore setcap -r "$fso" + getcap_output="$(getcap "$fso")" + if [ ! "$getcap_output" = "" ]; then + exit_code=205 + echo "ERROR: removing capabilities for fso '$fso' failed!" >&2 + continue + fi + else + if ! capsh --print | grep "Bounding set" | grep -q "$capability_from_config" ; then + echo "ERROR: capability_from_config '$capability_from_config' does not exist!" 
>&2 + continue + fi + + ## feature request: dpkg-statoverride: support for capabilities + ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502580 + echo_wrapper_audit setcap "${capability_from_config}+ep" "$fso" + fi + done < "$config_file" + echo "INFO: END parsing config_file: '$config_file'" +} + +parse_config_folder() { + shopt -s nullglob + for config_file in /etc/permission-hardening.d/*.conf /usr/local/etc/permission-hardening.d/*.conf; do + set_file_perms + done +} + +sanity_tests +parse_config_folder + +if [ ! "$exit_code" = "0" ]; then + echo "ERROR: Will exit with non-zero exit code: '$exit_code'" >&2 +fi + +exit "$exit_code" diff --git a/usr/libexec/security-misc/permission-hardening-undo b/usr/libexec/security-misc/permission-hardening-undo new file mode 100755 index 0000000..365490f --- /dev/null +++ b/usr/libexec/security-misc/permission-hardening-undo 
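Review bot: In set_file_perms of usr/libexec/security-misc/permission-hardening, the character check `[[ "$line" =~ [0-9a-zA-Z/] ]]` is unanchored, so it accepts any line that contains at least one allowed character and rejects only lines that contain none; the comment "contains only white listed characters" does not describe what the test does. Anchor the expression with `^` and `+$` and extend the class to the characters config lines legitimately use (whitespace, `=`, `.`, `_`, `-`). The same function interpolates config values into regular expressions in `grep -q "^${owner_from_config}:"`, `grep -q "^${group_from_config}:"` and `grep -q "$grep_line"`; `getent passwd "$owner_from_config"`, `getent group "$group_from_config"` and `grep -qxF "$grep_line"` would match literally. The last of the empty-field checks prints `ERROR: $existing_group is empty`, which expands the empty variable instead of naming it.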
@@ -0,0 +1,136 @@ +#!/bin/bash + +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +#set -x +set -e +set -o pipefail + +if [ "$1" = "all" ]; then + remove_file="all" +elif [ ! "$1" = "" ]; then + remove_file="$1" +else + echo "ERROR: need to give parameter 'all' or a filename. + +examples: + +$0 all + +$0 /usr/bin/newgrp + " >&2 +fi + +exit_code=0 + +dpkg_admindir_parameter_existing_mode="--admindir /var/lib/permission-hardening/existing_mode" +dpkg_admindir_parameter_new_mode="--admindir /var/lib/permission-hardening/new_mode" + +undo_permission_hardening() { + if [ ! -f /var/lib/permission-hardening/existing_mode/statoverride ]; then + return 0 + fi + + local line + + while read -r line; do + ## example line: + ## root root 4755 /usr/lib/eject/dmcrypt-get-device + + local owner group mode file_name + if ! read -r owner group mode file_name <<< "$line" ; then + exit_code=201 + echo "ERROR: cannot parse line: $line" >&2 + continue + fi + true "owner: '$owner' group: '$group' mode: '$mode' file_name: '$file_name'" + + if [ "$remove_file" = "all" ]; then + do_proceed=true + verbose_maybe="" + else + if [ "$remove_file" = "$file_name" ]; then + do_proceed=true + verbose_maybe="--verbose" + remove_one=true + else + do_proceed=false + verbose_maybe="" + fi + fi + + if [ "$do_proceed" = "false" ]; then + continue + fi + + if [ "$remove_one" = "true" ]; then + set -x + fi + + if test -e "$file_name" ; then + chown $verbose_maybe "${owner}:${group}" "$file_name" || exit_code=202 + ## chmod need to be run after chown since chown removes suid. + ## https://unix.stackexchange.com/questions/53665/chown-removes-setuid-bit-bug-or-feature + chmod $verbose_maybe "$mode" "$file_name" || exit_code=203 + else + echo "INFO: file_name: '$file_name' - does not exist. This is likely normal." 
+ fi + + dpkg-statoverride --remove "$file_name" &>/dev/null || true + dpkg-statoverride $dpkg_admindir_parameter_existing_mode --remove "$file_name" &>/dev/null || true + dpkg-statoverride $dpkg_admindir_parameter_new_mode --remove "$file_name" &>/dev/null || true + + if [ "$remove_one" = "true" ]; then + set +x + break + fi + + done < "/var/lib/permission-hardening/existing_mode/statoverride" +} + +undo_permission_hardening + +if [ ! "$remove_file" = "all" ]; then + if [ ! "$remove_one" = "true" ]; then + echo "INFO: none removed. + +File '$remove_file' has not removed from SUID Disabler and Permission Hardener during this invocation of this program. + +Note: This is expected if already done earlier. + +Note: This program expects the full path to the file. Example: + +$0 /usr/bin/newgrp + +The following syntax will not work: + +$0 program-name + +The following example will not work: + +$0 newgrp + +To remove all: + +$0 all + +This change might not be permanent (because of the permission-hardening.service systemd unit). For full instructions, see: +https://www.whonix.org/wiki/SUID_Disabler_and_Permission_Hardener + +To view list of changed by SUID Disabler and Permission Hardener: +https://www.whonix.org/wiki/SUID_Disabler_and_Permission_Hardener#View_List_of_Permissions_Changed_by_SUID_Disabler_and_Permission_Hardener + +For re-enabling any specific SUID binary: +https://www.whonix.org/wiki/SUID_Disabler_and_Permission_Hardener#Re-Enable_Specific_SUID_Binaries + +For completely disabling SUID Disabler and Permission Hardener: +https://www.whonix.org/wiki/SUID_Disabler_and_Permission_Hardener#Disable_SUID_Disabler_and_Permission_Hardener" + fi +fi + +if [ ! "$exit_code" = "0" ]; then + echo "ERROR: Will exit with non-zero exit code: '$exit_code'" >&2 +fi + +exit "$exit_code" 
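Review bot: The usage branch at the top of permission-hardening-undo prints "ERROR: need to give parameter 'all' or a filename." but never exits, so a call without arguments continues with `remove_file` unset, matches no entry in the loop, prints the "none removed" text for File '' and ends with exit code 0. Add an `exit 1` (or a non-zero `exit_code` plus exit) right after the usage message. `remove_one` is only assigned inside the loop; initialising it to `false` next to `exit_code=0` would make the later `[ "$remove_one" = "true" ]` tests independent of the caller's environment.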
diff --git a/usr/libexec/security-misc/permission-lockdown#security-misc-shared b/usr/libexec/security-misc/permission-lockdown similarity index 70% rename from usr/libexec/security-misc/permission-lockdown#security-misc-shared rename to usr/libexec/security-misc/permission-lockdown index 19fbe89..c1dbaaa 100755 --- a/usr/libexec/security-misc/permission-lockdown#security-misc-shared +++ b/usr/libexec/security-misc/permission-lockdown @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Doing this for all users would create many issues. @@ -25,7 +25,6 @@ # /usr/libexec/security-misc/permission-lockdown: user: stunnel4 | chmod o-rwx "/var/run/stunnel4" # /usr/libexec/security-misc/permission-lockdown: user: iodine | chmod o-rwx "/var/run/iodine" # /usr/libexec/security-misc/permission-lockdown: user: apt-cacher-ng | chmod o-rwx "/var/cache/apt-cacher-ng" -# /usr/libexec/security-misc/permission-lockdown: user: approx | chmod o-rwx "/var/cache/approx" # /usr/libexec/security-misc/permission-lockdown: user: statd | chmod o-rwx "/var/lib/nfs" # /usr/libexec/security-misc/permission-lockdown: user: timidity | chmod o-rwx "/etc/timidity" # /usr/libexec/security-misc/permission-lockdown: user: uuidd | chmod o-rwx "/run/uuidd" 
@@ -33,28 +32,35 @@ # /usr/libexec/security-misc/permission-lockdown: user: geoclue | chmod o-rwx "/var/lib/geoclue" home_folder_access_rights_lockdown() { - mkdir --parents /var/cache/security-misc/state-files - local user - for user in $(dir /home); do ## lists directories only - if [ -f "/var/cache/security-misc/state-files/$user" ]; then + shopt -s nullglob + + ## Not using dotglob. + ## touch /var/cache/security-misc/state-files//home/.Trash + ## touch: cannot touch '/var/cache/security-misc/state-files//home/.Trash': No such file or directory + + local folder_name base_name + + for folder_name in /home/* ; do + base_name="$(basename "$folder_name")" + if [ -f "/var/cache/security-misc/state-files/$base_name" ]; then continue fi - folder_name="/home/$user" - ## chmod: - ## The 'g' for 'group' is not needed. - ## Debian by default uses USERGROUPS=yes in /etc/adduser.conf. - ## The group which the user is being added to has the same name as the user. - ## If the username is user then the name of the group is also user. - ## Some background information here: - ## https://unix.stackexchange.com/questions/156473/reasons-behind-the-default-groups-and-users-on-linux - ## In short, this is useful for "file sharing". A if user1 wants to share data with user2 the command - ## required to run is sudo addgroup user1 user2. - ## See also: user private groups UPGs - ## https://wiki.debian.org/UserPrivateGroups + if [ ! -d "$folder_name" ]; then + continue + fi + if [ "$folder_name" = "/home/" ]; then + continue + fi + mkdir -p /var/cache/security-misc/state-files echo "$0: chmod o-rwx \"$folder_name\"" chmod o-rwx "$folder_name" - touch "/var/cache/security-misc/state-files/$user" + ## Create a state-file so we do this only once. + ## Therefore a user who will manually undo this, will not get + ## annoyed by this being done over and over again. + touch "/var/cache/security-misc/state-files/$base_name" done + + shopt -u nullglob } home_folder_access_rights_lockdown 
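Review bot: In the new loop of home_folder_access_rights_lockdown, `[ ! -d "$folder_name" ]` also lets a symlink to a directory through, and `chmod o-rwx "$folder_name"` then changes the mode of the link target instead of an entry under /home; skip entries for which `[ -L "$folder_name" ]` is true before the chmod. The `[ "$folder_name" = "/home/" ]` test cannot be true for a `/home/*` expansion with nullglob set and can be dropped. The hunk also deletes the comment that explained why only `o-rwx` is applied and the group bits are left alone (USERGROUPS=yes, user private groups); that rationale should stay next to the chmod.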
diff --git a/usr/libexec/security-misc/placeholder#security-misc-server b/usr/libexec/security-misc/placeholder#security-misc-server deleted file mode 100755 index e8e373e..0000000 --- a/usr/libexec/security-misc/placeholder#security-misc-server +++ /dev/null @@ -1,9 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -set -x -set -e -echo "$0: This is just a placeholder until security-misc-server gets implemented." -exit 0 diff --git a/usr/libexec/security-misc/remount-secure b/usr/libexec/security-misc/remount-secure new file mode 100755 index 0000000..ae41e79 --- /dev/null +++ b/usr/libexec/security-misc/remount-secure 
@@ -0,0 +1,130 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## noexec in /tmp and/or /home can break some malware but also legitimate +## applications. + +## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707 + +set -x +set -e + +if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then + ## pre.bsh would `source` the following folders: + ## /etc/remount-secure_pre.d/*.conf + ## /usr/local/etc/remount-secure_pre.d/*.conf + source /usr/libexec/helper-scripts/pre.bsh +fi + +if [ -e /etc/remount-disable ] || [ -e /usr/local/etc/remount-disable ]; then + echo "INFO: file /etc/remount-disable exists. Doing nothing." + exit 0 +fi + +if [ -e /etc/exec ] || [ -e /usr/local/etc/exec ]; then + noexec=false + echo "INFO: Will remount with exec because file /etc/exec or /usr/local/etc/exec exists." +else + if [ -e /etc/noexec ] || [ -e /usr/local/etc/noexec ]; then + noexec=true + echo "INFO: Will remount with noexec because file /etc/noexec or /usr/local/etc/noexec exists." + else + echo "INFO: Will not remount with noexec because file /etc/noexec or /usr/local/etc/noexec does not exist." + fi +fi + +mkdir --parents "/var/run/remount-secure" + +if [ "$noexec" = "true" ]; then + noexec_maybe=",noexec" +fi + +exit_code=0 + +mount_output="$(mount)" + +remount_secure() { + ## ${FUNCNAME[1]} is the name of the calling function. I.e. the function + ## which called this function. + status_file_name="${FUNCNAME[1]}" + ## example status_file_name: + ## _home + status_file_full_path="/var/run/remount-secure/${status_file_name}" + ## example status_file_full_path: + ## /var/run/remount-secure/_home + + ## LANG=C str_replace is provided by package helper-scripts. 
+ mount_folder="$(echo "${status_file_name}" | LANG=C str_replace "_" "/")" + ## example mount_folder: + ## /home + + mount_line_of_mount_folder="$(echo "$mount_output" | grep "$mount_folder ")" || true + + if echo "$mount_line_of_mount_folder" | grep -q "$new_mount_options" ; then + echo "INFO: $mount_folder has already intended mount options." + return 0 + fi + + if [ -e "$status_file_full_path" ]; then + echo "INFO: $mount_folder already remounted earlier. Not remounting again." + return 0 + fi + + ## BUG: echo: write error: Broken pipe + if echo "$mount_output" | grep -q "$mount_folder " ; then + ## Already mounted. Using remount. + echo mount -o "remount,${new_mount_options}" "$mount_folder" + mount -o "remount,${new_mount_options}" "$mount_folder" || exit_code=100 + else + ## Not yet mounted. Using mount bind. + echo mount -o "$new_mount_options" --bind "$mount_folder" "$mount_folder" + mount -o "$new_mount_options" --bind "$mount_folder" "$mount_folder" || exit_code=101 + fi + + touch "$status_file_full_path" +} + +_home() { + new_mount_options="nosuid,nodev${noexec_maybe}" + remount_secure "$@" +} + +_run() { + ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html + new_mount_options="nosuid,nodev${noexec_maybe}" + remount_secure "$@" +} + +_dev_shm() { + new_mount_options="nosuid,nodev${noexec_maybe}" + remount_secure "$@" +} + +_tmp() { + new_mount_options="nosuid,nodev${noexec_maybe}" + remount_secure "$@" +} + +## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/25 +# _lib() { +# ## Not using noexec on /lib. +# new_mount_options="nosuid,nodev" +# remount_secure "$@" +# } + +end() { + exit $exit_code +} + +main() { + _home "$@" + _run "$@" + _dev_shm "$@" + _tmp "$@" + #_lib "$@" + end "$@" +} + +main "$@" 
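Review bot: remount_secure decides whether a folder is mounted with `grep "$mount_folder "` over the whole `mount` output, which is a substring match: for `_tmp` the pattern `/tmp ` also matches a `/var/tmp` line, so the function can take the remount branch for a folder that is not itself a mount point, and the "has already intended mount options" test is then evaluated against the wrong line. Query the mount point exactly, for example `findmnt --noheadings --output OPTIONS --mountpoint "$mount_folder"`, and test for each option separately instead of the literal string in `$new_mount_options`, whose order need not match what the kernel reports. `touch "$status_file_full_path"` also runs after a failed mount (exit_code 100 or 101), so a failed remount is recorded as done and skipped on the next run; create the status file only on success.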
diff --git a/usr/libexec/security-misc/remove-system.map#security-misc-shared b/usr/libexec/security-misc/remove-system.map similarity index 59% rename from usr/libexec/security-misc/remove-system.map#security-misc-shared rename to usr/libexec/security-misc/remove-system.map index 5b75f6d..ea33c8b 100755 --- a/usr/libexec/security-misc/remove-system.map#security-misc-shared +++ b/usr/libexec/security-misc/remove-system.map @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then @@ -20,23 +20,18 @@ for filename in ${system_map_location} ; do done if [ "$counter" -ge "1" ]; then - echo "INFO: Deleting system.map files..." + echo "Deleting system.map files..." fi ## Removes the System.map files as they are only used for debugging or malware. for filename in ${system_map_location} ; do if [ -f "${filename}" ]; then - if [ -w "${filename}" ]; then - ## 'shred' with '--verbose' is too chatty. (7 lines) - shred --force --zero -u "${filename}" - echo "INFO: removed '${filename}'" - else - echo "NOTE: Cannot delete '${filename}' - read-only. For details, see: https://www.kicksecure.com/wiki/security-misc#system_map" - exit 0 - fi + ## 'shred' with '--verbose' is too chatty. (7 lines) + shred --force --zero -u "${filename}" + echo "removed '${filename}'" fi done if [ "$counter" -ge "1" ]; then - echo "INFO: Done. Success." + echo "Done. Success." fi diff --git a/usr/libexec/security-misc/virusforget#security-misc-shared b/usr/libexec/security-misc/virusforget similarity index 98% rename from usr/libexec/security-misc/virusforget#security-misc-shared rename to usr/libexec/security-misc/virusforget index 9b02de8..ea010b8 100755 --- a/usr/libexec/security-misc/virusforget#security-misc-shared +++ b/usr/libexec/security-misc/virusforget 
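Review bot: In the @@ -20,23 +20,18 @@ hunk of remove-system.map, dropping the `-w` test leaves `echo "removed '${filename}'"` directly after `shred --force --zero -u "${filename}"` with no check of its result, so on a read-only location the script reports a removal that did not happen unless errexit is enabled elsewhere. Keep the writability check with its NOTE message, or make the echo conditional on shred's exit status. Dropping the `INFO:` prefixes also makes these messages inconsistent with the `INFO:`/`ERROR:` convention used by the other scripts in this patch.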
@@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## VirusForget is inspired by Christopher Laprise. @@ -29,7 +29,7 @@ root_check() { parse_cmd_options() { ## Thanks to: - ## https://mywiki.wooledge.org/BashFAQ/035 + ## http://mywiki.wooledge.org/BashFAQ/035 while : do @@ -270,7 +270,7 @@ unexpected_file() { elif [ "$clean" = "true" ]; then echo "unexpected symlink. Removing... unlink '$full_path_original'" >&2 unlink "$full_path_original" - echo "Removed unexpected symlink." >&2 + echo "Removed unexpect symlink." >&2 fi else if [ "$test_mode" = "true" ]; then diff --git a/usr/share/doc/security-misc/fstab-vm#security-misc-shared b/usr/share/doc/security-misc/fstab-vm#security-misc-shared deleted file mode 100644 index e02a087..0000000 --- a/usr/share/doc/security-misc/fstab-vm#security-misc-shared +++ /dev/null 
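Review bot: The @@ -270,7 +270,7 @@ hunk of virusforget changes the message to "Removed unexpect symlink.", which introduces a typo; keep "Removed unexpected symlink." so it matches the "unexpected symlink. Removing..." line above it. The BashFAQ reference in parse_cmd_options is also switched from https to http in this file; the https URL should stay.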
@@ -1,40 +0,0 @@ -# - -/dev/disk/by-uuid/26ada0c0-1165-4098-884d-aafd2220c2c6 / auto nofail,defaults,errors=remount-ro 0 1 - -proc /proc proc nofail,defaults 0 0 - -/dev /dev devtmpfs nofail,bind,remount,nosuid,noexec 0 0 -#udev /dev devtmpfs defaults,nosuid,noexec 0 0 - -## noexec optional -/dev/shm /dev/shm tmpfs nofail,nosuid,nodev,noexec 0 0 -#tmpfs /dev/shm tmpfs defaults,nosuid,nodev,noexec 0 0 - -## nodev,nosuid,noexec as per: -## https://www.debian.org/doc/manuals/securing-debian-manual/ch04s10.en.html -## Commented out by default to prevent warning: -## mount: /mnt/cdrom: mount point does not exist. -#/dev/cdrom /mnt/cdrom iso9660 nofail,ro,users,nodev,nosuid,noexec 0 0 - -/boot /boot none nofail,bind,nosuid,nodev,noexec 0 0 - -## noexec optional -/tmp /tmp tmpfs nofail,bind,nosuid,nodev,noexec 0 0 -#tmpfs /tmp tmpfs defaults,nodev,nosuid,noexec 0 0 - -/var /var none nofail,bind,nosuid,nodev 0 0 - -## noexec optional -/var/tmp /var/tmp none nofail,bind,nosuid,nodev,noexec 0 0 - -/var/log /var/log none nofail,bind,nosuid,nodev,noexec 0 0 - -## noexec optional -/run /run none nofail,bind,nosuid,nodev,noexec 0 0 - -## noexec optional -/home /home none nofail,bind,nosuid,nodev,noexec 0 0 - -## TODO: -#/sys diff --git a/usr/share/glib-2.0/schemas/30_security-misc.gschema.override b/usr/share/glib-2.0/schemas/30_security-misc.gschema.override new file mode 100644 index 0000000..2ee9098 --- /dev/null +++ b/usr/share/glib-2.0/schemas/30_security-misc.gschema.override @@ -0,0 +1,2 @@ +[org.gnome.nautilus.preferences] +show-image-thumbnails="never" diff --git a/usr/share/glib-2.0/schemas/30_security-misc.gschema.override#security-misc-shared b/usr/share/glib-2.0/schemas/30_security-misc.gschema.override#security-misc-shared deleted file mode 100644 index 2f56805..0000000 --- a/usr/share/glib-2.0/schemas/30_security-misc.gschema.override#security-misc-shared +++ /dev/null 
@@ -1,5 +0,0 @@ -## Copyright (C) 2017 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -[org.gnome.nautilus.preferences] -show-image-thumbnails="never" diff --git a/usr/share/lintian/overrides/security-misc b/usr/share/lintian/overrides/security-misc new file mode 100644 index 0000000..ecc709d --- /dev/null +++ b/usr/share/lintian/overrides/security-misc @@ -0,0 +1,11 @@ +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## The whole point of the package. +security-misc: package-contains-file-in-etc-skel etc/skel/* + +## Wrapper script. +security-misc: no-manual-page usr/bin/pkexec.security-misc + +## Non-ideal but still a good solution. +security-misc: file-in-unusual-dir var/cache/security-misc/state-files/placeholder diff --git a/usr/share/lintian/overrides/security-misc-shared#security-misc-shared b/usr/share/lintian/overrides/security-misc-shared#security-misc-shared deleted file mode 100644 index 1dad42d..0000000 --- a/usr/share/lintian/overrides/security-misc-shared#security-misc-shared +++ /dev/null 
@@ -1,23 +0,0 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## The whole point of the package. -security-misc-shared: package-contains-file-in-etc-skel [etc/skel/*] - -## Wrapper script. -security-misc-shared: no-manual-page [usr/bin/pkexec.security-misc] - -## Non-ideal but still a good solution. -security-misc-shared: file-in-unusual-dir [var/cache/security-misc/state-files/placeholder] - -## False-positive. Just a comment mentioning dpkg's folder. -security-misc-shared: uses-dpkg-database-directly [usr/bin/remount-secure] - -## Special target to make sure this runs as non-parallelized as possible to avoid race conditions. -security-misc-shared: systemd-service-file-refers-to-unusual-wantedby-target sysinit-post.target [usr/lib/systemd/system/remount-secure.service] - -## False-positive. Unit is commented out by default. -security-misc-shared: systemd-service-file-missing-install-key [usr/lib/systemd/system/block-shutdown.service] - -## Minor bug: Unknown. -security-misc-shared: package-contains-empty-directory [usr/share/security-misc-shared/] diff --git a/usr/share/pam-configs/block-unsafe-logins-security-misc#security-misc-shared b/usr/share/pam-configs/block-unsafe-logins-security-misc#security-misc-shared deleted file mode 100644 index eec6702..0000000 --- a/usr/share/pam-configs/block-unsafe-logins-security-misc#security-misc-shared +++ /dev/null @@ -1,6 +0,0 @@ -Name: block unsafe passwordless login (by package security-misc-shared) -Default: yes -Priority: 1100 -Auth-Type: Primary -Auth: - requisite pam_exec.so seteuid stdout /usr/libexec/security-misc/block-unsafe-logins 
diff --git a/usr/share/pam-configs/console-lockdown-security-misc#security-misc-shared b/usr/share/pam-configs/console-lockdown-security-misc similarity index 92% rename from usr/share/pam-configs/console-lockdown-security-misc#security-misc-shared rename to usr/share/pam-configs/console-lockdown-security-misc index 45e5c41..df57a85 100644 --- a/usr/share/pam-configs/console-lockdown-security-misc#security-misc-shared +++ b/usr/share/pam-configs/console-lockdown-security-misc @@ -1,4 +1,4 @@ -Name: allow only members of group console to use login (by package security-misc-shared) +Name: allow only members of group console to use login (by package security-misc) Default: no Priority: 280 Account-Type: Primary diff --git a/usr/share/pam-configs/faillock-preauth-security-misc#security-misc-shared b/usr/share/pam-configs/faillock-security-misc similarity index 60% rename from usr/share/pam-configs/faillock-preauth-security-misc#security-misc-shared rename to usr/share/pam-configs/faillock-security-misc index 9d74cb8..d337690 100644 --- a/usr/share/pam-configs/faillock-preauth-security-misc#security-misc-shared +++ b/usr/share/pam-configs/faillock-security-misc @@ -1,8 +1,11 @@ -Name: lock accounts after 50 failed authentication attempts (preauth component) (by package security-misc-shared) +Name: lock accounts after 50 failed authentication attempts (part 1) (by package security-misc) Default: yes -Priority: 1024 +Priority: 290 Auth-Type: Primary Auth: optional pam_exec.so debug stdout seteuid /usr/libexec/security-misc/pam-info [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x required pam_faillock.so preauth +Account-Type: Primary +Account: + requisite pam_faillock.so diff --git a/usr/share/pam-configs/faillock2-security-misc b/usr/share/pam-configs/faillock2-security-misc new file mode 100644 index 0000000..7bc5fb7 --- /dev/null +++ b/usr/share/pam-configs/faillock2-security-misc 
@@ -0,0 +1,8 @@ +Name: lock accounts after 50 failed authentication attempts (part 2) (by package security-misc) +Default: yes +Priority: 245 +Auth-Type: Primary +Auth: + [success=2 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x + [default=die] pam_faillock.so authfail + sufficient pam_faillock.so authsucc diff --git a/usr/share/pam-configs/mkhomedir-security-misc#security-misc-shared b/usr/share/pam-configs/mkhomedir-security-misc similarity index 64% rename from usr/share/pam-configs/mkhomedir-security-misc#security-misc-shared rename to usr/share/pam-configs/mkhomedir-security-misc index 03b11e4..326013c 100644 --- a/usr/share/pam-configs/mkhomedir-security-misc#security-misc-shared +++ b/usr/share/pam-configs/mkhomedir-security-misc @@ -1,4 +1,4 @@ -Name: Create home directory on login (by package security-misc-shared) +Name: Create home directory on login (by package security-misc) Default: yes Priority: 100 Session-Type: Additional diff --git a/usr/share/pam-configs/pam-abort-on-locked-password-security-misc#security-misc-shared b/usr/share/pam-configs/pam-abort-on-locked-password-security-misc similarity index 70% rename from usr/share/pam-configs/pam-abort-on-locked-password-security-misc#security-misc-shared rename to usr/share/pam-configs/pam-abort-on-locked-password-security-misc index 02cd2a3..4d2ffa2 100644 --- a/usr/share/pam-configs/pam-abort-on-locked-password-security-misc#security-misc-shared +++ b/usr/share/pam-configs/pam-abort-on-locked-password-security-misc @@ -1,4 +1,4 @@ -Name: abort on locked password (by package security-misc-shared) +Name: abort on locked password (by package security-misc) Default: yes Priority: 300 Auth-Type: Primary diff --git a/usr/share/pam-configs/umask-security-misc#security-misc-shared b/usr/share/pam-configs/umask-security-misc#security-misc-shared deleted file mode 100644 index 3b34c25..0000000 
--- a/usr/share/pam-configs/umask-security-misc#security-misc-shared +++ /dev/null @@ -1,9 +0,0 @@ -Name: Restrict umask to 027 for non-root users (by package security-misc-shared) -Default: yes -Priority: 100 -Session-Type: Additional -Session: - [success=1 default=ignore] pam_succeed_if.so uid eq 0 - optional pam_umask.so umask=027 - [success=1 default=ignore] pam_succeed_if.so uid ne 0 - optional pam_umask.so umask=022 diff --git a/usr/share/pam-configs/unix-faillock-security-misc#security-misc-shared b/usr/share/pam-configs/unix-faillock-security-misc#security-misc-shared deleted file mode 100644 index b1328b5..0000000 --- a/usr/share/pam-configs/unix-faillock-security-misc#security-misc-shared +++ /dev/null @@ -1,20 +0,0 @@ -Name: Unix authentication with faillock (by package security-misc-shared) -Default: yes -Priority: 384 -Auth-Type: Primary -Auth: - [success=3 default=ignore] pam_unix.so nullok try_first_pass - [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x - [default=die] pam_faillock.so authfail - requisite pam_deny.so - [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x - optional pam_faillock.so authsucc - required pam_permit.so -Auth-Initial: - [success=3 default=ignore] pam_unix.so nullok - [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x - [default=die] pam_faillock.so authfail - requisite pam_deny.so - [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x - optional pam_faillock.so authsucc - required pam_permit.so diff --git a/usr/share/pam-configs/wheel-security-misc#security-misc-shared b/usr/share/pam-configs/wheel-security-misc similarity index 52% rename from usr/share/pam-configs/wheel-security-misc#security-misc-shared rename to usr/share/pam-configs/wheel-security-misc index 599d5bc..323ff72 100644 
--- a/usr/share/pam-configs/wheel-security-misc#security-misc-shared +++ b/usr/share/pam-configs/wheel-security-misc @@ -1,7 +1,6 @@ -Name: group sudo membership required to use su (by package security-misc-shared) +Name: group sudo membership required to use su (by package security-misc) Default: yes -Priority: 1050 +Priority: 280 Auth-Type: Primary Auth: - [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_only_if_su requisite pam_wheel.so group=sudo debug diff --git a/usr/share/polkit-1/actions/org.freedesktop.Flatpak.policy.security-misc#security-misc-shared b/usr/share/polkit-1/actions/org.freedesktop.Flatpak.policy.security-misc#security-misc-shared deleted file mode 100644 index 176b14e..0000000 --- a/usr/share/polkit-1/actions/org.freedesktop.Flatpak.policy.security-misc#security-misc-shared +++ /dev/null 
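Review bot: In wheel-security-misc, the removed line `[success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_only_if_su` was the only thing that could skip `requisite pam_wheel.so group=sudo debug`, so after this change the group check runs for every service that uses this Primary Auth block, while the Name field still says it is required "to use su". Either keep the pam_only_if_su guard or document in the file that the wider scope is intended. The Priority change from 1050 to 280 also moves this entry relative to the faillock entries in the same patch, and the resulting order of the generated auth stack should be stated in the commit message.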
@@ -1,335 +0,0 @@ - - - - - The Flatpak Project - https://github.com/flatpak/flatpak - package-x-generic - - - Install signed application - Authentication is required to install software - package-x-generic - - auth_admin - auth_admin - auth_admin_keep - - org.freedesktop.Flatpak.app-update org.freedesktop.Flatpak.runtime-install org.freedesktop.Flatpak.runtime-update - - - - Install signed runtime - Authentication is required to install software - package-x-generic - - auth_admin - auth_admin - auth_admin_keep - - org.freedesktop.Flatpak.runtime-update - - - - Update signed application - Authentication is required to update software - package-x-generic - - auth_admin - auth_admin - auth_admin_keep - - org.freedesktop.Flatpak.runtime-install org.freedesktop.Flatpak.runtime-update - - - - Update signed runtime - Authentication is required to update software - package-x-generic - - auth_admin - auth_admin - auth_admin_keep - - - - - Update remote metadata - Authentication is required to update remote info - package-x-generic - - auth_admin - auth_admin - auth_admin_keep - - - - - Update system repository - Authentication is required to modify a system repository - package-x-generic - - auth_admin - auth_admin - auth_admin_keep - - - - - Install bundle - Authentication is required to install software from $(path) - package-x-generic - - auth_admin - auth_admin - auth_admin_keep - - org.freedesktop.Flatpak.runtime-install org.freedesktop.Flatpak.runtime-update - - - - Uninstall runtime - Authentication is required to uninstall software - package-x-generic - - auth_admin - auth_admin - auth_admin_keep - - - - - Uninstall app - Authentication is required to uninstall $(ref) - package-x-generic - - auth_admin - auth_admin - auth_admin_keep - - org.freedesktop.Flatpak.runtime-uninstall - - - - Configure Remote - Authentication is required to configure software repositories - package-x-generic - - auth_admin - auth_admin - auth_admin_keep - - - - - Configure - 
Authentication is required to configure software installation - package-x-generic - - auth_admin - auth_admin - auth_admin_keep - - - - - Update appstream - Authentication is required to update information about software - package-x-generic - - auth_admin - auth_admin - auth_admin_keep - - - - - Update metadata - Authentication is required to update metadata - package-x-generic - - auth_admin - auth_admin - auth_admin_keep - - - - - Override parental controls for installs - Authentication is required to install software which is restricted by your parental controls policy - package-x-generic - - auth_admin - auth_admin - auth_admin - - org.freedesktop.Flatpak.override-parental-controls-update - - - - Override parental controls for updates - Authentication is required to update software which is restricted by your parental controls policy - package-x-generic - - auth_admin - auth_admin - auth_admin_keep - - - diff --git a/usr/share/security-misc/dolphinrc#security-misc-shared b/usr/share/security-misc/dolphinrc similarity index 50% rename from usr/share/security-misc/dolphinrc#security-misc-shared rename to usr/share/security-misc/dolphinrc index 9028487..28bdc11 100644 --- a/usr/share/security-misc/dolphinrc#security-misc-shared +++ b/usr/share/security-misc/dolphinrc @@ -1,5 +1,6 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions [PreviewSettings] Plugins= + diff --git a/usr/share/security-misc/emerg-shutdown-initramfs.service#security-misc-shared b/usr/share/security-misc/emerg-shutdown-initramfs.service#security-misc-shared deleted file mode 100644 index 8de5412..0000000 --- a/usr/share/security-misc/emerg-shutdown-initramfs.service#security-misc-shared +++ /dev/null 
@@ -1,21 +0,0 @@ -## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## This file should not be installed on the host system, it is intended for -## inclusion in a dracut initramfs only. - -[Unit] -Description=Emergency shutdown when boot media is removed -Documentation=https://github.com/Kicksecure/security-misc -DefaultDependencies=no -Before=sysinit.target -Requires=systemd-udevd.service -After=systemd-udevd.service - -[Service] -Type=notify -ExecStart=/usr/libexec/security-misc/emerg-shutdown -NotifyAccess=main - -[Install] -WantedBy=sysinit.target diff --git a/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf#security-misc-shared b/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf similarity index 83% rename from usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf#security-misc-shared rename to usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf index 87de7e0..ca327fc 100644 --- a/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf#security-misc-shared +++ b/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2021 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## LKRG VirtualBox host configuration @@ -13,9 +13,9 @@ ## /usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf ## to: ## /etc/sysctl.d/30-lkrg-virtualbox.conf -## by package security-misc-shared, files: +## by package security-misc, files: ## /usr/share/security-misc/lkrg/lkrg-virtualbox -## /usr/lib/systemd/system/lkrg.service.d/40-virtualbox.conf +## /lib/systemd/system/lkrg.service.d/40-virtualbox.conf ## https://forums.whonix.org/t/linux-kernel-runtime-guard-lkrg-linux-kernel-runtime-integrity-checking-and-exploit-detection/8477/32 ## https://www.openwall.com/lists/lkrg-users/2020/01/24/2 
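Review bot: the comment block in the @@ -13,9 +13,9 @@ hunk of 30-lkrg-virtualbox.conf now names /lib/systemd/system/lkrg.service.d/40-virtualbox.conf where the removed line named the /usr/lib path, and the package name changes to security-misc; check that both match where the drop-in is actually installed in this tree. These comment lines are how an admin works out what copied the file into /etc/sysctl.d, so a path that does not match the shipped file costs time during troubleshooting.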
@@ -24,7 +24,7 @@ ## https://github.com/openwall/lkrg/blob/main/scripts/bootup/lkrg.conf ## https://github.com/openwall/lkrg/blob/main/scripts/bootup/systemd/lkrg.service ## /etc/sysctl.d/30-lkrg-dkms.conf -## /usr/lib/systemd/system/lkrg.service +## /lib/systemd/system/lkrg.service ## https://github.com/openwall/lkrg/issues/82#issuecomment-886188999 lkrg.pcfi_validate = 1 diff --git a/usr/share/security-misc/lkrg/lkrg-virtualbox#security-misc-shared b/usr/share/security-misc/lkrg/lkrg-virtualbox similarity index 59% rename from usr/share/security-misc/lkrg/lkrg-virtualbox#security-misc-shared rename to usr/share/security-misc/lkrg/lkrg-virtualbox index 8b7d15e..30a114a 100755 --- a/usr/share/security-misc/lkrg/lkrg-virtualbox#security-misc-shared +++ b/usr/share/security-misc/lkrg/lkrg-virtualbox @@ -1,16 +1,13 @@ #!/bin/bash -## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2021 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -#set -x +set -x set -e -## Check if the VirtualBox host software is installed. if ! command -v vboxmanage &>/dev/null ; then - ## VirtualBox host software is not installed. if test -f /etc/sysctl.d/30-lkrg-virtualbox.conf ; then - ## Delete using '--verbose' so user is notified. rm --force --verbose /etc/sysctl.d/30-lkrg-virtualbox.conf fi exit 0 @@ -24,9 +21,4 @@ if ! test -f /usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf ; then exit 0 fi -if ! package-installed-check "lkrg" ; then - exit 0 -fi - -## Delete using '--verbose' so user is notified. cp --verbose /usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf /etc/sysctl.d/30-lkrg-virtualbox.conf diff --git a/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded#security-misc-shared b/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded#security-misc-shared deleted file mode 100644 index d40c552..0000000 
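Review bot: the @@ -24,9 +21,4 @@ hunk of lkrg-virtualbox drops the `if ! package-installed-check "lkrg"` early exit, so the script reaches the final cp and installs /etc/sysctl.d/30-lkrg-virtualbox.conf whenever vboxmanage and the source file are present, whether or not LKRG is installed. Keep a presence check for LKRG ahead of the cp, or document why writing the lkrg.* settings is acceptable without it. Separately, the first hunk of this file changes `#set -x` to `set -x`, which traces every command on each run and looks like leftover debugging; leave it commented out.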
--- a/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded#security-misc-shared +++ /dev/null @@ -1,36 +0,0 @@ -root root 644 /etc/passwd- -root root 755 /etc/cron.monthly -root root 755 /etc/sudoers.d -root shadow 2755 /usr/bin/expiry -root root 4755 /usr/bin/umount -root root 4755 /usr/bin/gpasswd -root root 755 /usr/lib/modules -root root 644 /etc/issue.net -root root 644 /etc/group- -root root 4755 /usr/bin/newgrp -root root 755 /etc/cron.weekly -root root 644 /etc/hosts.deny -root root 4755 /usr/bin/su -root root 644 /etc/hosts.allow -root root 700 /root -root root 755 /etc/cron.daily -root root 755 /bin/ping -root root 777 /etc/motd.kicksecure -root root 777 /etc/motd.whonix -root root 755 /boot -root root 755 /home -root shadow 2755 /usr/bin/chage -root root 4755 /usr/bin/chsh -root root 4755 /usr/bin/passwd -root root 4755 /usr/bin/chfn -root root 644 /etc/group -root root 755 /etc/permission-hardener.d -root root 644 /etc/passwd -root root 755 /usr/src -root root 4755 /usr/bin/mount -root root 777 /etc/issue.kicksecure -root root 777 /etc/issue.whonix -root root 755 /etc/cron.d -root root 4755 /usr/bin/sudo -root root 4755 /usr/bin/pkexec -root root 4755 /usr/lib/polkit-1/polkit-agent-helper-1 diff --git a/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded#security-misc-shared b/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded#security-misc-shared deleted file mode 100644 index d1b3a80..0000000 --- a/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded#security-misc-shared +++ /dev/null 
@@ -1,26 +0,0 @@ -root root 700 /etc/cron.monthly -root root 700 /etc/sudoers.d -root shadow 744 /usr/bin/expiry -root root 755 /usr/bin/umount -root root 744 /usr/bin/gpasswd -root root 700 /usr/lib/modules -root root 744 /usr/bin/newgrp -root root 700 /etc/cron.weekly -root root 744 /usr/bin/su -root root 700 /etc/cron.daily -root root 755 /bin/ping -root root 644 /etc/motd.kicksecure -root root 644 /etc/motd.whonix -root _ssh 744 /usr/bin/ssh-agent -root root 700 /boot -root shadow 744 /usr/bin/chage -root root 744 /usr/lib/openssh/ssh-keysign -root root 744 /usr/bin/chsh -root root 755 /usr/bin/passwd -root root 744 /usr/bin/chfn -root root 600 /etc/permission-hardener.d -root root 700 /usr/src -root root 755 /usr/bin/mount -root root 644 /etc/issue.kicksecure -root root 644 /etc/issue.whonix -root root 700 /etc/cron.d diff --git a/usr/share/security-misc/security-misc-memlockd.cfg#security-misc-shared b/usr/share/security-misc/security-misc-memlockd.cfg#security-misc-shared deleted file mode 100644 index 12439b3..0000000 --- a/usr/share/security-misc/security-misc-memlockd.cfg#security-misc-shared +++ /dev/null @@ -1,2 +0,0 @@ -# Lock systemd and all of its library dependencies into memory -+/usr/lib/systemd/systemd diff --git a/usr/src/security-misc/emerg-shutdown.c#security-misc-shared b/usr/src/security-misc/emerg-shutdown.c#security-misc-shared deleted file mode 100644 index e1ef981..0000000 --- a/usr/src/security-misc/emerg-shutdown.c#security-misc-shared +++ /dev/null 
@@ -1,1076 +0,0 @@ -/* - * Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC - * See the file COPYING for copying conditions. - */ - -/* - * This program is designed specifically to immediately and forcibly power off - * the system in the event the device providing the root filesystem is - * abruptly removed from the system. The idea is that a user can shut down - * a portable installation of Kicksecure by simply yanking the USB drive - * containing the installation from the computer. Tails provides essentially - * the same feature, however it is known for occasionally failing to do its - * job properly. - * - * The fact that we're triggering a shutdown when the device containing the - * root filesystem vanishes presents a number of significant challenges: - * - * - The device providing the entire operating system is gone. The only things - * we will still have left are the kernel, files loaded into RAM (for - * instance under /run), and anything that happens to still be in the - * system's disk cache. - * - Virtually any process on the system may abruptly crash at any time. This - * isn't just because applications may be unable to access files. The Linux - * kernel's virtual memory subsystem doesn't just page out RAM contents to a - * swap file, it will sometimes simply erase pages containing executable - * code from memory if it can reload that code from disk later when needed. - * If part of a program isn't present in memory, and then the root device - * vanishes, any attempt to use code in the absent part of the application - * will result in the application crashing. (Attempts to access data in RAM - * that happened to be paged out will result in a similar crash.) - * - We have no control over what is and isn't in the disk cache, which makes - * it unsafe to launch any dynamically linked executable. What happens if we - * need to load a missing part of libc? What if the dynamic linker itself - * needs loaded from disk? 
- * - Systemd could lock up at any time, since the init process isn't immune to - * having bits of it erased from RAM to free up memory. If systemd receives - * a SIGSEGV, rather than crashing (which would panic the kernel), it goes - * into an "emergency mode" that tries to keep the system as operational as - * possible even though PID 1 is now out of service. - * - * Circumventing this set of difficulties is not easy, and it might not even - * be entirely possible. To give our feature the highest chance of success: - * - * - We use memlockd to lock systemd and all libraries it depends on into - * memory. It can hold its own pretty well in the event of a segfault, but - * if its crash handler ends up re-segfaulting, that could get ugly. - * - We compile the utility at boot time, statically link it against all of - * its dependencies (really only one, glibc), and load it into /run. This - * allows for decent architecture independence while removing any dependency - * on anything that isn't in RAM, thus (hopefully!) making the process - * crash-immune. - * - Because we're static-linking against glibc, we cannot call anything - * defined in stdio.h. This is because glibc uses dlopen() to load iconv - * modules, which are used internally by glibc for locale support. Things - * defined in stdio.h may use iconv, so calling anything there will - * basically make our static-linked executable become dynamically linked, - * which could segfault it since the root filesystem is gone. We can't call - * anything that could touch Name Service Switch (NSS) either, but we have - * no need to do so, so we should be safe there. See - * https://stackoverflow.com/questions/57476533/why-is-statically-linking-glibc-discouraged - * - We can't use udev either because libudev is only available as a dynamic - * library. That means we have to listen to kernel uevents directly to - * determine when the root device vanishes. Thankfully this isn't as much of - * a pain as it might sound like. 
- * - We don't call out to any external process, since those external processes - * could segfault. - * - * This is likely superior to Tails' implementation, which uses udev (and thus - * dynamic linking), uses an interpreter-driven script to shut down the system - * when the root device vanishes, and calls out to external executables to - * actually shut the system down. These issues are likely why Tails' - * implementation of emergency shutdown occasionally fails. See - * https://www.reddit.com/r/tails/comments/xh8njn/tails_wont_shutdown_when_i_pull_usb_stick/ - * (there are other similar posts as well). - */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -//#define fd_stdin 0 -//#define fd_stdout 1 -#define fd_stderr 2 - -#define max_inputs 255 -#define input_path_size 20 -#define key_flags_len 12 - -#define hw_monitor_val 1 -#define fifo_monitor_val 2 - -#define max_sig_num 31 - -int console_fd = 0; - -/* Adapted from kloak/src/keycodes.c */ -struct name_value { - const char *name; - const uint32_t value; -}; -static struct name_value key_table[] = { - {"KEY_ESC", KEY_ESC}, - {"KEY_1", KEY_1}, - {"KEY_2", KEY_2}, - {"KEY_3", KEY_3}, - {"KEY_4", KEY_4}, - {"KEY_5", KEY_5}, - {"KEY_6", KEY_6}, - {"KEY_7", KEY_7}, - {"KEY_8", KEY_8}, - {"KEY_9", KEY_9}, - {"KEY_0", KEY_0}, - {"KEY_MINUS", KEY_MINUS}, - {"KEY_EQUAL", KEY_EQUAL}, - {"KEY_BACKSPACE", KEY_BACKSPACE}, - {"KEY_TAB", KEY_TAB}, - {"KEY_Q", KEY_Q}, - {"KEY_W", KEY_W}, - {"KEY_E", KEY_E}, - {"KEY_R", KEY_R}, - {"KEY_T", KEY_T}, - {"KEY_Y", KEY_Y}, - {"KEY_U", KEY_U}, - {"KEY_I", KEY_I}, - {"KEY_O", KEY_O}, - {"KEY_P", KEY_P}, - {"KEY_LEFTBRACE", KEY_LEFTBRACE}, - {"KEY_RIGHTBRACE", KEY_RIGHTBRACE}, - {"KEY_ENTER", KEY_ENTER}, - {"KEY_LEFTCTRL", KEY_LEFTCTRL}, - {"KEY_A", KEY_A}, - {"KEY_S", KEY_S}, - {"KEY_D", KEY_D}, - {"KEY_F", 
KEY_F}, - {"KEY_G", KEY_G}, - {"KEY_H", KEY_H}, - {"KEY_J", KEY_J}, - {"KEY_K", KEY_K}, - {"KEY_L", KEY_L}, - {"KEY_SEMICOLON", KEY_SEMICOLON}, - {"KEY_APOSTROPHE", KEY_APOSTROPHE}, - {"KEY_GRAVE", KEY_GRAVE}, - {"KEY_LEFTSHIFT", KEY_LEFTSHIFT}, - {"KEY_BACKSLASH", KEY_BACKSLASH}, - {"KEY_Z", KEY_Z}, - {"KEY_X", KEY_X}, - {"KEY_C", KEY_C}, - {"KEY_V", KEY_V}, - {"KEY_B", KEY_B}, - {"KEY_N", KEY_N}, - {"KEY_M", KEY_M}, - {"KEY_COMMA", KEY_COMMA}, - {"KEY_DOT", KEY_DOT}, - {"KEY_SLASH", KEY_SLASH}, - {"KEY_RIGHTSHIFT", KEY_RIGHTSHIFT}, - {"KEY_KPASTERISK", KEY_KPASTERISK}, - {"KEY_LEFTALT", KEY_LEFTALT}, - {"KEY_SPACE", KEY_SPACE}, - {"KEY_CAPSLOCK", KEY_CAPSLOCK}, - {"KEY_F1", KEY_F1}, - {"KEY_F2", KEY_F2}, - {"KEY_F3", KEY_F3}, - {"KEY_F4", KEY_F4}, - {"KEY_F5", KEY_F5}, - {"KEY_F6", KEY_F6}, - {"KEY_F7", KEY_F7}, - {"KEY_F8", KEY_F8}, - {"KEY_F9", KEY_F9}, - {"KEY_F10", KEY_F10}, - {"KEY_NUMLOCK", KEY_NUMLOCK}, - {"KEY_SCROLLLOCK", KEY_SCROLLLOCK}, - {"KEY_KP7", KEY_KP7}, - {"KEY_KP8", KEY_KP8}, - {"KEY_KP9", KEY_KP9}, - {"KEY_KPMINUS", KEY_KPMINUS}, - {"KEY_KP4", KEY_KP4}, - {"KEY_KP5", KEY_KP5}, - {"KEY_KP6", KEY_KP6}, - {"KEY_KPPLUS", KEY_KPPLUS}, - {"KEY_KP1", KEY_KP1}, - {"KEY_KP2", KEY_KP2}, - {"KEY_KP3", KEY_KP3}, - {"KEY_KP0", KEY_KP0}, - {"KEY_KPDOT", KEY_KPDOT}, - {"KEY_ZENKAKUHANKAKU", KEY_ZENKAKUHANKAKU}, - {"KEY_102ND", KEY_102ND}, - {"KEY_F11", KEY_F11}, - {"KEY_F12", KEY_F12}, - {"KEY_RO", KEY_RO}, - {"KEY_KATAKANA", KEY_KATAKANA}, - {"KEY_HIRAGANA", KEY_HIRAGANA}, - {"KEY_HENKAN", KEY_HENKAN}, - {"KEY_KATAKANAHIRAGANA", KEY_KATAKANAHIRAGANA}, - {"KEY_MUHENKAN", KEY_MUHENKAN}, - {"KEY_KPJPCOMMA", KEY_KPJPCOMMA}, - {"KEY_KPENTER", KEY_KPENTER}, - {"KEY_RIGHTCTRL", KEY_RIGHTCTRL}, - {"KEY_KPSLASH", KEY_KPSLASH}, - {"KEY_SYSRQ", KEY_SYSRQ}, - {"KEY_RIGHTALT", KEY_RIGHTALT}, - {"KEY_LINEFEED", KEY_LINEFEED}, - {"KEY_HOME", KEY_HOME}, - {"KEY_UP", KEY_UP}, - {"KEY_PAGEUP", KEY_PAGEUP}, - {"KEY_LEFT", KEY_LEFT}, - {"KEY_RIGHT", KEY_RIGHT}, - {"KEY_END", 
KEY_END}, - {"KEY_DOWN", KEY_DOWN}, - {"KEY_PAGEDOWN", KEY_PAGEDOWN}, - {"KEY_INSERT", KEY_INSERT}, - {"KEY_DELETE", KEY_DELETE}, - {"KEY_MACRO", KEY_MACRO}, - {"KEY_MUTE", KEY_MUTE}, - {"KEY_VOLUMEDOWN", KEY_VOLUMEDOWN}, - {"KEY_VOLUMEUP", KEY_VOLUMEUP}, - {"KEY_POWER", KEY_POWER}, - {"KEY_POWER2", KEY_POWER2}, - {"KEY_KPEQUAL", KEY_KPEQUAL}, - {"KEY_KPPLUSMINUS", KEY_KPPLUSMINUS}, - {"KEY_PAUSE", KEY_PAUSE}, - {"KEY_SCALE", KEY_SCALE}, - {"KEY_KPCOMMA", KEY_KPCOMMA}, - {"KEY_HANGEUL", KEY_HANGEUL}, - {"KEY_HANGUEL", KEY_HANGUEL}, - {"KEY_HANJA", KEY_HANJA}, - {"KEY_YEN", KEY_YEN}, - {"KEY_LEFTMETA", KEY_LEFTMETA}, - {"KEY_RIGHTMETA", KEY_RIGHTMETA}, - {"KEY_COMPOSE", KEY_COMPOSE}, - {"KEY_F13", KEY_F13}, - {"KEY_F14", KEY_F14}, - {"KEY_F15", KEY_F15}, - {"KEY_F16", KEY_F16}, - {"KEY_F17", KEY_F17}, - {"KEY_F18", KEY_F18}, - {"KEY_F19", KEY_F19}, - {"KEY_F20", KEY_F20}, - {"KEY_F21", KEY_F21}, - {"KEY_F22", KEY_F22}, - {"KEY_F23", KEY_F23}, - {"KEY_F24", KEY_F24}, - {"KEY_UNKNOWN", KEY_UNKNOWN}, - {NULL, 0} -}; -uint32_t lookup_keycode(const char *name) { - struct name_value *p; - for (p = key_table; p->name != NULL; ++p) { - if (strcmp(p->name, name) == 0) { - return p->value; - } - } - return 0; -} - -/* Adapted from systemd/src/login/logind-button.c */ -bool bitset_get(const uint64_t *bits, uint32_t i) { - return (bits[i / 64] >> (i % 64)) & 1UL; -} - -void print(int fd, const char *str) { - size_t len = strlen(str) + 1; - while (true) { - ssize_t write_len = write(fd, str, len); - if (write_len < 0) { - /* File descriptor was closed, continue regardless */ - return; - } - len -= (size_t)write_len; - if (len == 0) { - return; - } - str += write_len; - } -} - -void print_usage(void) { - print(fd_stderr, "Usage:\n"); - print(fd_stderr, " emerg-shutdown [OPTIONS...]\n"); - print(fd_stderr, "Options:\n"); - print(fd_stderr, " --devices=DEVICE1[,DEVICE2...]\n"); - print(fd_stderr, " A comma-separated list of devices. 
If any of these devices are\n"); - print(fd_stderr, " removed from the system, an emergency shutdown will occur.\n"); - print(fd_stderr, " --keys=KEY_1[,KEY_2|KEY_3...]\n"); - print(fd_stderr, " A comma-separated list of keys. If all of the specified keys are\n"); - print(fd_stderr, " pressed at the same time, an emergency shutdown will occur.\n"); - print(fd_stderr, " Keys separated with a pipe will be treated as aliases of each\n"); - print(fd_stderr, " other.\n"); - print(fd_stderr, " --paranoid\n"); - print(fd_stderr, " Watches for the removal of any removable device whatsoever. An\n"); - print(fd_stderr, " emergency shutdown will be triggered if any device is removed.\n"); - print(fd_stderr, " Cannot be combined with --devices.\n"); - print(fd_stderr, " --instant-shutdown\n"); - print(fd_stderr, " Immediately triggers an emergency shutdown. Cannot be combined\n"); - print(fd_stderr, " with other options.\n"); - print(fd_stderr, " --monitor-fifo\n"); - print(fd_stderr, " Used internally to implement the ensure-shutdown service. Do\n"); - print(fd_stderr, " not use.\n"); - print(fd_stderr, " --timeout=TIMEOUT\n"); - print(fd_stderr, " Used internally to implement the ensure-shutdown service. 
Do\n"); - print(fd_stderr, " not use.\n"); - print(fd_stderr, "Example:\n"); - print(fd_stderr, " emerg-shutdown --devices=/dev/sda3 --keys=KEY_POWER\n"); - print(fd_stderr, "See /etc/security-misc/emerg-shutdown/30_security-misc.conf to\n"); - print(fd_stderr, "configure the emerg-shutdown service.\n"); -} - -void *safe_calloc(size_t nmemb, size_t size) { - void *ret_buf = calloc(nmemb, size); - if (ret_buf == NULL) { - print(fd_stderr, "Out of memory!\n"); - exit(1); - } - return ret_buf; -} - -void *safe_reallocarray(void *ptr, size_t nmemb, size_t size) { - void *ret_buf = reallocarray(ptr, nmemb, size); - if (ret_buf == NULL) { - print(fd_stderr, "Out of memory!\n"); - exit(1); - } - return ret_buf; -} - -/* Inspired by https://www.strudel.org.uk/itoa/ */ -char *int_to_str(uint32_t val) { - static char buf[11]; - int8_t i; - char *rslt = NULL; - const char *digits = "0123456789"; - - buf[10] = '\0'; - - for (i = 9; i >= 0; i--) { - buf[i] = digits[val % 10]; - val /= 10; - if (val == 0) { - break; - } - } - assert(i >= 0); - - rslt = safe_calloc(1, 11 - (uint8_t)(i)); - memcpy(rslt, buf + i, 11 - (uint8_t)(i)); - return rslt; -} - -void load_list(const char *arg, size_t *result_list_len_ref, char ***result_list_ref, const char *sep, bool parse_opt) { - char **result_list = NULL; - size_t result_list_len = 0; - size_t arg_copy_len = strlen(arg) + 1; - char *arg_copy = safe_calloc(1, arg_copy_len); - char *arg_val; - char *arg_part; - - memcpy(arg_copy, arg, arg_copy_len); - if (parse_opt) { - /* returns "--whatever" */ - arg_val = strtok(arg_copy, "="); - /* returns everything after the = sign */ - arg_val = strtok(NULL, ""); - } else { - arg_val = arg_copy; - } - - arg_part = strtok(arg_val, sep); - if (arg_part == NULL) { - return; - } - - do { - result_list_len++; - result_list = safe_reallocarray(result_list, result_list_len, sizeof(char *)); - result_list[result_list_len - 1] = safe_calloc(1, strlen(arg_part) + 1); - strcpy(result_list[result_list_len - 
1], arg_part); - } while ((arg_part = strtok(NULL, ",")) != NULL); - - *result_list_len_ref = result_list_len; - *result_list_ref = result_list; - free(arg_copy); -} - -long int kill_system(void) { - /* - * It isn't safe to simply call the reboot syscall here - there is a - * graphics driver bug in the i915 driver on Bookworm that will throw a - * kernel warning during shutdown. Kicksecure sets panic_on_oops and - * panic_on_warn to 1 during bootup, which means this bug will cause a - * kernel panic and thus hang the system rather than shutting down. - * - * To mitigate this, we do two things: - * - * - We disable the panic_on_oops and panic_on_warn kernel settings before - * calling the reboot syscall. This way if a warn or oops does occur, at - * least it isn't as likely to block shutdown. - * - We switch virtual terminals before initiating the shutdown. This should - * hopefully keep whatever is going wrong from going wrong in the first - * place. - * - * This is probably a good idea for any system, because switching TTYs is a - * rather basic operation that is likely to work, while forcibly shutting - * down while X11 or Wayland still has control of the display is probably - * not as well tested (if it's been tested at all). - * - * Above all else though, we want to at least *try* to shutdown. Even if all - * our attempts to switch VTs fail and /proc isn't available for us to tweak - * kernel settings, we still need to try. Therefore we absolutely do not - * crash or block, except when waiting for a VT to become activated. (If VT - * activation blocks forever, the kernel is probably horribly broken and - * would probably panic imminently anyway.) - */ - - const char *panic_on_oops_path = "/proc/sys/kernel/panic_on_oops"; - const char *panic_on_warn_path = "/proc/sys/kernel/panic_on_warn"; - - int ret = 0; - int tgt_vt = 0; - int sysctl_fd = 0; - - /* Turn off panic_on_oops. 
*/ - sysctl_fd = open(panic_on_oops_path, O_WRONLY); - if (sysctl_fd != -1) { - /* We intentionally ignore the return from `write` here. */ -#pragma GCC diagnostic push -#pragma GCC diagnostic ignored "-Wunused-result" - write(sysctl_fd, "0", 1); -#pragma GCC diagnostic pop - close(sysctl_fd); - } - - /* Turn off panic_on_warn. */ - sysctl_fd = open(panic_on_warn_path, O_WRONLY); - if (sysctl_fd != -1) { - /* We intentionally ignore the return from `write` here. */ -#pragma GCC diagnostic push -#pragma GCC diagnostic ignored "-Wunused-result" - write(sysctl_fd, "0", 1); -#pragma GCC diagnostic pop - close(sysctl_fd); - } - - /* Determine which VT to switch to. Anything that isn't open yet will do. */ - ret = ioctl(console_fd, VT_OPENQRY, &tgt_vt); - if (ret == -1) { - goto trykill; - } - - /* Try to switch to it. */ - ret = ioctl(console_fd, VT_ACTIVATE, tgt_vt); - if (ret == -1) { - goto trykill; - } - - /* Wait for it to become active. */ - ioctl(console_fd, VT_WAITACTIVE, tgt_vt); - -trykill: - return syscall(SYS_reboot, LINUX_REBOOT_MAGIC1, LINUX_REBOOT_MAGIC2, - LINUX_REBOOT_CMD_POWER_OFF, NULL); -} - -/* Monitor for device removal and emergency shutdown key combos. 
*/ -void hw_monitor(int argc, char **argv) { - /* Working variables */ - size_t target_dev_list_len = 0; - char **target_dev_name_raw_list = NULL; - size_t panic_key_list_len = 0; - char **panic_key_str_list = NULL; - char **target_dev_list = NULL; - uint32_t **panic_key_list = NULL; - bool *panic_key_active_list = NULL; - size_t event_fd_list_len = 0; - int *event_fd_list = NULL; - char input_path_buf[input_path_size]; - struct pollfd *pollfd_list = NULL; - struct input_event ie_buf[64]; - bool paranoid_mode = false; - - /* Index variables */ - int arg_idx = 0; - size_t tdl_idx = 0; - size_t tdp_char_idx = 0; - size_t pkl_idx = 0; - uint32_t input_idx = 0; - size_t efl_idx = 0; - int ie_idx = 0; - size_t kg_idx = 0; - - /* Socket management */ - struct sockaddr_nl sa = { 0 }; - int ns = 0; - int ret = 0; - - for (arg_idx = 1; arg_idx < argc; arg_idx++) { - if (strncmp(argv[arg_idx], "--devices=", strlen("--devices=")) == 0) { - if (target_dev_name_raw_list != NULL) { - print(fd_stderr, "--devices cannot be passed more than once!\n"); - print_usage(); - exit(1); - } - load_list(argv[arg_idx], &target_dev_list_len, &target_dev_name_raw_list, ",", true); - } else if (strcmp(argv[arg_idx], "--paranoid") == 0) { - paranoid_mode = true; - } else if (strncmp(argv[arg_idx], "--keys=", strlen("--keys=")) == 0) { - if (panic_key_str_list != NULL) { - print(fd_stderr, "--keys cannot be passed more than once!\n"); - print_usage(); - exit(1); - } - load_list(argv[arg_idx], &panic_key_list_len, &panic_key_str_list, ",", true); - } else { - print(fd_stderr, "Unrecognized argument '"); - print(fd_stderr, argv[arg_idx]); - print(fd_stderr, "' passed!\n"); - print_usage(); - exit(1); - } - } - if (target_dev_name_raw_list != NULL && paranoid_mode) { - print(fd_stderr, "--devices and --paranoid are mutually exclusive!\n"); - print_usage(); - exit(1); - } - - console_fd = open("/dev/console", O_RDWR); - if (console_fd == -1) { - print(fd_stderr, "Could not open /dev/console!\n"); - 
exit(1); - } - - target_dev_list = safe_calloc(target_dev_list_len, sizeof(char *)); - panic_key_list = safe_calloc(panic_key_list_len, sizeof(uint32_t *)); - panic_key_active_list = safe_calloc(panic_key_list_len, sizeof(bool)); - - for (tdl_idx = 0; tdl_idx < target_dev_list_len; tdl_idx++) { - char *target_dev_path = target_dev_name_raw_list[tdl_idx]; - size_t device_path_slash_count = 0; - char *target_dev_parse = safe_calloc(1, strlen(target_dev_path) + 1); - char *target_dev_name = NULL; - - if (access(target_dev_path, F_OK) != 0) { - print(fd_stderr, "The device '"); - print(fd_stderr, target_dev_path); - print(fd_stderr, "' does not exist!\n"); - print_usage(); - exit(1); - } - - if (strncmp(target_dev_path, "/dev/sr", strlen("/dev/sr")) != 0 - && strncmp(target_dev_path, "/dev/nvme", strlen("/dev/nvme")) != 0 - && strncmp(target_dev_path, "/dev/sd", strlen("/dev/sd")) != 0 - && strncmp(target_dev_path, "/dev/mmc", strlen("/dev/mmc")) != 0 - && strncmp(target_dev_path, "/dev/vd", strlen("/dev/vd")) != 0 - && strncmp(target_dev_path, "/dev/xvd", strlen("/dev/xvd")) != 0 - && strncmp(target_dev_path, "/dev/hd", strlen("/dev/hd")) != 0) { - print(fd_stderr, "The device '"); - print(fd_stderr, target_dev_path); - print(fd_stderr, "' is not supported!\n"); - print_usage(); - exit(1); - } - - for (tdp_char_idx = 0; tdp_char_idx < strlen(target_dev_path); tdp_char_idx++) { - if (target_dev_path[tdp_char_idx] == '/') { - device_path_slash_count++; - } - } - if (device_path_slash_count != 2) { - print(fd_stderr, "The device '"); - print(fd_stderr, target_dev_path); - print(fd_stderr, "' is not supported!\n"); - print_usage(); - exit(1); - } - - memcpy(target_dev_parse, target_dev_path, strlen(target_dev_path) + 1); - - /* returns "dev" */ - target_dev_name = strtok(target_dev_parse, "/"); - /* returns the actual device name we want */ - target_dev_name = strtok(NULL, "/"); - if (target_dev_name == NULL) { - print(fd_stderr, "The device '"); - print(fd_stderr, 
target_dev_path); - print(fd_stderr, "' is not supported!\n"); - print_usage(); - exit(1); - } - - target_dev_list[tdl_idx] = calloc(1, strlen(target_dev_name) + 1); - memcpy(target_dev_list[tdl_idx], target_dev_name, strlen(target_dev_name) + 1); - free(target_dev_parse); - } - - for (pkl_idx = 0; pkl_idx < panic_key_list_len; pkl_idx++) { - size_t keygroup_str_list_len = 0; - char **keygroup_str_list = NULL; - uint32_t *pkl_element = NULL; - - load_list(panic_key_str_list[pkl_idx], &keygroup_str_list_len, &keygroup_str_list, "|", false); - pkl_element = safe_calloc(keygroup_str_list_len + 1, sizeof(uint32_t)); - - pkl_element[keygroup_str_list_len] = 0; - for (kg_idx = 0; kg_idx < keygroup_str_list_len; kg_idx++) { - uint32_t keycode = lookup_keycode(keygroup_str_list[kg_idx]); - if (keycode == 0) { - print(fd_stderr, "Invalid key code '"); - print(fd_stderr, keygroup_str_list[kg_idx]); - print(fd_stderr, "'!\n"); - print_usage(); - exit(1); - } - pkl_element[kg_idx] = keycode; - free(keygroup_str_list[kg_idx]); - } - - free(keygroup_str_list); - panic_key_list[pkl_idx] = pkl_element; - } - - /* Device event listener setup */ - sa.nl_family = AF_NETLINK; - sa.nl_pad = 0; - sa.nl_pid = (uint32_t)getpid(); - sa.nl_groups = NETLINK_KOBJECT_UEVENT; - ns = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT); - if (ns < 0) { - print(fd_stderr, "Failed to create netlink socket!\n"); - exit(1); - } - ret = bind(ns, (struct sockaddr *) &sa, sizeof(sa)); - if (ret < 0) { - print(fd_stderr, "Failed to bind netlink socket!\n"); - exit(1); - } - - /* Keyboard event listener setup - * Heavily inspired by systemd/src/login/logind-button.c and - * kloak/src/main.c */ - for (input_idx = 0; input_idx <= max_inputs; input_idx++) { - int tmp_fd = 0; - uint64_t key_flags[key_flags_len]; - bool supports_panic = true; - char *loop_str = NULL; - - strcpy(input_path_buf, "/dev/input/event"); - loop_str = int_to_str(input_idx); - strcat(input_path_buf, loop_str); - free(loop_str); - - 
tmp_fd = open(input_path_buf, O_RDONLY | O_CLOEXEC | O_NOCTTY | O_NONBLOCK); - if (tmp_fd < 0) { - continue; - } - - if (ioctl(tmp_fd, EVIOCGBIT(EV_SYN, sizeof(key_flags)), key_flags) < 0) { - print(fd_stderr, "Failed to query properties of input device '"); - print(fd_stderr, input_path_buf); - print(fd_stderr, "'!\n"); - exit(1); - } - - if (!bitset_get(key_flags, EV_KEY)) { - continue; - } - - if (ioctl(tmp_fd, EVIOCGBIT(EV_KEY, sizeof(key_flags)), key_flags) < 0) { - print(fd_stderr, "Failed to query keys available on input device '"); - print(fd_stderr, input_path_buf); - print(fd_stderr, "'!\n"); - exit(1); - } - - for (pkl_idx = 0; pkl_idx < panic_key_list_len; pkl_idx++) { - for (kg_idx = 0; panic_key_list[pkl_idx][kg_idx] != 0; kg_idx++) { - if (!bitset_get(key_flags, panic_key_list[pkl_idx][kg_idx])) { - supports_panic = false; - break; - } - } - if (!supports_panic) { - break; - } - } - if (!supports_panic) { - continue; - } - - event_fd_list_len++; - event_fd_list = safe_reallocarray(event_fd_list, event_fd_list_len, sizeof(int)); - event_fd_list[event_fd_list_len - 1] = tmp_fd; - } - - if (event_fd_list_len == 0) { - print(fd_stderr, "Failed to find any input device supporting panic keys!\n"); - exit(1); - } - - /* Poll setup */ - pollfd_list = safe_calloc(event_fd_list_len + 1, sizeof(struct pollfd)); - for (efl_idx = 0; efl_idx < event_fd_list_len; efl_idx++) { - pollfd_list[efl_idx].fd = event_fd_list[efl_idx]; - pollfd_list[efl_idx].events = POLLIN; - } - pollfd_list[event_fd_list_len].fd = ns; - pollfd_list[event_fd_list_len].events = POLLIN; - - /* Event loop */ - while (poll(pollfd_list, event_fd_list_len + 1, -1) != -1) { - size_t ie_max_idx = 0; - - /* Panic key handler */ - for (efl_idx = 0; efl_idx < event_fd_list_len; efl_idx++) { - ssize_t ieread_bytes = 0; - if (!(pollfd_list[efl_idx].revents & POLLIN)) { - continue; - } - - ieread_bytes = read(event_fd_list[efl_idx], ie_buf, - sizeof(struct input_event) * 64); - - if (ieread_bytes <= 0 - 
|| ((size_t)ieread_bytes % sizeof(struct input_event)) != 0) { - /* This will probably terminate the service if the user unplugs a - * keyboard or similar, however systemd can start it again. The - * alternative is to handle device hotplug, which sounds like a - * recipe for bugs. */ - print(fd_stderr, "Error reading from input device!\n"); - exit(1); - } - - ie_max_idx = (size_t)ieread_bytes / sizeof(struct input_event); - assert(ie_max_idx < INT_MAX); - for (ie_idx = 0; ie_idx < (int)(ie_max_idx); ie_idx++) { - if (ie_buf[ie_idx].type != EV_KEY) { - continue; - } - - for (pkl_idx = 0; pkl_idx < panic_key_list_len; pkl_idx++) { - for (kg_idx = 0; panic_key_list[pkl_idx][kg_idx] != 0; kg_idx++) { - if (ie_buf[ie_idx].code == panic_key_list[pkl_idx][kg_idx]) { - if (ie_buf[ie_idx].value == 0) { - panic_key_active_list[pkl_idx] = false; - } else { - panic_key_active_list[pkl_idx] = true; - } - break; /* only breaks inner loop */ - } - } - } - - for (pkl_idx = 0; pkl_idx < panic_key_list_len; pkl_idx++) { - if (!panic_key_active_list[pkl_idx]) { - break; - } - if (pkl_idx == (panic_key_list_len - 1)) { - kill_system(); - /*print(fd_stderr, "SHUTDOWN!!!\n");*/ - exit(0); - } - } - } - } - - /* Netlink socket handler */ - if (pollfd_list[event_fd_list_len].revents & POLLIN) { - /* - * So, you looked at `man 7 netlink`, then looked at this code, and can't - * figure out how on earth any of this makes sense? Well guess what, turns - * out NETLINK_KOBJECT_UEVENT messages break all of the rules about how - * netlink messages work specified in that manpage. What you actually - * get... well, depends. - * - * - The messages we actually want are just NUL-separated string lists. - * These are the actual kernel uevents. - * - Mixed in with those will be uevents generated by systemd-udevd, which - * use a different format and are unsuitable for our purposes. We have - * to ignore those. 
Thankfully those messages start with the - * NUL-terminated string "libudev" so they're easy to filter out. - */ - - ssize_t len; - char buf[16384]; - struct iovec iov = { buf, sizeof(buf) }; - struct sockaddr_nl sa2; - struct msghdr msg = { 0 }; - char *tmpbuf = NULL; - bool device_removed = false; - bool device_changed = false; - bool disk_media_changed = false; - - msg.msg_name = &sa2; - msg.msg_namelen = sizeof(sa2); - msg.msg_iov = &iov; - msg.msg_iovlen = 1; - msg.msg_control = NULL; - msg.msg_controllen = 0; - msg.msg_flags = 0; - - len = recvmsg(ns, &msg, 0); - if (len == -1) { - kill_system(); - /*print(fd_stderr, "SHUTDOWN!!!\n");*/ - exit(0); - } - - if (len < 8) { - /* There aren't any super-short messages we're interested in, discard - * them */ - continue; - } - if (memcmp(buf, "libudev", 8) == 0) { - /* udevd message, ignore */ - continue; - } - - tmpbuf = buf; - while (len > 0) { - if (strcmp(tmpbuf, "ACTION=remove") == 0) { - device_removed = true; - goto next_str; - } - if (strcmp(tmpbuf, "ACTION=change") == 0) { - device_changed = true; - goto next_str; - } - if (strcmp(tmpbuf, "DISK_MEDIA_CHANGE=1") == 0) { - disk_media_changed = true; - goto next_str; - } - - if (strncmp(tmpbuf, "DEVNAME=", strlen("DEVNAME=")) == 0) { - if (device_removed || device_changed) { - char *rem_devname_line = NULL; - char *rem_dev_name = NULL; - - /* - * Try to allocate the memory needed to check DEVNAME in a loop. We - * really do not want to simply abort here due to an out of memory - * condition, because that would result in the shutdown never - * occurring. We also don't want to force a shutdown when memory - * runs out, as that could result in the user losing work because - * they opened too many browser tabs. 
- */ - while(true) { - rem_devname_line = calloc(1, strlen(tmpbuf) + 1); - if (rem_devname_line == NULL) { - print(fd_stderr, "Out of memory while parsing devname, retrying in one second\n"); - sleep(1); - continue; - } else { - break; - } - } - - memcpy(rem_devname_line, tmpbuf, strlen(tmpbuf) + 1); - /* returns DEVNAME */ - rem_dev_name = strtok(rem_devname_line, "="); - /* returns the actual device name */ - rem_dev_name = strtok(NULL, "="); - if (rem_dev_name == NULL) { - free(rem_devname_line); - goto next_str; - } - - if (device_changed && strncmp(rem_dev_name, "sr", 2) != 0) { - free(rem_devname_line); - goto next_str; - } - - if (device_changed && !disk_media_changed) { - free(rem_devname_line); - goto next_str; - } - - if (paranoid_mode) { - /* Something was removed, we don't care what, shut down now */ - kill_system(); - } - - for (tdl_idx = 0; tdl_idx < target_dev_list_len; tdl_idx++) { - if (strcmp(rem_dev_name, target_dev_list[tdl_idx]) == 0) { - kill_system(); - /*print(fd_stderr, "SHUTDOWN!!!\n");*/ - exit(0); - } - } - - free(rem_devname_line); - } - } - -next_str: - len = len - (ssize_t)(strlen(tmpbuf) + 1); - tmpbuf += strlen(tmpbuf) + 1; - } - } - } - - print(fd_stderr, "Hardware monitor poll gave up!\n"); - exit(1); -} - -/* - * Monitor for a kill command on a fifo. Two commands are recognized: - * - * - 'k': Instantly kill the system. - * - 'd': Wait 15 seconds, then kill the system. This is used to keep systemd - * from delaying shutdown excessively. 
- */ -void fifo_monitor(char **argv) { - long monitor_fifo_timeout = 0; - char *arg_copy = NULL; - char *arg_part = NULL; - char *arg_num_end = NULL; - const char *trigger_fifo_path = "/run/emerg-shutdown-trigger"; - int trigger_fifo_fd = 0; - struct pollfd trigger_fifo_poll = { 0 }; - char trigger_fifo_charbuf = '\0'; - ssize_t trigger_fifo_readlen = 0; - int sig_idx = 0; - struct sigaction sigact_swallow = { 0 }; - - if (strncmp(argv[2], "--timeout=", strlen("--timeout=")) != 0) { - print(fd_stderr, "Timeout not passed for --monitor-fifo!\n"); - print_usage(); - exit(1); - } - - arg_copy = safe_calloc(1, strlen(argv[2]) + 1); - memcpy(arg_copy, argv[2], strlen(argv[2]) + 1); - /* returns "--timeout" */ - arg_part = strtok(arg_copy, "="); - /* returns everything after the = sign */ - arg_part = strtok(NULL, ""); - errno = 0; - monitor_fifo_timeout = strtol(arg_part, &arg_num_end, 10); - if (errno == ERANGE || monitor_fifo_timeout > UINT_MAX) { - print(fd_stderr, "Timeout out of range!\n"); - print_usage(); - exit(1); - } - if (*arg_num_end != '\0') { - print(fd_stderr, "Timeout is not purely numeric!\n"); - print_usage(); - exit(1); - } - if (monitor_fifo_timeout < 1) { - print(fd_stderr, "Timeout is less than one!\n"); - print_usage(); - exit(1); - } - - free(arg_copy); - arg_copy = NULL; - arg_part = NULL; - arg_num_end = NULL; - - if (mkfifo(trigger_fifo_path, 0777) == -1) { - print(fd_stderr, "Cannot create trigger fifo!\n"); - exit(1); - } - - trigger_fifo_fd = open(trigger_fifo_path, O_RDONLY | O_NONBLOCK); - if (trigger_fifo_fd == -1) { - print(fd_stderr, "Cannot open trigger fifo for reading!\n"); - exit(1); - } - - trigger_fifo_poll.fd = trigger_fifo_fd; - trigger_fifo_poll.events = POLLIN; - - /* Swallow all signals that we can. 
*/ - sigact_swallow.sa_handler = SIG_IGN; - for (sig_idx = 1; sig_idx < max_sig_num; sig_idx++) { - if (sig_idx == SIGSTOP) { - continue; - } - if (sig_idx == SIGKILL) { - continue; - } - if (sigaction(sig_idx, &sigact_swallow, NULL) == -1) { - print(fd_stderr, "Failed to set up signal ignores!\n"); - exit(1); - } - } - for (sig_idx = SIGRTMIN; sig_idx <= SIGRTMAX; sig_idx++) { - if (sigaction(sig_idx, &sigact_swallow, NULL) == -1) { - print(fd_stderr, "Failed to set up real-time signal ignores!\n"); - exit(1); - } - } - - while (poll(&trigger_fifo_poll, 1, -1) != -1) { - trigger_fifo_readlen = read(trigger_fifo_fd, &trigger_fifo_charbuf, 1); - if (trigger_fifo_readlen != 1) { - print(fd_stderr, "Error reading from trigger fifo!\n"); - exit(1); - } - if (trigger_fifo_charbuf == 'k') { - kill_system(); - } else if (trigger_fifo_charbuf == 'd') { - sleep((unsigned int)monitor_fifo_timeout); - kill_system(); - } - } - - print(fd_stderr, "Trigger fifo poll gave up!\n"); - exit(1); -} - -int main(int argc, char **argv) { - int monitor_mode = hw_monitor_val; - - /* Prerequisite check */ - if (getuid() != 0) { - print(fd_stderr, "This program must be run as root!\n"); - exit(1); - } - - if (argc < 2) { - print(fd_stderr, "Not enough arguments!\n"); - print_usage(); - exit(1); - } - - if (strcmp(argv[1], "--instant-shutdown") == 0) { - if (argc != 2) { - print(fd_stderr, "Too many arguments, --instant-shutdown must be passed alone!\n"); - print_usage(); - exit(1); - } - - kill_system(); - } - if (strcmp(argv[1], "--monitor-fifo") == 0) { - if (argc != 3) { - print(fd_stderr, "Wrong number of arguments for --monitor-fifo!\n"); - print_usage(); - exit(1); - } - - monitor_mode = fifo_monitor_val; - } - - if (monitor_mode == hw_monitor_val) { - /* hw_monitor handles its own argument parsing */ - hw_monitor(argc, argv); - } else if (monitor_mode == fifo_monitor_val) { - /* fifo_monitor handles its own argument parsing */ - fifo_monitor(argv); - } else { - print(fd_stderr, 
"Unknown monitor mode chosen!\n"); - print_usage(); - exit(1); - } -} diff --git a/var/cache/security-misc/state-files/placeholder#security-misc-shared b/var/cache/security-misc/state-files/placeholder similarity index 100% rename from var/cache/security-misc/state-files/placeholder#security-misc-shared rename to var/cache/security-misc/state-files/placeholder
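Review bot: the netlink handler in the removed hw_monitor() fills `sa2` through `msg.msg_name` but never inspects it, so the uevent walk runs on any datagram that reaches the socket, with only the "libudev" prefix filtered out. If this code continues to live elsewhere after the removal, check `sa2.nl_pid == 0` (kernel origin) right after `recvmsg()` and discard everything else before parsing. The same walk depends on the payload ending in a NUL: `strcmp(tmpbuf, ...)` and `strlen(tmpbuf)` are not bounded by `len`, so passing `sizeof(buf) - 1` in the iovec and writing `buf[len] = '\0'`, or rejecting `msg.msg_flags & MSG_TRUNC`, would keep a full-buffer message from being read past the end of `buf`. Two smaller points in the same file: the input-device probe loop hits `continue` without `close(tmp_fd)` when a device lacks EV_KEY or the panic keys, leaking one descriptor per skipped device, and in fifo_monitor() an argument of `--timeout=` with nothing after the `=` makes `strtok(NULL, "")` return NULL, which goes straight into `strtol()`; a NULL check before the conversion would turn that into the usage error.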